CVE-2024-6760 Information

Description

A logic bug in the code that disables kernel tracing for setuid programs meant that tracing was not disabled when it should have been, allowing unprivileged users to trace and inspect the behavior of setuid programs.

The bug may be used by an unprivileged user to read the contents of files to which they would not otherwise have access, such as the local password database.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Reference

https://security.freebsd.org/advisories/FreeBSD-SA-24:06.ktrace.asc

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

Base Score

7.5

Base Severity

HIGH
