VulnerableCode Package Details - pkg:golang/github.com/snapcore/snapd@2.62.0

Search for packages

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerability

Summary

Fixed by

This package is not known to be affected by vulnerabilities.

Vulnerability	Summary	Aliases
VCID-4g5y-gcrx-d7ad	In snapd versions prior to 2.62, snapd failed to properly check the destination of symbolic links when extracting a snap. The snap format is a squashfs file-system image and so can contain symbolic links and other file types. Various file entries within the snap squashfs image (such as icons and desktop files etc) are directly read by snapd when it is extracted. An attacker who could convince a user to install a malicious snap which contained symbolic links at these paths could then cause snapd to write out the contents of the symbolic link destination into a world-readable directory. This in-turn could allow an unprivileged user to gain access to privileged information.	CVE-2024-29069 GHSA-69p6-gp5x-j269
VCID-awda-tuhp-d3gm	In snapd versions prior to 2.62, snapd failed to properly check the file type when extracting a snap. The snap format is a squashfs file-system image and so can contain files that are non-regular files (such as pipes or sockets etc). Various file entries within the snap squashfs image (such as icons etc) are directly read by snapd when it is extracted. An attacker who could convince a user to install a malicious snap which contained non-regular files at these paths could then cause snapd to block indefinitely trying to read from such files and cause a denial of service.	CVE-2024-29068 GHSA-64jh-cjwc-w8q6
VCID-pa1f-ehv3-9kb2	In snapd versions prior to 2.62, when using AppArmor for enforcement of sandbox permissions, snapd failed to restrict writes to the $HOME/bin path. In Ubuntu, when this path exists, it is automatically added to the users PATH. An attacker who could convince a user to install a malicious snap which used the 'home' plug could use this vulnerability to install arbitrary scripts into the users PATH which may then be run by the user outside of the expected snap sandbox and hence allow them to escape confinement.	CVE-2024-1724 GHSA-4mh8-9689-38vr

Vulnerability

Summary

Aliases

VCID-4g5y-gcrx-d7ad

In snapd versions prior to 2.62, snapd failed to properly check the destination of symbolic links when extracting a snap. The snap format is a squashfs file-system image and so can contain symbolic links and other file types. Various file entries within the snap squashfs image (such as icons and desktop files etc) are directly read by snapd when it is extracted. An attacker who could convince a user to install a malicious snap which contained symbolic links at these paths could then cause snapd to write out the contents of the symbolic link destination into a world-readable directory. This in-turn could allow an unprivileged user to gain access to privileged information.

CVE-2024-29069
GHSA-69p6-gp5x-j269

VCID-awda-tuhp-d3gm

In snapd versions prior to 2.62, snapd failed to properly check the file type when extracting a snap. The snap format is a squashfs file-system image and so can contain files that are non-regular files (such as pipes or sockets etc). Various file entries within the snap squashfs image (such as icons etc) are directly read by snapd when it is extracted. An attacker who could convince a user to install a malicious snap which contained non-regular files at these paths could then cause snapd to block indefinitely trying to read from such files and cause a denial of service.

CVE-2024-29068
GHSA-64jh-cjwc-w8q6

VCID-pa1f-ehv3-9kb2

In snapd versions prior to 2.62, when using AppArmor for enforcement of sandbox permissions, snapd failed to restrict writes to the $HOME/bin path. In Ubuntu, when this path exists, it is automatically added to the users PATH. An attacker who could convince a user to install a malicious snap which used the 'home' plug could use this vulnerability to install arbitrary scripts into the users PATH which may then be run by the user outside of the expected snap sandbox and hence allow them to escape confinement.

CVE-2024-1724
GHSA-4mh8-9689-38vr

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-12T07:43:56.382566+00:00	GithubOSV Importer	Fixing	VCID-pa1f-ehv3-9kb2	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/07/GHSA-4mh8-9689-38vr/GHSA-4mh8-9689-38vr.json	38.6.0
2026-06-12T07:43:46.889837+00:00	GithubOSV Importer	Fixing	VCID-awda-tuhp-d3gm	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/07/GHSA-64jh-cjwc-w8q6/GHSA-64jh-cjwc-w8q6.json	38.6.0
2026-06-12T07:43:41.545498+00:00	GithubOSV Importer	Fixing	VCID-4g5y-gcrx-d7ad	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/07/GHSA-69p6-gp5x-j269/GHSA-69p6-gp5x-j269.json	38.6.0