Strix
26.1K

CVE-2024-45044

HIGHCVSS 8.8/10EPSS 0.53%

Last modified

CVE-2024-45044 is a high-severity vulnerability rated 8.8/10 on the CVSS scale. Bareos is open source software for backup, archiving, and recovery of data for operating systems. When a command ACL is in place and a user executes a command in bconsole using an abbreviation (i.e. EPSS estimates a 0.53% chance of exploitation in the next 30 days.

Description

Bareos is open source software for backup, archiving, and recovery of data for operating systems. When a command ACL is in place and a user executes a command in bconsole using an abbreviation (i.e. "w" for "whoami") the ACL check did not apply to the full form (i.e. "whoami") but to the abbreviated form (i.e. "w"). If the command ACL is configured with negative ACL that should forbid using the "whoami" command, you could still use "w" or "who" as a command successfully. Fixes for the problem are shipped in Bareos versions 23.0.4, 22.1.6 and 21.1.11. If only positive command ACLs are used without any negation, the problem does not occur.

Metrics

CVSS 3.1
8.8/10

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Probability
0.53%

40.8th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

References

Timeline

Published
Last Modified
Status
Deferred

Frequently Asked Questions

What is CVE-2024-45044?
Bareos is open source software for backup, archiving, and recovery of data for operating systems. When a command ACL is in place and a user executes a command in bconsole using an abbreviation (i.e. "w" for "whoami") the ACL check did not apply to the full form (i.e. "whoami") but to the abbreviated form (i.e. "w"). If the command ACL is configured with negative ACL that should forbid using the "whoami" command, you could still use "w" or "who" as a command successfully. Fixes for the problem are shipped in Bareos versions 23.0.4, 22.1.6 and 21.1.11. If only positive command ACLs are used without any negation, the problem does not occur.
How severe is CVE-2024-45044?
CVE-2024-45044 has a CVSS score of 8.8/10 (HIGH severity). The EPSS model estimates a 0.53% probability of exploitation in the next 30 days.
How do I fix CVE-2024-45044?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2024-45044?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST