ISN 2024-12: Vulnerability in Starter License Verification
First published 15 May 2024
CVSS 3.1: 7.8 (high)
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
A security vulnerability has been found in the Starter License verification mechanism in IGEL OS. This affects the following IGEL products:
- IGEL OS 12
- IGEL OS 11
Details
An issue in the code verifying the validity of the Starter License can enable a local attacker to execute arbitrary commands as a non-privileged user. This vulnerability is rated as high.
IGEL would like to thank Zack Didcott for coordinated disclosure.
Update Instructions
- OS 12: Update to version 12.4.0 of the IGEL OS 12 base system.
- OS 11: Update to IGEL OS version 11.10.100.
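To check a device inventory against the fixed releases listed above, the following is an added example, not IGEL's own tooling. It assumes that any version on the OS 11 or OS 12 line below the fixed release still needs the update; the device names, inventory and function names are constructed for illustration.

```python
import re

# Fixed releases from the advisory's Update Instructions, keyed by major line.
FIXED = {12: (12, 4, 0), 11: (11, 10, 100)}


def parse_version(text):
    """Return a tuple of ints for a dotted version such as '11.09.260', else None."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+){1,3}", text):
        return None
    # int() drops zero padding, so '11.09.260' and '11.9.260' compare the same.
    return tuple(int(part) for part in text.split("."))


def classify(version_text):
    """Return 'fixed', 'needs-update' or 'unknown' for one reported OS version."""
    version = parse_version(version_text)
    if version is None or version[0] not in FIXED:
        return "unknown"  # malformed string, or a major line the advisory does not list
    fixed = FIXED[version[0]]
    # Pad both tuples so '12.4' is compared as 12.4.0 rather than sorting below it.
    width = max(len(version), len(fixed))
    version += (0,) * (width - len(version))
    fixed += (0,) * (width - len(fixed))
    # Assumption: releases below the fixed version on the same line need the update.
    return "fixed" if version >= fixed else "needs-update"


def triage(inventory):
    """Group device names by status; inventory maps device name -> version string."""
    report = {"fixed": [], "needs-update": [], "unknown": []}
    for device, version_text in inventory.items():
        report[classify(version_text)].append(device)
    return {status: sorted(names) for status, names in report.items()}


# Constructed sample inventory (hypothetical device names and versions).
SAMPLE_INVENTORY = {
    "kiosk-01": "11.09.260",
    "kiosk-02": "11.10.100",
    "desk-07": "12.3.2",
    "desk-08": "12.4.0",
    "lab-03": "10.06.190",
    "lab-04": "n/a",
}

if __name__ == "__main__":
    for status, devices in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(devices) or '-'}")
```

Versions are compared as integer tuples because a plain string comparison would rank 11.9.260 above 11.10.100 and report an unpatched device as fixed.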
References
- CWE-427: Uncontrolled Search Path Element: https://cwe.mitre.org/data/definitions/427.html