CVE-2024-3019
Severity: HIGH
PCP pmproxy >=4.3.4 - Remote Command Execution via Exposed Redis Backend
Title source: manual
Description
A flaw was found in PCP. The default pmproxy configuration exposes the Redis server backend to the local network, allowing remote command execution with the privileges of the Redis user. This issue can only be exploited when pmproxy is running. By default, pmproxy is not running and needs to be started manually. The pmproxy service is usually started from the 'Metrics settings' page of the Cockpit web interface. This flaw affects PCP versions 4.3.4 and newer.
References (10)
Vendor Advisory (vendor-advisory, x_refsource_redhat): https://access.redhat.com/errata/RHSA-2024:2566
Vendor Advisory (vendor-advisory, x_refsource_redhat): https://access.redhat.com/errata/RHSA-2024:3264
Vendor Advisory (vendor-advisory, x_refsource_redhat): https://access.redhat.com/errata/RHSA-2024:3321
Vendor Advisory (vendor-advisory, x_refsource_redhat): https://access.redhat.com/errata/RHSA-2024:3322
Vendor Advisory (vendor-advisory, x_refsource_redhat): https://access.redhat.com/errata/RHSA-2024:3323
Vendor Advisory (vendor-advisory, x_refsource_redhat): https://access.redhat.com/errata/RHSA-2024:3324
Vendor Advisory (vendor-advisory, x_refsource_redhat): https://access.redhat.com/errata/RHSA-2024:3325
Vendor Advisory (vendor-advisory, x_refsource_redhat): https://access.redhat.com/errata/RHSA-2024:3392
Vendor Advisory (vdb-entry, x_refsource_redhat): https://access.redhat.com/security/cve/CVE-2024-3019
Issue Tracking (issue-tracking, x_refsource_redhat): https://bugzilla.redhat.com/show_bug.cgi?id=2271898
Scores
CVSS v3: 8.8
EPSS: 0.0100
EPSS Percentile: 58.2%
Attack Vector: ADJACENT_NETWORK
CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: no
Technical Impact: total
Details
CWE: CWE-668
Status: published
Products (13)
Red Hat/Red Hat Enterprise Linux 10
Red Hat/Red Hat Enterprise Linux 6
Red Hat/Red Hat Enterprise Linux 7
Red Hat/Red Hat Enterprise Linux 8: 0:5.3.7-20.el8_10
Red Hat/Red Hat Enterprise Linux 8.2 Advanced Update Support: 0:5.0.2-8.el8_2
Red Hat/Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support: 0:5.2.5-7.el8_4
Red Hat/Red Hat Enterprise Linux 8.4 Telecommunications Update Service: 0:5.2.5-7.el8_4
Red Hat/Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions: 0:5.2.5-7.el8_4
Red Hat/Red Hat Enterprise Linux 8.6 Extended Update Support: 0:5.3.5-9.el8_6
Red Hat/Red Hat Enterprise Linux 8.8 Extended Update Support: 0:5.3.7-18.el8_8
... and 3 more
Published: Mar 28, 2024
Tracked Since: Feb 18, 2026