CVE-2024-5138 (GCVE-0-2024-5138)
Vulnerability from cvelistv5
Published
2024-05-31 21:02
Modified
2024-09-06 19:48
Severity ?
8.1 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Summary
The snapctl component within snapd allows a confined snap to interact with the snapd daemon to take certain privileged actions on behalf of the snap. It was found that snapctl did not properly parse command-line arguments, allowing an unprivileged user to trigger an authorised action on behalf of the snap that would normally require administrator privileges to perform. This could possibly allow an unprivileged user to perform a denial of service or similar.
References
Impacted products
Vendor Product Version
Canonical Ltd. snapd Version: 0   < 68ee9c6aa916ab87dbfd9a26030690f2cabf1e14
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-01T21:03:10.778Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "patch",
              "x_transferred"
            ],
            "url": "https://github.com/snapcore/snapd/commit/68ee9c6aa916ab87dbfd9a26030690f2cabf1e14"
          },
          {
            "tags": [
              "issue-tracking",
              "x_transferred"
            ],
            "url": "https://bugs.launchpad.net/snapd/+bug/2065077"
          },
          {
            "tags": [
              "issue-tracking",
              "x_transferred"
            ],
            "url": "https://www.cve.org/CVERecord?id=CVE-2024-5138"
          },
          {
            "tags": [
              "issue-tracking",
              "x_transferred"
            ],
            "url": "https://github.com/snapcore/snapd/security/advisories/GHSA-p9v8-q5m4-pf46"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:canonical:snapd:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "snapd",
            "vendor": "canonical",
            "versions": [
              {
                "lessThan": "68ee9c6aa916ab87dbfd9a26030690f2cabf1e14",
                "status": "affected",
                "version": "0",
                "versionType": "git"
              }
            ]
          }
        ],
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 8.1,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-5138",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-08-07T19:03:04.672013Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-20",
                "description": "CWE-20 Improper Input Validation",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-06T19:48:49.508Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "packageName": "snapd",
          "platforms": [
            "Linux"
          ],
          "product": "snapd",
          "repo": "https://github.com/snapcore/snapd",
          "vendor": "Canonical Ltd.",
          "versions": [
            {
              "lessThan": "68ee9c6aa916ab87dbfd9a26030690f2cabf1e14",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Rory McNamara from Snyk Security Labs"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The snapctl component within snapd allows a confined snap to interact with the snapd daemon to take certain privileged actions on behalf of the snap. It was found that snapctl did not properly parse command-line arguments, allowing an unprivileged user to trigger an authorised action on behalf of the snap that would normally require administrator privileges to perform. This could possibly allow an unprivileged user to perform a denial of service or similar."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-06-19T01:17:51.897Z",
        "orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
        "shortName": "canonical"
      },
      "references": [
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/snapcore/snapd/commit/68ee9c6aa916ab87dbfd9a26030690f2cabf1e14"
        },
        {
          "tags": [
            "issue-tracking"
          ],
          "url": "https://bugs.launchpad.net/snapd/+bug/2065077"
        },
        {
          "tags": [
            "issue-tracking"
          ],
          "url": "https://www.cve.org/CVERecord?id=CVE-2024-5138"
        },
        {
          "tags": [
            "issue-tracking"
          ],
          "url": "https://github.com/snapcore/snapd/security/advisories/GHSA-p9v8-q5m4-pf46"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
    "assignerShortName": "canonical",
    "cveId": "CVE-2024-5138",
    "datePublished": "2024-05-31T21:02:19.979Z",
    "dateReserved": "2024-05-19T22:29:02.330Z",
    "dateUpdated": "2024-09-06T19:48:49.508Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/snapcore/snapd/commit/68ee9c6aa916ab87dbfd9a26030690f2cabf1e14\", \"tags\": [\"patch\", \"x_transferred\"]}, {\"url\": \"https://bugs.launchpad.net/snapd/+bug/2065077\", \"tags\": [\"issue-tracking\", \"x_transferred\"]}, {\"url\": \"https://www.cve.org/CVERecord?id=CVE-2024-5138\", \"tags\": [\"issue-tracking\", \"x_transferred\"]}, {\"url\": \"https://github.com/snapcore/snapd/security/advisories/GHSA-p9v8-q5m4-pf46\", \"tags\": [\"issue-tracking\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-01T21:03:10.778Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 8.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"NONE\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-5138\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-08-07T19:03:04.672013Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:canonical:snapd:*:*:*:*:*:*:*:*\"], \"vendor\": \"canonical\", \"product\": \"snapd\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"68ee9c6aa916ab87dbfd9a26030690f2cabf1e14\", \"versionType\": \"git\"}], \"defaultStatus\": \"unknown\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-20\", \"description\": \"CWE-20 Improper Input Validation\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-08-12T20:28:30.938Z\"}}], \"cna\": {\"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Rory McNamara from Snyk Security Labs\"}], \"affected\": [{\"repo\": \"https://github.com/snapcore/snapd\", \"vendor\": \"Canonical Ltd.\", \"product\": \"snapd\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"68ee9c6aa916ab87dbfd9a26030690f2cabf1e14\", \"versionType\": \"custom\"}], \"platforms\": [\"Linux\"], \"packageName\": \"snapd\"}], \"references\": [{\"url\": \"https://github.com/snapcore/snapd/commit/68ee9c6aa916ab87dbfd9a26030690f2cabf1e14\", \"tags\": [\"patch\"]}, {\"url\": \"https://bugs.launchpad.net/snapd/+bug/2065077\", \"tags\": [\"issue-tracking\"]}, {\"url\": \"https://www.cve.org/CVERecord?id=CVE-2024-5138\", \"tags\": [\"issue-tracking\"]}, {\"url\": \"https://github.com/snapcore/snapd/security/advisories/GHSA-p9v8-q5m4-pf46\", \"tags\": [\"issue-tracking\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"The snapctl component within snapd allows a confined snap to interact with the snapd daemon to take certain privileged actions on behalf of the snap. It was found that snapctl did not properly parse command-line arguments, allowing an unprivileged user to trigger an authorised action on behalf of the snap that would normally require administrator privileges to perform. This could possibly allow an unprivileged user to perform a denial of service or similar.\"}], \"providerMetadata\": {\"orgId\": \"cc1ad9ee-3454-478d-9317-d3e869d708bc\", \"shortName\": \"canonical\", \"dateUpdated\": \"2024-06-19T01:17:51.897Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-5138\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-09-06T19:48:49.508Z\", \"dateReserved\": \"2024-05-19T22:29:02.330Z\", \"assignerOrgId\": \"cc1ad9ee-3454-478d-9317-d3e869d708bc\", \"datePublished\": \"2024-05-31T21:02:19.979Z\", \"assignerShortName\": \"canonical\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.