Home > Vulnerability Database > CVE-2024-1724

Mend.io Vulnerability Database

CVE-2024-1724

Date: July 25, 2024

In snapd versions prior to 2.62, when using AppArmor for enforcement of sandbox permissions, snapd failed to restrict writes to the $HOME/bin path. In Ubuntu, when this path exists, it is automatically added to the users PATH. An attacker who could convince a user to install a malicious snap which used the 'home' plug could use this vulnerability to install arbitrary scripts into the users PATH which may then be run by the user outside of the expected snap sandbox and hence allow them to escape confinement.

Language: Go

Severity Score

6.3

Related Resources (10)

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-1724

Url: https://gld.mcphail.uk/posts/explaining-cve-2024-1724

Url: https://github.com/advisories/GHSA-4mh8-9689-38vr

Url: https://pkg.go.dev/vuln/GO-2024-3007

Url: https://github.com/snapcore/snapd/pull/13689

Url: https://github.com/snapcore/snapd/commit/aa191f97713de8dc3ce3ac818539f0b976eb8ef6

Url: https://github.com/snapcore/snapd

Url: https://gld.mcphail.uk/posts/explaining-cve-2024-1724/

Url: https://security-tracker.debian.org/tracker/CVE-2024-1724

Url: https://www.mend.io/vulnerability-database/CVE-2024-1724

Severity Score

6.3

Weakness Type (CWE)

Incorrect Permission Assignment for Critical Resource

CWE-732

CVSS v3.1

Base Score:	6.3
Attack Vector (AV):	LOCAL
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	CHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	LOW

Mend.io Vulnerability Database

We found results for “”

CVE-2024-1724

Date: July 25, 2024

Language: Go

Severity Score

Related Resources (10)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?