Lucene search

GoogleOSV:GO-2024-3008

HistoryAug 06, 2024 - 10:03 p.m.

snapd failed to properly check the file type when extracting a snap in github.com/snapcore/snapd

2024-08-0622:03:16

Google

osv.dev

snapd

file type check

vulnerability

github.com/snapcore/snapd

software

v2.62.0

CVSS3

6.6

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:H

AI Score

6.5

Confidence

Low

JSON

snapd failed to properly check the file type when extracting a snap in github.com/snapcore/snapd.

NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.

(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)

The additional affected modules and versions are: github.com/snapcore/snapd before v2.62.0.

References

github.com/advisories/GHSA-64jh-cjwc-w8q6

github.com/snapcore/snapd/commit/b66fee81606a1c05f965a876ccbaf44174194063

github.com/snapcore/snapd/pull/13682

nvd.nist.gov/vuln/detail/CVE-2024-29068

CVSS3

6.6

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:H

AI Score

6.5

Confidence

Low

JSON

Related for OSV:GO-2024-3008