Lucene search

GoogleOSV:GO-2024-3007

HistoryAug 06, 2024 - 10:03 p.m.

snapd failed to restrict writes to the $HOME/bin path in github.com/snapcore/snapd

2024-08-0622:03:16

Google

osv.dev

snapd; restrict writes; $home/bin; github.com/snapcore/snapd; vulnerability scanners; false-positive reports; additional affected modules; versions; v2.62.0

CVSS3

8.2

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

AI Score

6.5

Confidence

Low

EPSS

0.001

Percentile

20.8%

JSON

snapd failed to restrict writes to the $HOME/bin path in github.com/snapcore/snapd.

NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.

(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)

The additional affected modules and versions are: github.com/snapcore/snapd before v2.62.0.

References

github.com/advisories/GHSA-4mh8-9689-38vr

github.com/snapcore/snapd/commit/aa191f97713de8dc3ce3ac818539f0b976eb8ef6

github.com/snapcore/snapd/pull/13689

gld.mcphail.uk/posts/explaining-cve-2024-1724

nvd.nist.gov/vuln/detail/CVE-2024-1724

CVSS3

8.2

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

AI Score

6.5

Confidence

Low

EPSS

0.001

Percentile

20.8%

JSON

Related for OSV:GO-2024-3007