CVE-2024-5138 (GCVE-0-2024-5138)

Vulnerability from cvelistv5 – Published: 2024-05-31 21:02 – Updated: 2024-09-06 19:48

Summary

The snapctl component within snapd allows a confined snap to interact with the snapd daemon to take certain privileged actions on behalf of the snap. It was found that snapctl did not properly parse command-line arguments, allowing an unprivileged user to trigger an authorised action on behalf of the snap that would normally require administrator privileges to perform. This could possibly allow an unprivileged user to perform a denial of service or similar.

Severity ?

8.1 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

CWE

CWE-20 - Improper Input Validation

Assigner

canonical

References

URL

Tags

	https://github.com/snapcore/snapd/commit/68ee9c6a…	patch
	https://bugs.launchpad.net/snapd/+bug/2065077	issue-tracking
	https://www.cve.org/CVERecord?id=CVE-2024-5138	issue-tracking
	https://github.com/snapcore/snapd/security/adviso…	issue-tracking

Impacted products

	Vendor	Product	Version
	Canonical Ltd.	snapd	Affected: 0 , < 68ee9c6aa916ab87dbfd9a26030690f2cabf1e14 (custom)

Credits

Rory McNamara from Snyk Security Labs

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-01T21:03:10.778Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "patch",
              "x_transferred"
            ],
            "url": "https://github.com/snapcore/snapd/commit/68ee9c6aa916ab87dbfd9a26030690f2cabf1e14"
          },
          {
            "tags": [
              "issue-tracking",
              "x_transferred"
            ],
            "url": "https://bugs.launchpad.net/snapd/+bug/2065077"
          },
          {
            "tags": [
              "issue-tracking",
              "x_transferred"
            ],
            "url": "https://www.cve.org/CVERecord?id=CVE-2024-5138"
          },
          {
            "tags": [
              "issue-tracking",
              "x_transferred"
            ],
            "url": "https://github.com/snapcore/snapd/security/advisories/GHSA-p9v8-q5m4-pf46"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:canonical:snapd:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "snapd",
            "vendor": "canonical",
            "versions": [
              {
                "lessThan": "68ee9c6aa916ab87dbfd9a26030690f2cabf1e14",
                "status": "affected",
                "version": "0",
                "versionType": "git"
              }
            ]
          }
        ],
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 8.1,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-5138",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-08-07T19:03:04.672013Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-20",
                "description": "CWE-20 Improper Input Validation",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-06T19:48:49.508Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "packageName": "snapd",
          "platforms": [
            "Linux"
          ],
          "product": "snapd",
          "repo": "https://github.com/snapcore/snapd",
          "vendor": "Canonical Ltd.",
          "versions": [
            {
              "lessThan": "68ee9c6aa916ab87dbfd9a26030690f2cabf1e14",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Rory McNamara from Snyk Security Labs"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The snapctl component within snapd allows a confined snap to interact with the snapd daemon to take certain privileged actions on behalf of the snap. It was found that snapctl did not properly parse command-line arguments, allowing an unprivileged user to trigger an authorised action on behalf of the snap that would normally require administrator privileges to perform. This could possibly allow an unprivileged user to perform a denial of service or similar."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-06-19T01:17:51.897Z",
        "orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
        "shortName": "canonical"
      },
      "references": [
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/snapcore/snapd/commit/68ee9c6aa916ab87dbfd9a26030690f2cabf1e14"
        },
        {
          "tags": [
            "issue-tracking"
          ],
          "url": "https://bugs.launchpad.net/snapd/+bug/2065077"
        },
        {
          "tags": [
            "issue-tracking"
          ],
          "url": "https://www.cve.org/CVERecord?id=CVE-2024-5138"
        },
        {
