CVE-2024-20328

2024-03-0121:15:07

Debian Security Bug Tracker

security-tracker.debian.org

cve-2024-20328

clamav

virusevent

vulnerability

local attacker

arbitrary commands

file names

software updates

unix

5.3 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

6.7 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.7%

JSON

A vulnerability in the VirusEvent feature of ClamAV could allow a local attacker to inject arbitrary commands with the privileges of the application service account.The vulnerability is due to unsafe handling of file names. A local attacker could exploit this vulnerability by supplying a file name containing command-line sequences. When processed on a system using configuration options for the VirusEvent feature, the attacker could cause the application to execute arbitrary commands. ClamAV has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

OSVersionArchitecturePackageVersionFilename
Debian12allclamav<= 1.0.3+dfsg-1~deb12u1clamav_1.0.3+dfsg-1~deb12u1_all.deb
Debian11allclamav< 0.103.10+dfsg-0+deb11u1clamav_0.103.10+dfsg-0+deb11u1_all.deb
Debian10allclamav< 0.103.6+dfsg-0+deb10u1clamav_0.103.6+dfsg-0+deb10u1_all.deb
Debian999allclamav< 1.0.5+dfsg-1clamav_1.0.5+dfsg-1_all.deb
Debian13allclamav< 1.0.5+dfsg-1clamav_1.0.5+dfsg-1_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	12	all	clamav	<= 1.0.3+dfsg-1~deb12u1	clamav_1.0.3+dfsg-1~deb12u1_all.deb
Debian	11	all	clamav	< 0.103.10+dfsg-0+deb11u1	clamav_0.103.10+dfsg-0+deb11u1_all.deb
Debian	10	all	clamav	< 0.103.6+dfsg-0+deb10u1	clamav_0.103.6+dfsg-0+deb10u1_all.deb
Debian	999	all	clamav	< 1.0.5+dfsg-1	clamav_1.0.5+dfsg-1_all.deb
Debian	13	all	clamav	< 1.0.5+dfsg-1	clamav_1.0.5+dfsg-1_all.deb