Lucene search

GoogleOSV:GO-2024-3009

HistoryAug 06, 2024 - 10:03 p.m.

snapd failed to properly check the destination of symbolic links when extracting a snap in github.com/snapcore/snapd

2024-08-0622:03:16

Google

osv.dev

snapd

symbolic links

vulnerability

github

software

CVSS3

7.3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

AI Score

6.5

Confidence

Low

JSON

snapd failed to properly check the destination of symbolic links when extracting a snap in github.com/snapcore/snapd.

NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.

(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)

The additional affected modules and versions are: github.com/snapcore/snapd before v2.62.0.

References

github.com/advisories/GHSA-69p6-gp5x-j269

github.com/snapcore/snapd/commit/b66fee81606a1c05f965a876ccbaf44174194063

github.com/snapcore/snapd/pull/13682

nvd.nist.gov/vuln/detail/CVE-2024-29069

CVSS3

7.3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

AI Score

6.5

Confidence

Low

JSON

Related for OSV:GO-2024-3009