          "tags": [
            "issue-tracking"
          ],
          "url": "https://github.com/snapcore/snapd/security/advisories/GHSA-p9v8-q5m4-pf46"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
    "assignerShortName": "canonical",
    "cveId": "CVE-2024-5138",
    "datePublished": "2024-05-31T21:02:19.979Z",
    "dateReserved": "2024-05-19T22:29:02.330Z",
    "dateUpdated": "2024-09-06T19:48:49.508Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "descriptions": "[{\"lang\": \"en\", \"value\": \"The snapctl component within snapd allows a confined snap to interact with the snapd daemon to take certain privileged actions on behalf of the snap. It was found that snapctl did not properly parse command-line arguments, allowing an unprivileged user to trigger an authorised action on behalf of the snap that would normally require administrator privileges to perform. This could possibly allow an unprivileged user to perform a denial of service or similar.\"}, {\"lang\": \"es\", \"value\": \"El componente snapctl dentro de snapd permite que un complemento confinado interact\\u00fae con el daemon snapd para realizar ciertas acciones privilegiadas en nombre del complemento. Se descubri\\u00f3 que snapctl no analizaba adecuadamente los argumentos de la l\\u00ednea de comandos, lo que permit\\u00eda a un usuario sin privilegios activar una acci\\u00f3n autorizada en nombre del complemento que normalmente requerir\\u00eda privilegios de administrador para realizarse. Esto posiblemente podr\\u00eda permitir que un usuario sin privilegios realice una denegaci\\u00f3n de servicio o algo similar.\"}]",
      "id": "CVE-2024-5138",
      "lastModified": "2024-11-21T09:47:03.263",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H\", \"baseScore\": 8.1, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 5.2}]}",
      "published": "2024-05-31T21:15:09.930",
      "references": "[{\"url\": \"https://bugs.launchpad.net/snapd/+bug/2065077\", \"source\": \"security@ubuntu.com\"}, {\"url\": \"https://github.com/snapcore/snapd/commit/68ee9c6aa916ab87dbfd9a26030690f2cabf1e14\", \"source\": \"security@ubuntu.com\"}, {\"url\": \"https://github.com/snapcore/snapd/security/advisories/GHSA-p9v8-q5m4-pf46\", \"source\": \"security@ubuntu.com\"}, {\"url\": \"https://www.cve.org/CVERecord?id=CVE-2024-5138\", \"source\": \"security@ubuntu.com\"}, {\"url\": \"https://bugs.launchpad.net/snapd/+bug/2065077\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://github.com/snapcore/snapd/commit/68ee9c6aa916ab87dbfd9a26030690f2cabf1e14\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://github.com/snapcore/snapd/security/advisories/GHSA-p9v8-q5m4-pf46\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://www.cve.org/CVERecord?id=CVE-2024-5138\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]",
      "sourceIdentifier": "security@ubuntu.com",
      "vulnStatus": "Awaiting Analysis",
      "weaknesses": "[{\"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-20\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-5138\",\"sourceIdentifier\":\"security@ubuntu.com\",\"published\":\"2024-05-31T21:15:09.930\",\"lastModified\":\"2025-08-26T17:21:12.027\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The snapctl component within snapd allows a confined snap to interact with the snapd daemon to take certain privileged actions on behalf of the snap. It was found that snapctl did not properly parse command-line arguments, allowing an unprivileged user to trigger an authorised action on behalf of the snap that would normally require administrator privileges to perform. This could possibly allow an unprivileged user to perform a denial of service or similar.\"},{\"lang\":\"es\",\"value\":\"El componente snapctl dentro de snapd permite que un complemento confinado interact\u00fae con el daemon snapd para realizar ciertas acciones privilegiadas en nombre del complemento. Se descubri\u00f3 que snapctl no analizaba adecuadamente los argumentos de la l\u00ednea de comandos, lo que permit\u00eda a un usuario sin privilegios activar una acci\u00f3n autorizada en nombre del complemento que normalmente requerir\u00eda privilegios de administrador para realizarse. Esto posiblemente podr\u00eda permitir que un usuario sin privilegios realice una denegaci\u00f3n de servicio o algo similar.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H\",\"baseScore\":8.