Incorrect Permission Assignment for Critical Resource (CVE-2024-1724)

admin 2024-07-29 22:06:09 Ali_nvd Source: ZONE.CI Global Network
Medium severity: Incorrect Permission Assignment for Critical Resource (CVE-2024-1724)

CVE ID

CVE-2024-1724

Exploitation status

None known

Patch status

Official patch

Disclosure date

2024-07-25
Vulnerability description
In snapd versions prior to 2.62, when using AppArmor for enforcement of sandbox permissions, snapd failed to restrict writes to the $HOME/bin path. In Ubuntu, when this path exists, it is automatically added to the user's PATH. An attacker who could convince a user to install a malicious snap that used the 'home' plug could use this vulnerability to install arbitrary scripts into the user's PATH, which may then be run by the user outside of the expected snap sandbox and hence allow them to escape confinement.
Recommended fix
Update the affected system or software to the latest version to remediate the vulnerability.
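A triage check for the condition described above, added here as an example and not taken from the advisory or from snapd: it compares the installed snapd version against 2.62, lists snaps with a connected 'home' plug, and lists executables in $HOME/bin for review. The function names are hypothetical, and it assumes GNU `sort -V` and the column layout of `snap version` and `snap connections`.

```bash
#!/bin/sh
# Added example: defensive triage for CVE-2024-1724. Function names are
# hypothetical; assumes GNU sort -V and the snap CLI's column output.
FIXED_VERSION="2.62"   # first fixed snapd release, per the advisory

# Succeeds (exit 0) when snapd version $1 is older than FIXED_VERSION.
snapd_is_vulnerable() {
    ver="${1%%[+-]*}"                      # drop build suffix, e.g. +22.04
    [ "$ver" = "$FIXED_VERSION" ] && return 1
    oldest=$(printf '%s\n%s\n' "$ver" "$FIXED_VERSION" | sort -V | head -n 1)
    [ "$oldest" = "$ver" ]
}

# Prints executable files and symlinks directly inside directory $1.
audit_home_bin() {
    [ -d "$1" ] || return 0
    find "$1" -maxdepth 1 \( -type f -o -type l \) -perm -u+x -print | sort
}

cve_2024_1724_report() {
    [ -n "${HOME:-}" ] || return 0
    if command -v snap >/dev/null 2>&1; then
        installed=$(snap version 2>/dev/null | awk '$1 == "snapd" {print $2}')
        if [ -n "$installed" ] && snapd_is_vulnerable "$installed"; then
            echo "snapd $installed is older than $FIXED_VERSION: update snapd"
        else
            echo "snapd ${installed:-unknown}: not flagged"
        fi
        echo "Snaps with a connected 'home' plug:"
        snap connections 2>/dev/null | awk '$1 == "home" {print "  " $2}'
    fi
    case ":$PATH:" in
        *":$HOME/bin:"*) echo "$HOME/bin is on PATH" ;;
    esac
    echo "Executables in $HOME/bin to review:"
    audit_home_bin "$HOME/bin"
    return 0
}

cve_2024_1724_report
```

Files listed under $HOME/bin are candidates for review, not findings in themselves; compare them against what the user is known to have placed there.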
References
https://access.redhat.com/security/cve/CVE-2024-1724
https://github.com/snapcore/snapd/commit/aa191f97713de8dc3ce3ac818539f0b976eb8ef6
https://github.com/snapcore/snapd/pull/13689
https://gld.mcphail.uk/posts/explaining-cve-2024-1724/
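Alibaba Cloud score: 4.2
  • Attack vector: Local
  • Attack complexity: Difficult
  • Privileges required: Administrative privileges
  • Scope of impact: Limited
  • Exploit maturity: Unverified
  • Patch status: Official patch
  • Data confidentiality: No impact
  • Data integrity: No impact
  • Server harm: No impact
  • Internet-wide count: N/A
CWE-ID Vulnerability type
CWE-732 Incorrect Permission Assignment for Critical Resource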
- avd.aliyun.com