Fluid Attacks Database

Description

An issue was discovered in Ubuntu wpa_supplicant that resulted in loading of arbitrary shared objects, which allows a local unprivileged attacker to escalate privileges to the user that wpa_supplicant runs as (usually root). Membership in the netdev group or access to the dbus interface of wpa_supplicant allow an unprivileged user to specify an arbitrary path to a module to be loaded by the wpa_supplicant process; other escalation paths might exist.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 12	wpa	=2:2.10-12 \|\| =2:2.10-12+deb12u1 \|\| >=0 <2:2.10-12+deb12u2	2:2.10-12+deb12u2
debian 13	wpa	>=0 <2:2.10-22	2:2.10-22
debian 14	wpa	>=0 <2:2.10-22	2:2.10-22
debian 11	wpa	=2:2.9.0-21 \|\| =2:2.9.0-21+deb11u1 \|\| >=0 <2:2.9.0-21+deb11u2	2:2.9.0-21+deb11u2
rpm rhel9	wpa_supplicant	-	-
rpm rhel10	wpa_supplicant	-	-
rpm rhel6	wpa_supplicant	-	-

Aliases

1. CVE-2024-52902. NVD-2024-52903. OSV-DEBIAN-2024-52904. OSV-2024-52905. SECURITY-TRACKER-CVE-2024-5290

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.