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.2}]},\"weaknesses\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-20\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:canonical:snapd:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.51.6\",\"versionEndExcluding\":\"2.63.1\",\"matchCriteriaId\":\"3929DBD2-3EFE-418A-AEB8-3D4DEF3E694F\"}]}]}],\"references\":[{\"url\":\"https://bugs.launchpad.net/snapd/+bug/2065077\",\"source\":\"security@ubuntu.com\",\"tags\":[\"Exploit\",\"Issue Tracking\",\"Patch\"]},{\"url\":\"https://github.com/snapcore/snapd/commit/68ee9c6aa916ab87dbfd9a26030690f2cabf1e14\",\"source\":\"security@ubuntu.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/snapcore/snapd/security/advisories/GHSA-p9v8-q5m4-pf46\",\"source\":\"security@ubuntu.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://www.cve.org/CVERecord?id=CVE-2024-5138\",\"source\":\"security@ubuntu.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://bugs.launchpad.net/snapd/+bug/2065077\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Issue Tracking\",\"Patch\"]},{\"url\":\"https://github.com/snapcore/snapd/commit/68ee9c6aa916ab87dbfd9a26030690f2cabf1e14\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/snapcore/snapd/security/advisories/GHSA-p9v8-q5m4-pf46\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://www.cve.org/CVERecord?id=CVE-2024-5138\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/snapcore/snapd/commit/68ee9c6aa916ab87dbfd9a26030690f2cabf1e14\", \"tags\": [\"patch\", \"x_transferred\"]}, {\"url\": \"https://bugs.launchpad.net/snapd/+bug/2065077\", \"tags\": [\"issue-tracking\", \"x_transferred\"]}, {\"url\": \"https://www.cve.org/CVERecord?id=CVE-2024-5138\", \"tags\": [\"issue-tracking\", \"x_transferred\"]}, {\"url\": \"https://github.com/snapcore/snapd/security/advisories/GHSA-p9v8-q5m4-pf46\", \"tags\": [\"issue-tracking\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-01T21:03:10.778Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 8.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"NONE\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-5138\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-08-07T19:03:04.672013Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:canonical:snapd:*:*:*:*:*:*:*:*\"], \"vendor\": \"canonical\", \"product\": \"snapd\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"68ee9c6aa916ab87dbfd9a26030690f2cabf1e14\", \"versionType\": \"git\"}], \"defaultStatus\": \"unknown\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-20\", \"description\": \"CWE-20 Improper Input Validation\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-08-12T20:28:30.938Z\"}}], \"cna\": {\"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Rory McNamara from Snyk Security Labs\"}], \"affected\": [{\"repo\": \"https://github.com/snapcore/snapd\", \"vendor\": \"Canonical Ltd.\", \"product\": \"snapd\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"68ee9c6aa916ab87dbfd9a26030690f2cabf1e14\", \"versionType\": \"custom\"}], \"platforms\": [\"Linux\"], \"packageName\": \"snapd\"}], \"references\": [{\"url\": \"https://github.com/snapcore/snapd/commit/68ee9c6aa916ab87dbfd9a26030690f2cabf1e14\", \"tags\": [\"patch\"]}, {\"url\": \"https://bugs.launchpad.net/snapd/+bug/2065077\", \"tags\": [\"issue-tracking\"]}, {\"url\": \"https://www.cve.org/CVERecord?id=CVE-2024-5138\", \"tags\": [\"issue-tracking\"]}, {\"url\": \"https://github.com/snapcore/snapd/security/advisories/GHSA-p9v8-q5m4-pf46\", \"tags\": [\"issue-tracking\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"The snapctl component within snapd allows a confined snap to interact with the snapd daemon to take certain privileged actions on behalf of the snap. It was found that snapctl did not properly parse command-line arguments, allowing an unprivileged user to trigger an authorised action on behalf of the snap that would normally require administrator privileges to perform. This could possibly allow an unprivileged user to perform a denial of service or similar.\"}], \"providerMetadata\": {\"orgId\": \"cc1ad9ee-3454-478d-9317-d3e869d708bc\", \"shortName\": \"canonical\", \"dateUpdated\": \"2024-06-19T01:17:51.897Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-5138\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-09-06T19:48:49.508Z\", \"dateReserved\": \"2024-05-19T22:29:02.330Z\", \"assignerOrgId\": \"cc1ad9ee-3454-478d-9317-d3e869d708bc\", \"datePublished\": \"2024-05-31T21:02:19.979Z\", \"assignerShortName\": \"canonical\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

