Snapd Vulnerability: Symbolic Link Attack via snap Extraction
CVE-2024-29069

7.3HIGH

Key Information:

Vendor

Canonical

Status
Vendor
CVE Published:
25 July 2024

What is CVE-2024-29069?

An identified vulnerability in Snapd versions before 2.62 arises from the improper handling of symbolic links during the extraction process of snap packages. The snap format, which utilizes squashfs file-system images, permits the inclusion of various file types including symbolic links. If an attacker persuades a user to install a malicious snap containing specially crafted symbolic links, it could lead to the unintentional disclosure of sensitive content into directories accessible by all users. This issue poses a significant risk by potentially allowing unprivileged users access to confidential information meant for elevated privileges.

Affected Version(s)

snapd Linux 0 < 2.62

References

CVSS V3.1

Score:
7.3
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

Credit

Zeyad Gouda
.