Improper Verification of Cryptographic Signature Vulnerability Allows File Manipulation Through Snow Update Packages
CVE-2024-1149

7.8 HIGH

Key Information:

Vendor
CVE Published: 8 February 2024

What is CVE-2024-1149?

An improper verification of cryptographic signature vulnerability exists in the Snow Software Inventory Agent on MacOS, Windows, and Linux. The flaw allows for potential file manipulation through Snow Update Packages, putting user data and system integrity at risk. Affected products are the Inventory Agent up to version 6.12.0 for MacOS, 6.14.5 for Windows, and 6.7.2 for Linux. Users should update to the latest versions to mitigate this vulnerability.

Affected Version(s)

Inventory Agent Linux 0 <= 6.7.2

Inventory Agent MacOS 0 <= 6.12.0

Inventory Agent Windows 0 <= 6.14.5

CVSS V3.1

Score: 7.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