FKIE_CVE-2024-5138

Vulnerability from fkie_nvd - Published: 2024-05-31 21:15 - Updated: 2025-08-26 17:21

Severity ?

8.1 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Summary

References

URL	Tags
security@ubuntu.com	https://bugs.launchpad.net/snapd/+bug/2065077	Exploit, Issue Tracking, Patch
security@ubuntu.com	https://github.com/snapcore/snapd/commit/68ee9c6aa916ab87dbfd9a26030690f2cabf1e14	Patch
security@ubuntu.com	https://github.com/snapcore/snapd/security/advisories/GHSA-p9v8-q5m4-pf46	Vendor Advisory
security@ubuntu.com	https://www.cve.org/CVERecord?id=CVE-2024-5138	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://bugs.launchpad.net/snapd/+bug/2065077	Exploit, Issue Tracking, Patch
af854a3a-2127-422b-91ae-364da2661108	https://github.com/snapcore/snapd/commit/68ee9c6aa916ab87dbfd9a26030690f2cabf1e14	Patch
af854a3a-2127-422b-91ae-364da2661108	https://github.com/snapcore/snapd/security/advisories/GHSA-p9v8-q5m4-pf46	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://www.cve.org/CVERecord?id=CVE-2024-5138	Third Party Advisory

Impacted products

	Vendor	Product	Version
	canonical	snapd	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:canonical:snapd:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "3929DBD2-3EFE-418A-AEB8-3D4DEF3E694F",
              "versionEndExcluding": "2.63.1",
              "versionStartIncluding": "2.51.6",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The snapctl component within snapd allows a confined snap to interact with the snapd daemon to take certain privileged actions on behalf of the snap. It was found that snapctl did not properly parse command-line arguments, allowing an unprivileged user to trigger an authorised action on behalf of the snap that would normally require administrator privileges to perform. This could possibly allow an unprivileged user to perform a denial of service or similar."
    },
    {
      "lang": "es",
      "value": "El componente snapctl dentro de snapd permite que un complemento confinado interact\u00fae con el daemon snapd para realizar ciertas acciones privilegiadas en nombre del complemento. Se descubri\u00f3 que snapctl no analizaba adecuadamente los argumentos de la l\u00ednea de comandos, lo que permit\u00eda a un usuario sin privilegios activar una acci\u00f3n autorizada en nombre del complemento que normalmente requerir\u00eda privilegios de administrador para realizarse. Esto posiblemente podr\u00eda permitir que un usuario sin privilegios realice una denegaci\u00f3n de servicio o algo similar."
    }
  ],
  "id": "CVE-2024-5138",
  "lastModified": "2025-08-26T17:21:12.027",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.1,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.2,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2024-05-31T21:15:09.930",
  "references": [
    {
      "source": "security@ubuntu.com",
      "tags": [
        "Exploit",
        "Issue Tracking",
        "Patch"
      ],
      "url": "https://bugs.launchpad.net/snapd/+bug/2065077"
    },
    {
      "source": "security@ubuntu.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/snapcore/snapd/commit/68ee9c6aa916ab87dbfd9a26030690f2cabf1e14"
    },
    {
      "source": "security@ubuntu.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/snapcore/snapd/security/advisories/GHSA-p9v8-q5m4-pf46"
    },
    {
      "source": "security@ubuntu.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-5138"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Issue Tracking",
        "Patch"
      ],
      "url": "https://bugs.launchpad.net/snapd/+bug/2065077"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/snapcore/snapd/commit/68ee9c6aa916ab87dbfd9a26030690f2cabf1e14"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/snapcore/snapd/security/advisories/GHSA-p9v8-q5m4-pf46"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-5138"
    }
  ],
  "sourceIdentifier": "security@ubuntu.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-20"
        }
      ],
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "type": "Secondary"
    }
  ]
}

GHSA-JRR7-64M9-X984

Vulnerability from github – Published: 2024-05-31 21:30 – Updated: 2025-01-16 17:19

Summary

Duplicate Advisory: CVE-2024-5138: snapd snapctl auth bypass

Details

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-p9v8-q5m4-pf46. This link is maintained to preserve external references.

Original Description

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/snapcore/snapd"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.51.6"
            },
            {
              "fixed": "2.63.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": true,
    "github_reviewed_at": "2025-01-16T17:19:00Z",
    "nvd_published_at": "2024-05-31T21:15:09Z",
    "severity": "HIGH"
  },
  "details": "# Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-p9v8-q5m4-pf46. This link is maintained to preserve external references.\n\n# Original Description\nThe snapctl component within snapd allows a confined snap to interact with the snapd daemon to take certain privileged actions on behalf of the snap. It was found that snapctl did not properly parse command-line arguments, allowing an unprivileged user to trigger an authorised action on behalf of the snap that would normally require administrator privileges to perform. This could possibly allow an unprivileged user to perform a denial of service or similar.",
  "id": "GHSA-jrr7-64m9-x984",
  "modified": "2025-01-16T17:19:00Z",
  "published": "2024-05-31T21:30:55Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/snapcore/snapd/security/advisories/GHSA-p9v8-q5m4-pf46"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-5138"
    },
    {
      "type": "WEB",
      "url": "https://github.com/snapcore/snapd/commit/68ee9c6aa916ab87dbfd9a26030690f2cabf1e14"
    },
    {
      "type": "WEB",
      "url": "https://bugs.launchpad.net/snapd/+bug/2065077"
    },
    {
      "type": "WEB",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-5138"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Duplicate Advisory: CVE-2024-5138: snapd snapctl auth bypass",
  "withdrawn": "2025-01-16T17:19:00Z"
}

