CVE-2024-11584

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-11584
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-11584.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-11584
Published
2025-06-26T10:15:24Z
Modified
2025-07-01T15:26:10.779669Z
Summary
[none]
Details

cloud-init through 25.1.2 includes the systemd socket unit cloud-init-hotplugd.socket with default SocketMode that grants 0666 permissions, making it world-writable. This is used for the "/run/cloud-init/hook-hotplug-cmd" FIFO. An unprivileged user could trigger hotplug-hook commands.

Affected packages

Debian:11 / cloud-init

Package

Name
cloud-init
Purl
pkg:deb/debian/cloud-init?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 Unknown introduced version / All previous versions are affected

Affected versions

20.*

20.4.1-2
20.4.1-2+deb11u1

21.*

21.2-1
21.3-1
21.3-2
21.4-1
21.4-2
21.4-3

22.*

22.2-1~bpo11+1
22.2-1
22.2-2
22.2-3
22.2-3.1
22.4.2-1

23.*

23.2-1
23.2.1-1
23.3.1-1

24.*

24.1.1-1
24.1.1-2
24.1.3-1
24.1.4-1
24.1.4-2
24.1.6-1
24.1.7-1
24.1.7-2
24.1.7-3
24.2-1
24.3.1-1
24.3.1-2
24.4-1
24.4.1-1
24.4.1-2

25.*

25.1-1
25.1.1-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / cloud-init

Package

Name
cloud-init
Purl
pkg:deb/debian/cloud-init?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 Unknown introduced version / All previous versions are affected

Affected versions

22.*

22.4.2-1
22.4.2-1+deb12u1
22.4.2-1+deb12u2

23.*

23.2-1
23.2.1-1
23.3.1-1

24.*

24.1.1-1
24.1.1-2
24.1.3-1
24.1.4-1
24.1.4-2
24.1.6-1
24.1.7-1
24.1.7-2
24.1.7-3
24.2-1
24.3.1-1
24.3.1-2
24.4-1
24.4.1-1
24.4.1-2

25.*

25.1-1
25.1.1-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / cloud-init

Package

Name
cloud-init
Purl
pkg:deb/debian/cloud-init?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 Unknown introduced version / All previous versions are affected

Affected versions

22.*

22.4.2-1

23.*

23.2-1
23.2.1-1
23.3.1-1

24.*

24.1.1-1
24.1.1-2
24.1.3-1
24.1.4-1
24.1.4-2
24.1.6-1
24.1.7-1
24.1.7-2
24.1.7-3
24.2-1
24.3.1-1
24.3.1-2
24.4-1
24.4.1-1
24.4.1-2

25.*

25.1-1
25.1.1-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/canonical/cloud-init

Affected ranges

Type
GIT
Repo
https://github.com/canonical/cloud-init
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

0.*

0.5.0
0.5.1
0.5.10
0.5.11
0.5.12
0.5.13
0.5.14
0.5.15
0.5.16pre1
0.5.2
0.5.3
0.5.4
0.5.5
0.5.6
0.5.8
0.6.0
0.6.1
0.6.2
0.6.3
0.7.0
0.7.1
0.7.2
0.7.3
0.7.4
0.7.5
0.7.6
0.7.7
0.7.8
0.7.9

17.*

17.1
17.2

18.*

18.1
18.2
18.3
18.4
18.5

19.*

19.1
19.2
19.3
19.4

20.*

20.1
20.2
20.3
20.4
20.4.1

21.*

21.1
21.2
21.3
21.4

22.*

22.1
22.2
22.3
22.4

23.*

23.1
23.2
23.3
23.4

24.*

24.2
24.3
24.4

25.*

25.1
25.1.1
25.1.2