x/vulndb: potential Go vuln in github.com/snapcore/snapd: CVE-2017-14178

[tatianab]

CVE-2017-14178 references github.com/snapcore/snapd, which may be a Go module.

Description:
In snapd 2.27 through 2.29.2 the 'snap logs' command could be made to call journalctl without match arguments and therefore allow unprivileged, unauthenticated users to bypass systemd-journald's access restrictions.

References:

• NIST: https://nvd.nist.gov/vuln/detail/CVE-2017-14178
• web: https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-14178.html
• web: https://launchpad.net/bugs/1730255
• fix: daemon: for /v2/logs, 404 when no services are found canonical/snapd#4194
• Imported by: https://pkg.go.dev/github.com/snapcore/snapd?tab=importedby

Cross references:

• Module github.com/snapcore/snapd appears in issue x/vulndb: potential Go vuln in github.com/snapcore/snapd: CVE-2023-1523 #2034 EFFECTIVELY_PRIVATE

See doc/triage.md for instructions on how to triage this report.

modules:
    - module: github.com/snapcore/snapd
      vulnerable_at: 0.0.0-20231108120709-a90520700167
      packages:
        - package: snapd
cves:
    - CVE-2017-14178
credits:
    - Robert Ancell
references:
    - web: https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-14178.html
    - web: https://launchpad.net/bugs/1730255
    - fix: https://github.com/snapcore/snapd/pull/4194

[gopherbot]

Change https://go.dev/cl/540721 mentions this issue: data/excluded: batch add 135 excluded reports