GHSA-P9V8-Q5M4-PF46

Vulnerability from github – Published: 2025-01-16 17:19 – Updated: 2025-01-16 17:19

Summary

CVE-2024-5138: snapd snapctl auth bypass

Details

Impact

A snap with prior permissions to create a mount entry on the host, such as firefox, normally uses the permission from one of the per-snap hook programs. A unprivileged users cannot normally trigger that behaviour by using snap run --shell firefox followed by snapctl mount, since snapd validates the requesting user identity (root or non-root). The issue allows unprivileged users to bypass that check by crafting a malicious command line vector which confuses snapd into thinking the help message is requested.

Unprivileged user on a default installation of Ubuntu, where firefox is as provided as a snap, may cause a denial-of-service attack by repeatedly mounting hunspell database over and over and eventually exhausting system memory.

Other attacks, reliant on the same underying mechanism (mount), are possible. In all cases the snap must be installed and grated permission to perform this action (by connecting an appropriate snap interface), which requires administrative privileges. As such we are focusing on the case of default installation where an unprivileged user may exploit this behavior.

Patches

Patch: https://github.com/canonical/snapd/commit/68ee9c6aa916ab87dbfd9a26030690f2cabf1e14 Release: Available from Snapd 2.64

Workarounds

Users may disconnect any instances of the mount-control interface to prevent snapd from creating such mount points. For example, the firefox snap has the host-hunspell plug, which is of type mount-control. The interface can be disconnected with:

sudo snap disconnect firefox:host-hunspell

References

The original bug report was made on Launchpad: https://bugs.launchpad.net/snapd/+bug/2065077 CVE.org: https://www.cve.org/CVERecord?id=CVE-2024-5138 Canonical: https://ubuntu.com/security/CVE-2024-5138

Severity ?

4.0 (Medium)


                  
                    CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/snapcore/snapd"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.51.6"
            },
            {
              "fixed": "2.63.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/snapcore/snapd"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.0.0-20240524114846-68ee9c6aa916"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-5138"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-285"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-01-16T17:19:07Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nA snap with prior permissions to create a mount entry on the host, such as firefox, normally uses the permission from one of the per-snap hook programs. A unprivileged users cannot normally trigger that behaviour by using `snap run --shell firefox` followed by `snapctl mount`, since snapd validates the requesting user identity (root or non-root). The issue allows unprivileged users to bypass that check by crafting a malicious command line vector which confuses snapd into thinking the help message is requested.\n\nUnprivileged user on a default installation of Ubuntu, where firefox is as provided as a snap, may cause a denial-of-service attack by repeatedly mounting hunspell database over and over and eventually exhausting system memory.\n\nOther attacks, reliant on the same underying mechanism (mount), are possible. In all cases the snap must be installed and grated permission to perform this action (by connecting an appropriate snap interface), which requires administrative privileges. As such we are focusing on the case of default installation where an unprivileged user may exploit this behavior.\n\n### Patches\n\nPatch: https://github.com/canonical/snapd/commit/68ee9c6aa916ab87dbfd9a26030690f2cabf1e14\nRelease: Available from Snapd 2.64\n\n### Workarounds\n\nUsers may disconnect any instances of the mount-control interface to prevent snapd from creating such mount points. For example, the firefox snap has the `host-hunspell` plug, which is of type `mount-control`. The interface can be disconnected with:\n\n```sh\nsudo snap disconnect firefox:host-hunspell\n```\n\n### References\n\nThe original bug report was made on Launchpad: https://bugs.launchpad.net/snapd/+bug/2065077\nCVE.org: https://www.cve.org/CVERecord?id=CVE-2024-5138\nCanonical: https://ubuntu.com/security/CVE-2024-5138",
  "id": "GHSA-p9v8-q5m4-pf46",
  "modified": "2025-01-16T17:19:07Z",
  "published": "2025-01-16T17:19:07Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/canonical/snapd/security/advisories/GHSA-p9v8-q5m4-pf46"
    },
    {
      "type": "WEB",
      "url": "https://github.com/canonical/snapd/commit/68ee9c6aa916ab87dbfd9a26030690f2cabf1e14"
    },
    {
      "type": "WEB",
      "url": "https://bugs.launchpad.net/snapd/+bug/2065077"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/canonical/snapd"
    },
    {
      "type": "WEB",
      "url": "https://ubuntu.com/security/CVE-2024-5138"
    },
    {
      "type": "WEB",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-5138"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "CVE-2024-5138: snapd snapctl auth bypass"
}

