CVE-2024-3250

2024-04-0415:15:39

canonical

web.nvd.nist.gov

pebble

read-file api

permissions

vulnerability

backports

nvd

CVSS3

6.5

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

AI Score

6.2

Confidence

High

EPSS

Percentile

9.0%

JSON

It was discovered that Canonical’s Pebble service manager read-file API and the associated pebble pull command, before v1.10.2, allowed unprivileged local users to read files with root-equivalent permissions when Pebble was running as root. Fixes are also available as backports to v1.1.1, v1.4.2, and v1.7.4.

CNA Affected

[
  {
    "packageName": "pebble",
    "product": "Pebble",
    "vendor": "Canonical Ltd.",
    "repo": "https://github.com/canonical/pebble",
    "platforms": [
      "Linux"
    ],
    "versions": [
      {
        "lessThan": "v1.10.2",
        "status": "affected",
        "version": "0",
        "versionType": "semver"
      }
    ]
  }
]