8.1

CVE-2024-5138

Exploit
The snapctl component within snapd allows a confined snap to interact with the snapd daemon to take certain privileged actions on behalf of the snap. It was found that snapctl did not properly parse command-line arguments, allowing an unprivileged user to trigger an authorised action on behalf of the snap that would normally require administrator privileges to perform. This could possibly allow an unprivileged user to perform a denial of service or similar.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
CanonicalSnapd Version >= 2.51.6 < 2.63.1
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.83% 0.526
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
134c704f-9b21-4f2e-91b3-4a467353bcc0 8.1 2.8 5.2
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

https://bugs.launchpad.net/snapd/+bug/2065077
Patch
Exploit
Issue Tracking
https://github.com/snapcore/snapd/commit/68ee9c6aa916ab87dbfd9a26030690f2cabf1e14
Patch
https://github.com/snapcore/snapd/security/advisories/GHSA-p9v8-q5m4-pf46
Vendor Advisory
https://www.cve.org/CVERecord?id=CVE-2024-5138
Third Party Advisory