GHSA-jrr7-64m9-x984

Source

https://github.com/advisories/GHSA-jrr7-64m9-x984

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-jrr7-64m9-x984/GHSA-jrr7-64m9-x984.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-jrr7-64m9-x984

Withdrawn

2025-01-16T17:19:00Z

Published

2024-05-31T21:30:55Z

Modified

2025-01-16T17:19:00Z

Summary

Duplicate Advisory: CVE-2024-5138: snapd snapctl auth bypass

Details

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-p9v8-q5m4-pf46. This link is maintained to preserve external references.

Original Description

The snapctl component within snapd allows a confined snap to interact with the snapd daemon to take certain privileged actions on behalf of the snap. It was found that snapctl did not properly parse command-line arguments, allowing an unprivileged user to trigger an authorised action on behalf of the snap that would normally require administrator privileges to perform. This could possibly allow an unprivileged user to perform a denial of service or similar.

Database specific

{
    "nvd_published_at": "2024-05-31T21:15:09Z",
    "severity": "HIGH",
    "cwe_ids": [],
    "github_reviewed": true,
    "github_reviewed_at": "2025-01-16T17:19:00Z"
}

References

Affected packages

Go / github.com/snapcore/snapd

Package

Name: github.com/snapcore/snapd; View open source insights on deps.dev
Purl: pkg:golang/github.com/snapcore/snapd

Affected ranges

Type: SEMVER
Events: Introduced

2.51.6

Fixed

2.63.1

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-jrr7-64m9-x984/GHSA-jrr7-64m9-x984.json"