CVE-2024-1150 - OpenCVE

Improper Verification of Cryptographic Signature vulnerability in Snow Software Inventory Agent on Unix allows File Manipulation through Snow Update Packages.This issue affects Inventory Agent: through 7.3.1.

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Opengroup	Unix
Snowsoftware	Snow Inventory Agent

Configuration 1 [-]

AND

cpe:2.3:a:snowsoftware:snow_inventory_agent:*:*:*:*:*:*:*:*

cpe:2.3:o:opengroup:unix:-:*:*:*:*:*:*:*

References

Link	Resource
https://community.snowsoftware.com/s/feed/0D5Td000004YtMcKAK	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: Snow

Published: 2024-02-08T13:06:16.747Z

Updated: 2024-06-04T18:01:07.970Z

Reserved: 2024-02-01T09:47:52.460Z

Link: CVE-2024-1150

JSON object: View

NVD Information

Status : Analyzed

Published: 2024-02-08T13:15:09.320

Modified: 2024-02-15T17:42:08.113

Link: CVE-2024-1150

JSON object: View

Redhat Information

No data.

CWE

CWE-347

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-1150", "assignerOrgId": "ea911274-ddd9-4e68-b39a-d7d6ae8b8a65", "state": "PUBLISHED", "assignerShortName": "Snow", "dateReserved": "2024-02-01T09:47:52.460Z", "datePublished": "2024-02-08T13:06:16.747Z", "dateUpdated": "2024-06-04T18:01:07.970Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "platforms": ["Unix"], "product": "Inventory Agent", "vendor": "Snow Software", "versions": [{"lessThanOrEqual": "7.3.1", "status": "affected", "version": "0", "versionType": "custom"}]}], "datePublic": "2024-02-08T12:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Verification of Cryptographic Signature vulnerability in Snow Software Inventory Agent on Unix allows File Manipulation through Snow Update Packages.<p>This issue affects Inventory Agent: through 7.3.1.</p>"}], "value": "Improper Verification of Cryptographic Signature vulnerability in Snow Software Inventory Agent on Unix allows File Manipulation through Snow Update Packages.This issue affects Inventory Agent: through 7.3.1.\n\n"}], "impacts": [{"capecId": "CAPEC-165", "descriptions": [{"lang": "en", "value": "CAPEC-165 File Manipulation"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-347", "description": "CWE-347 Improper Verification of Cryptographic Signature", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "ea911274-ddd9-4e68-b39a-d7d6ae8b8a65", "shortName": "Snow", "dateUpdated": "2024-02-08T13:06:16.747Z"}, "references": [{"url": "https://community.snowsoftware.com/s/feed/0D5Td000004YtMcKAK"}], "source": {"discovery": "UNKNOWN"}, "title": "Improper validation of update packages", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-1150", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-02-22T14:56:07.795534Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T18:01:07.970Z"}}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:snowsoftware:snow_inventory_agent:*:*:*:*:*:*:*:*", "matchCriteriaId": "7AEB14AE-54A3-47EA-88AD-5D4C05310F0E", "versionEndExcluding": "7.3.1", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:opengroup:unix:-:*:*:*:*:*:*:*", "matchCriteriaId": "6A90CB3A-9BE7-475C-9E75-6ECAD2106302", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "Improper Verification of Cryptographic Signature vulnerability in Snow Software Inventory Agent on Unix allows File Manipulation through Snow Update Packages.This issue affects Inventory Agent: through 7.3.1.\n\n"}, {"lang": "es", "value": "La verificaci\u00f3n incorrecta de la vulnerabilidad de la firma criptogr\u00e1fica en Snow Software Inventory Agent en Unix permite la manipulaci\u00f3n de archivos a trav\u00e9s de los paquetes de actualizaci\u00f3n de Snow. Este problema afecta al Inventory Agent: hasta 7.3.1."}], "id": "CVE-2024-1150", "lastModified": "2024-02-15T17:42:08.113", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "security@snowsoftware.com", "type": "Secondary"}]}, "published": "2024-02-08T13:15:09.320", "references": [{"source": "security@snowsoftware.com", "tags": ["Vendor Advisory"], "url": "https://community.snowsoftware.com/s/feed/0D5Td000004YtMcKAK"}], "sourceIdentifier": "security@snowsoftware.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-347"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-347"}], "source": "security@snowsoftware.com", "type": "Secondary"}]}