WID-SEC-W-2025-0113

Vulnerability from csaf_certbund - Published: 2025-01-16 23:00 - Updated: 2025-01-16 23:00

Summary

Canonical Snap: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung

Snap (auch bekannt als Snappy) ist ein Softwareverteilungssystem und eine Paketverwaltung für Linux.

Angriff

Ein lokaler Angreifer kann eine Schwachstelle in Canonical Snap ausnutzen, um Sicherheitsvorkehrungen zu umgehen, was zu einem Denial-of-Service-Zustand oder Datenmanipulation führen kann.

Betroffene Betriebssysteme

- Sonstiges - UNIX

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "niedrig"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Snap (auch bekannt als Snappy) ist ein Softwareverteilungssystem und eine Paketverwaltung f\u00fcr Linux.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein lokaler Angreifer kann eine Schwachstelle in Canonical Snap ausnutzen, um Sicherheitsvorkehrungen zu umgehen, was zu einem Denial-of-Service-Zustand oder Datenmanipulation f\u00fchren kann.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Sonstiges\n- UNIX",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2025-0113 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2025/wid-sec-w-2025-0113.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2025-0113 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2025-0113"
      },
      {
        "category": "external",
        "summary": "GitHub Advisory Database vom 2025-01-16",
        "url": "https://github.com/advisories/GHSA-p9v8-q5m4-pf46"
      }
    ],
    "source_lang": "en-US",
    "title": "Canonical Snap: Schwachstelle erm\u00f6glicht Umgehen von Sicherheitsvorkehrungen",
    "tracking": {
      "current_release_date": "2025-01-16T23:00:00.000+00:00",
      "generator": {
        "date": "2025-01-17T09:43:19.564+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.3.10"
        }
      },
      "id": "WID-SEC-W-2025-0113",
      "initial_release_date": "2025-01-16T23:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2025-01-16T23:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c2.63.1",
                "product": {
                  "name": "Canonical Snap \u003c2.63.1",
                  "product_id": "T040375"
                }
              },
              {
                "category": "product_version",
                "name": "2.63.1",
                "product": {
                  "name": "Canonical Snap 2.63.1",
                  "product_id": "T040375-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:canonical:snapd:2.63.1"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Snap"
          }
        ],
        "category": "vendor",
        "name": "Canonical"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-5138",
      "notes": [
        {
          "category": "description",
          "text": "Es besteht eine Schwachstelle in Canonical Snap. Die snapctl-Komponente kann Befehlszeilenargumente nicht richtig analysieren, wodurch autorisierte Aktionen, im Namen eines eingeschr\u00e4nkten Snap ausgef\u00fchrt werden k\u00f6nnen. Ein lokaler, nicht privilegierter Angreifer kann diese Schwachstelle ausnutzen, um die Authentifizierung zu umgehen, was zu einem Denial-of-Service-Zustand oder Datenmanipulation f\u00fchren kann."
        }
      ],
      "product_status": {
        "known_affected": [
          "T040375"
        ]
      },
      "release_date": "2025-01-16T23:00:00.000+00:00",
      "title": "CVE-2024-5138"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2024-5138 (GCVE-0-2024-5138)

FKIE_CVE-2024-5138

GHSA-JRR7-64M9-X984

Duplicate Advisory

Original Description

GHSA-P9V8-Q5M4-PF46

Impact

Patches

Workarounds

References

WID-SEC-W-2025-0113

Tags

Sightings

Nomenclature