Snapd Vulnerability: Symbolic Link Attack via snap Extraction
CVE-2024-29069
7.3HIGH
Summary
An identified vulnerability in Snapd versions before 2.62 arises from the improper handling of symbolic links during the extraction process of snap packages. The snap format, which utilizes squashfs file-system images, permits the inclusion of various file types including symbolic links. If an attacker persuades a user to install a malicious snap containing specially crafted symbolic links, it could lead to the unintentional disclosure of sensitive content into directories accessible by all users. This issue poses a significant risk by potentially allowing unprivileged users access to confidential information meant for elevated privileges.
Affected Version(s)
snapd Linux 0 < 2.62
References
CVSS V3.1
Score:
7.3
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Unchanged
Timeline
Vulnerability published
Credit
Zeyad Gouda