Lucene search

CanonicalVULNRICHMENT:CVE-2024-6388

HistoryJun 27, 2024 - 3:39 p.m.

CVE-2024-6388

2024-06-2715:39:04

CWE-497

canonical

github.com

cve-2024-6388

ubuntu advantage desktop daemon

pro token

plaintext argument

CVSS3

5.9

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N

AI Score

7.1

Confidence

Low

SSVC

Exploitation

poc

Automatable

Technical Impact

partial

JSON

Marco Trevisan discovered that the Ubuntu Advantage Desktop Daemon, before version 1.12, leaks the Pro token to unprivileged users by passing the token as an argument in plaintext.

ADP Affected

[
  {
    "cpes": [
      "cpe:2.3:o:canonical:ubuntu_advantage_desktop_pro:*:*:*:*:*:*:*:*"
    ],
    "vendor": "canonical",
    "product": "ubuntu_advantage_desktop_pro",
    "versions": [
      {
        "status": "affected",
        "version": "0",
        "lessThan": "1.12",
        "versionType": "semver"
      }
    ],
    "defaultStatus": "unknown"
  }
]

References

bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/2068944

github.com/canonical/ubuntu-advantage-desktop-daemon/pull/24

www.cve.org/CVERecord?id=CVE-2024-6388

CVSS3

5.9

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N

AI Score

7.1

Confidence

Low

SSVC

Exploitation

poc

Automatable

Technical Impact

partial

JSON

Related for VULNRICHMENT:CVE-2024-6388