| Name | CVE-2024-3019 |
| Description | A flaw was found in PCP. The default pmproxy configuration exposes the Redis server backend to the local network, allowing remote command execution with the privileges of the Redis user. This issue can only be exploited when pmproxy is running. By default, pmproxy is not running and needs to be started manually. The pmproxy service is usually started from the 'Metrics settings' page of the Cockpit web interface. This flaw affects PCP versions 4.3.4 and newer. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| Debian Bugs | 1068112 |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|
| pcp (PTS) | jessie | 3.9.10 | vulnerable |
| buster | 4.3.2+really4.3.1-0.1 | fixed |
| bullseye | 5.2.6-1 | vulnerable |
| bookworm | 6.0.3-1.1 | vulnerable |
| trixie | 6.2.0-1 | vulnerable |
| sid | 6.2.0-1.1 | vulnerable |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|
| pcp | source | jessie | (unfixed) | end-of-life | | |
| pcp | source | buster | (not affected) | | | |
| pcp | source | (unstable) | (unfixed) | | | 1068112 |
Notes
[bookworm] - pcp <no-dsa> (Minor issue)
[bullseye] - pcp <no-dsa> (Minor issue)
[buster] - pcp <not-affected> (Vulnerable code not present)
https://bugzilla.redhat.com/show_bug.cgi?id=2271898
Fixed by: https://github.com/performancecopilot/pcp/commit/3bde240a2acc85e63e2f7813330713dd9b59386e