Incorrect Permission Assignment for Critical Resource

CVE-2024-1724

Severity High
Score 8.2/10

Summary

In snapd versions prior to 2.62, when using AppArmor for enforcement of sandbox permissions, snapd failed to restrict writes to the "$HOME/bin" path. In Ubuntu, when this path exists, it is automatically added to the user's PATH. An attacker who could convince a user to install a malicious snap that used the 'home' plug could use this vulnerability to install arbitrary scripts into the user's PATH, which may then be run by the user outside of the expected snap sandbox, allowing them to escape confinement.
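A host-side audit for the condition described in the summary, as an added example that is not part of the original advisory: it checks whether the installed snapd predates 2.62, lists snaps with a connected home plug, and lists what currently sits in $HOME/bin. The function names are hypothetical, and the script assumes the usual column layout of `snap version` and `snap connections` output.

```shell
#!/bin/sh
# Added audit example for CVE-2024-1724; function names are hypothetical.

# Exit 0 if the snapd version string is older than the fixed release 2.62,
# 1 if it is 2.62 or newer, 2 if the string cannot be parsed.
snapd_is_vulnerable() {
    ver=${1%%[!0-9.]*}                 # drop distro suffixes such as "+22.04"
    case "$ver" in [0-9]*.[0-9]*) ;; *) return 2 ;; esac
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    [ -n "$minor" ] || return 2
    [ "$major" -lt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -lt 62 ]; }
}

# Read `snap connections` output on stdin (columns: Interface Plug Slot Notes)
# and print the snaps whose "home" plug is connected to a slot.
home_plug_snaps() {
    awk '$1 == "home" && $3 != "-" { split($2, p, ":"); print p[1] }' | sort -u
}

# Print every file or symlink directly inside DIR (default: $HOME/bin).
# Anything here is reachable through PATH on Ubuntu and deserves a manual look.
home_bin_entries() {
    dir=${1:-$HOME/bin}
    [ -d "$dir" ] || return 0
    find "$dir" -maxdepth 1 \( -type f -o -type l \) | sort
}

# Run the audit only on hosts that actually have snapd installed.
if command -v snap >/dev/null 2>&1; then
    v=$(snap version | awk '$1 == "snapd" { print $2 }')
    if snapd_is_vulnerable "$v"; then
        echo "snapd $v predates 2.62; snaps with the home plug connected:"
        snap connections | home_plug_snaps
        echo "Entries in $HOME/bin to review:"
        home_bin_entries
    else
        echo "snapd ${v:-unknown}: not flagged by the version check"
    fi
fi
```

Files listed from $HOME/bin are not evidence of compromise on their own; compare them against what the user knowingly placed there.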

  • LOW
  • LOCAL
  • HIGH
  • CHANGED
  • REQUIRED
  • LOW
  • HIGH
  • HIGH

CWE-732 - Incorrect Permission Assignment for Critical Resource

The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

Advisory Timeline

  • Published