Snapd Vulnerability: Symbolic Link Attack via snap Extraction
CVE-2024-29069

7.3HIGH

Key Information:

Vendor: Canonical
Status: Snapd
Vendor: CVE Published:; 25 July 2024

What is CVE-2024-29069?

An identified vulnerability in Snapd versions before 2.62 arises from the improper handling of symbolic links during the extraction process of snap packages. The snap format, which utilizes squashfs file-system images, permits the inclusion of various file types including symbolic links. If an attacker persuades a user to install a malicious snap containing specially crafted symbolic links, it could lead to the unintentional disclosure of sensitive content into directories accessible by all users. This issue poses a significant risk by potentially allowing unprivileged users access to confidential information meant for elevated privileges.

Affected Version(s)

snapd Linux 0 < 2.62

References

https://github.com/snapcore/snapd/pull/13682

CVSS V3.1

Score:

7.3

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 25, 2024

Credit

Zeyad Gouda

Canonical

What is CVE-2024-29069?

Affected Version(s)

References

CVSS V3.1

Timeline

Credit