x/vulndb: potential Go vuln in github.com/snapcore/snapd: GHSA-jrr7-64m9-x984

[GoVulnBot]

Advisory GHSA-jrr7-64m9-x984 references a vulnerability in the following Go modules:

Module
github.com/snapcore/snapd

Description:

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-p9v8-q5m4-pf46. This link is maintained to preserve external references.

Original Description

The snapctl component within snapd allows a confined snap to interact with the snapd daemon to take certain privileged actions on behalf of the snap. It was found that snapctl did not properly parse command-line arguments, allowing an unprivileged user to trigger an authorised action on behalf of the snap that would normally require administrator privileges to perform. This could possibly allow an unprivileged u...

References:

• ADVISORY: GHSA-jrr7-64m9-x984
• FIX: canonical/snapd@68ee9c6
• WEB: https://bugs.launchpad.net/snapd/+bug/2065077
• WEB: GHSA-p9v8-q5m4-pf46
• WEB: https://nvd.nist.gov/vuln/detail/CVE-2024-5138
• WEB: https://www.cve.org/CVERecord?id=CVE-2024-5138

Cross references:

• github.com/snapcore/snapd appears in 8 other report(s):
  • data/excluded/GO-2023-2034.yaml (x/vulndb: potential Go vuln in github.com/snapcore/snapd: CVE-2023-1523 #2034) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-2198.yaml (x/vulndb: potential Go vuln in github.com/snapcore/snapd: CVE-2017-14178 #2198) LEGACY_FALSE_POSITIVE
  • data/excluded/GO-2023-2233.yaml (x/vulndb: potential Go vuln in github.com/snapcore/snapd: CVE-2019-11503 #2233) LEGACY_FALSE_POSITIVE
  • data/reports/GO-2024-2468.yaml (x/vulndb: potential Go vuln in github.com/snapcore/snapd: GHSA-cjqf-877p-7m3f #2468)
  • data/reports/GO-2024-2906.yaml (x/vulndb: potential Go vuln in github.com/snapcore/snapd: CVE-2024-5138 #2906)
  • data/reports/GO-2024-3007.yaml (x/vulndb: potential Go vuln in github.com/snapcore/snapd: CVE-2024-1724 #3007)
  • data/reports/GO-2024-3008.yaml (x/vulndb: potential Go vuln in github.com/snapcore/snapd: CVE-2024-29068 #3008)
  • data/reports/GO-2024-3009.yaml (x/vulndb: potential Go vuln in github.com/snapcore/snapd: CVE-2024-29069 #3009)

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/snapcore/snapd
      non_go_versions:
        - introduced: 2.51.6
        - fixed: 2.63.1
      vulnerable_at: 0.0.0-20250116135323-846e5de90cba
summary: 'Duplicate Advisory: CVE-2024-5138: snapd snapctl auth bypass in github.com/snapcore/snapd'
ghsas:
    - GHSA-jrr7-64m9-x984
references:
    - advisory: https://github.com/advisories/GHSA-jrr7-64m9-x984
    - fix: https://github.com/snapcore/snapd/commit/68ee9c6aa916ab87dbfd9a26030690f2cabf1e14
    - web: https://bugs.launchpad.net/snapd/+bug/2065077
    - web: https://github.com/snapcore/snapd/security/advisories/GHSA-p9v8-q5m4-pf46
    - web: https://nvd.nist.gov/vuln/detail/CVE-2024-5138
    - web: https://www.cve.org/CVERecord?id=CVE-2024-5138
source:
    id: GHSA-jrr7-64m9-x984
    created: 2025-01-16T18:01:28.964363575Z
review_status: UNREVIEWED