CVE-2024-24582 - Vulnerability Details

Improper input validation in XmlCli feature for UEFI firmware for some Intel(R) processors may allow privileged user to potentially enable escalation of privilege via local access.

Attack Vector Local

Attack Complexity High

Privileges Required High

Attack Requirements Present

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact High

Subsequent System Integrity Impact High

Subsequent System Availability Impact High

Attack Vector Local

Attack Complexity High

Privileges Required High

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact total

Vendors	Products
Redhat	Enterprise Linux Rhel Aus Rhel E4s Rhel Els Rhel Eus Rhel Tus

No data.

Package	CPE	Advisory	Released Date
Red Hat Enterprise Linux 7.7 Advanced Update Support
microcode_ctl-2:2.1-53.25.el7_7.1	cpe:/o:redhat:rhel_aus:7.7	RHBA-2025:2428	2025-03-06T00:00:00Z
Red Hat Enterprise Linux 7 Extended Lifecycle Support
microcode_ctl-2:2.1-73.23.el7_9	cpe:/o:redhat:rhel_els:7	RHEA-2025:2427	2025-03-06T00:00:00Z
Red Hat Enterprise Linux 8.2 Advanced Update Support
microcode_ctl-4:20191115-4.20250211.1.el8_2	cpe:/o:redhat:rhel_aus:8.2	RHEA-2025:2424	2025-03-06T00:00:00Z
Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
microcode_ctl-4:20210216-1.20250211.1.el8_4	cpe:/o:redhat:rhel_aus:8.4	RHEA-2025:2423	2025-03-06T00:00:00Z
Red Hat Enterprise Linux 8.4 Telecommunications Update Service
microcode_ctl-4:20210216-1.20250211.1.el8_4	cpe:/o:redhat:rhel_tus:8.4	RHEA-2025:2423	2025-03-06T00:00:00Z
Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
microcode_ctl-4:20210216-1.20250211.1.el8_4	cpe:/o:redhat:rhel_e4s:8.4	RHEA-2025:2423	2025-03-06T00:00:00Z
Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
microcode_ctl-4:20220207-1.20250211.1.el8_6	cpe:/o:redhat:rhel_aus:8.6	RHEA-2025:2422	2025-03-06T00:00:00Z
Red Hat Enterprise Linux 8.6 Telecommunications Update Service
microcode_ctl-4:20220207-1.20250211.1.el8_6	cpe:/o:redhat:rhel_tus:8.6	RHEA-2025:2422	2025-03-06T00:00:00Z
Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
microcode_ctl-4:20220207-1.20250211.1.el8_6	cpe:/o:redhat:rhel_e4s:8.6	RHEA-2025:2422	2025-03-06T00:00:00Z
Red Hat Enterprise Linux 8.8 Extended Update Support
microcode_ctl-4:20220809-2.20250211.1.el8_8	cpe:/o:redhat:rhel_eus:8.8	RHEA-2025:2421	2025-03-06T00:00:00Z
Red Hat Enterprise Linux 9
microcode_ctl-4:20240910-1.20250211.1.el9_5	cpe:/o:redhat:enterprise_linux:9	RHBA-2025:2991	2025-03-18T00:00:00Z
Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions
microcode_ctl-4:20220207-1.20250211.1.el9_0	cpe:/o:redhat:rhel_e4s:9.0	RHEA-2025:2419	2025-03-06T00:00:00Z
Red Hat Enterprise Linux 9.2 Extended Update Support
microcode_ctl-4:20220809-2.20250211.1.el9_2	cpe:/o:redhat:rhel_eus:9.2	RHEA-2025:2420	2025-03-06T00:00:00Z
Red Hat Enterprise Linux 9.4 Extended Update Support
microcode_ctl-4:20230808-2.20250211.1.el9_4	cpe:/o:redhat:rhel_eus:9.4	RHEA-2025:2418	2025-03-06T00:00:00Z

References

Link	Providers
https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01139.html
https://nvd.nist.gov/vuln/detail/CVE-2024-24582
https://www.cve.org/CVERecord?id=CVE-2024-24582

History

Fri, 21 Mar 2025 15:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat enterprise Linux Redhat rhel Els
CPEs		cpe:/o:redhat:enterprise_linux:9 cpe:/o:redhat:rhel_aus:8.2 cpe:/o:redhat:rhel_aus:8.4 cpe:/o:redhat:rhel_e4s:8.4 cpe:/o:redhat:rhel_e4s:9.0 cpe:/o:redhat:rhel_els:7 cpe:/o:redhat:rhel_eus:8.8 cpe:/o:redhat:rhel_eus:9.2 cpe:/o:redhat:rhel_tus:8.4
Vendors & Products		Redhat enterprise Linux Redhat rhel Els

Thu, 20 Mar 2025 15:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat Redhat rhel Aus Redhat rhel E4s Redhat rhel Eus Redhat rhel Tus
CPEs		cpe:/o:redhat:rhel_aus:7.7 cpe:/o:redhat:rhel_aus:8.6 cpe:/o:redhat:rhel_e4s:8.6 cpe:/o:redhat:rhel_eus:9.4 cpe:/o:redhat:rhel_tus:8.6
Vendors & Products		Redhat Redhat rhel Aus Redhat rhel E4s Redhat rhel Eus Redhat rhel Tus

Fri, 14 Feb 2025 01:45:00 +0000

Type	Values Removed	Values Added
Title		microcode_ctl: Improper input validation in XmlCli feature for UEFI firmware
References		https://nvd.nist.gov/vuln/detail/CVE-2024-24582 https://www.cve.org/CVERecord?id=CVE-2024-24582
Metrics	threat_severity `None`	threat_severity `Important`

Thu, 13 Feb 2025 20:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Wed, 12 Feb 2025 21:30:00 +0000

Type	Values Removed	Values Added
Description		Improper input validation in XmlCli feature for UEFI firmware for some Intel(R) processors may allow privileged user to potentially enable escalation of privilege via local access.
Weaknesses		CWE-20
References		https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01139.html
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H'}` cvssV4_0 `{'score': 8.7, 'vector': 'CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}`

MITRE

Status: PUBLISHED

Assigner: intel

Published: 2025-02-12T21:19:27.722Z

Updated: 2025-02-13T19:49:24.698Z

Reserved: 2024-03-27T03:00:07.339Z

Link: CVE-2024-24582

Vulnrichment

Updated: 2025-02-13T19:49:08.242Z

NVD

Status : Received

Published: 2025-02-12T22:15:31.367

Modified: 2025-02-12T22:15:31.367

Link: CVE-2024-24582

Redhat

Severity : Important

Publid Date: 2025-02-12T21:19:27Z

Links: CVE-2024-24582 - Bugzilla

Metrics

Attack Vector Local

Attack Complexity High

Privileges Required High

Attack Requirements Present

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact High

Subsequent System Integrity Impact High

Subsequent System Availability Impact High

Attack Vector Local

Attack Complexity High

Privileges Required High

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object