CVE-2024-1724

In snapd versions prior to 2.62, when using AppArmor for enforcement of 
sandbox permissions, snapd failed to restrict writes to the $HOME/bin
path. In Ubuntu, when this path exists, it is automatically added to
the users PATH. An attacker who could convince a user to install a
malicious snap which used the 'home' plug could use this vulnerability
to install arbitrary scripts into the users PATH which may then be run
by the user outside of the expected snap sandbox and hence allow them
to escape confinement.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
6.3 MEDIUM
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
canonicalCNA
6.3 MEDIUM
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
CISA-ADPADP
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
VendorProductVersion
canonicalsnapd
𝑥
< 2.62
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
snapd
bullseye (security)
vulnerable
bullseye
no-dsa
bookworm
no-dsa
sid
2.68.3-2
fixed
trixie
2.68.3-2
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
snapd
oracular
Fixed 2.63+24.10
released
noble
Fixed 2.62+24.04build1
released
mantic
ignored
jammy
Fixed 2.63+22.04ubuntu0.1
released
focal
Fixed 2.63+20.04ubuntu0.1
released
bionic
Fixed 2.61.4ubuntu0.18.04.1+esm1
released
xenial
Fixed 2.61.4ubuntu0.16.04.1+esm1
released
trusty
ignored
Common Weakness Enumeration
References
https://github.com/snapcore/snapd/commit/aa191f97713de8dc3ce3ac818539f0b976eb8ef6
https://github.com/snapcore/snapd/pull/13689
https://gld.mcphail.uk/posts/explaining-cve-2024-1724/
https://github.com/snapcore/snapd/commit/aa191f97713de8dc3ce3ac818539f0b976eb8ef6
https://github.com/snapcore/snapd/pull/13689
https://gld.mcphail.uk/posts/explaining-cve-2024-1724/