PT-2024-31395 · Bareos
Published: 2024-09-10 · Updated: 2024-09-14 · CVE-2024-45044
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Bareos versions prior to 21.1.11
Bareos versions prior to 22.1.6
Bareos versions prior to 23.0.4
Description
The issue concerns the command ACL in Bareos: command restrictions can be bypassed using abbreviations. When a command ACL is in place and a user executes a command in bconsole using an abbreviated form, the ACL check is applied to the abbreviated string as typed rather than to the full command it expands to, so a negative entry for the full command name does not match. This allows users to execute commands that the ACL is meant to forbid. The problem does not occur if only positive command ACL entries are used, without any negation.
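The following is an added, constructed model of the check described above; it is not Bareos code. It assumes a small hypothetical command table, `!` as the negation prefix and `*all*` as the catch-all entry (in the style of a Bareos Command ACL), and first-match-wins evaluation, and shows the vulnerable check beside the corrected one that expands the abbreviation before consulting the ACL.

```python
from typing import List, Optional

# Hypothetical command table (constructed for this example). A typed token
# is accepted as an abbreviation when it is a unique prefix of one command.
COMMANDS = ["delete", "purge", "list", "status", "run"]


def expand(token: str) -> Optional[str]:
    """Resolve an abbreviation to its full command; None if unknown or ambiguous."""
    matches = [c for c in COMMANDS if c.startswith(token)]
    return matches[0] if len(matches) == 1 else None


def acl_allows(acl: List[str], name: str) -> bool:
    """First matching ACL entry decides; '!' negates, '*all*' matches any command.

    No matching entry means deny.
    """
    for entry in acl:
        negate = entry.startswith("!")
        pattern = entry[1:] if negate else entry
        if pattern == "*all*" or pattern == name:
            return not negate
    return False


def vulnerable_check(acl: List[str], typed: str) -> bool:
    """Flawed behaviour from the advisory: the ACL sees the string as typed.

    '!delete' never matches the token 'del', so a trailing '*all*' allows it.
    """
    return acl_allows(acl, typed)


def fixed_check(acl: List[str], typed: str) -> bool:
    """Corrected behaviour: expand the abbreviation first, then check the ACL."""
    full = expand(typed)
    if full is None:
        return False  # unknown or ambiguous token: refuse rather than guess
    return acl_allows(acl, full)


if __name__ == "__main__":
    deny_list = ["!delete", "!purge", "*all*"]  # negative ACL with catch-all
    print("vulnerable, 'delete':", vulnerable_check(deny_list, "delete"))  # False
    print("vulnerable, 'del':   ", vulnerable_check(deny_list, "del"))     # True (bypass)
    print("fixed,      'del':   ", fixed_check(deny_list, "del"))          # False
```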
Recommendations
For versions prior to 21.1.11, update to version 21.1.11 or later.
For versions prior to 22.1.6, update to version 22.1.6 or later.
For versions prior to 23.0.4, update to version 23.0.4 or later.
As a temporary workaround, consider disabling the use of abbreviated commands in bconsole until a patch is available. Restrict access to the command ACL component to minimize the risk of exploitation. Avoid using negative ACLs with abbreviations in the command ACL configuration until the issue is resolved.

Weakness Enumeration: Improper Authorization
Related Identifiers: CVE-2024-45044, GHSA-JFWW-Q346-R2R8
Affected Products: Bareos