Home > Vulnerability Database > CVE-2024-29069

Mend.io Vulnerability Database

CVE-2024-29069

Good to know:

Date: July 25, 2024

In snapd versions prior to 2.62, snapd failed to properly check the destination of symbolic links when extracting a snap. The snap format is a squashfs file-system image and so can contain symbolic links and other file types. Various file entries within the snap squashfs image (such as icons and desktop files etc) are directly read by snapd when it is extracted. An attacker who could convince a user to install a malicious snap which contained symbolic links at these paths could then cause snapd to write out the contents of the symbolic link destination into a world-readable directory. This in-turn could allow an unprivileged user to gain access to privileged information.

Language: Go

Severity Score

4.8

Related Resources (7)

Url: https://github.com/snapcore/snapd/pull/13682

Url: https://pkg.go.dev/vuln/GO-2024-3009

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-29069

Url: https://github.com/snapcore/snapd/commit/b66fee81606a1c05f965a876ccbaf44174194063

Url: https://github.com/snapcore/snapd

Url: https://github.com/advisories/GHSA-69p6-gp5x-j269

Url: https://www.mend.io/vulnerability-database/CVE-2024-29069

Severity Score

4.8

Weakness Type (CWE)

Externally Controlled Reference to a Resource in Another Sphere

CWE-610

Link Following

CWE-59

Top Fix

Upgrade Version

Upgrade to version github.com/snapcore/snapd-2.62

Learn More

CVSS v3.1

Base Score:	4.8
Attack Vector (AV):	LOCAL
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	REQUIRED
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	LOW

Mend.io Vulnerability Database

We found results for “”

CVE-2024-29069

Good to know:

Date: July 25, 2024

Language: Go

Severity Score

Related Resources (7)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?