CVE-2024-29905

HIGH

DIRAC <8.0.41 - Info Disclosure

Title source: llm

Description

DIRAC is an interware, meaning a software framework for distributed computing. Prior to version 8.0.41, during the proxy generation process (e.g., when using `dirac-proxy-init`), it is possible for unauthorized users on the same machine to gain read access to the proxy. This allows the user to then perform any action that is possible with the original proxy. This vulnerability only exists for a short period of time (sub-millsecond) during the generation process. Version 8.0.41 contains a patch for the issue. As a workaround, setting the `X509_USER_PROXY` environment variable to a path that is inside a directory that is only readable to the current user avoids the potential risk. After the file has been written, it can be safely copied to the standard location (`/tmp/x509up_uNNNN`).

References (2)

[Vendor Advisory] https://github.com/DIRACGrid/DIRAC/security/advisories/GHSA-v6f3-gh5h-mqwx

[Patch] https://github.com/DIRACGrid/DIRAC/commit/1faa709341969a6321e29c843ca94039d33b2c3d

View Patch ZIP pw:eip

Scores

CVSS v3 8.1

EPSS 0.0008

EPSS Percentile 22.6%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-668

Status published

Products (2)

diracgrid/dirac < 8.0.41

pypi/DIRAC 0 - 8.0.41PyPI

Published Apr 09, 2024

Tracked Since Feb 18, 2026