Pebble
CVE-2024-3250
MEDIUM
Severity by source
AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Primary rating from Vendor (ubuntu) · only source for this CVE.
CVSS VectorVendor: ubuntu
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
It was discovered that Canonical's Pebble service manager read-file API and the associated pebble pull command, before v1.10.2, allowed unprivileged local users to read files with root-equivalent permissions when Pebble was running as root. Fixes are also available as backports to v1.1.1, v1.4.2, and v1.7.4.
AnalysisAI
It was discovered that Canonical's Pebble service manager read-file API and the associated pebble pull command, before v1.10.2, allowed unprivileged local users to read files with root-equivalent. Rated medium severity (CVSS 6.5), this vulnerability is low attack complexity. This Incorrect Permission Assignment vulnerability could allow attackers to access resources due to misconfigured permissions.
Technical ContextAI
This vulnerability is classified as Incorrect Permission Assignment (CWE-732), which allows attackers to access resources due to misconfigured permissions. It was discovered that Canonical's Pebble service manager read-file API and the associated pebble pull command, before v1.10.2, allowed unprivileged local users to read files with root-equivalent permissions when Pebble was running as root. Fixes are also available as backports to v1.1.1, v1.4.2, and v1.7.4. Affected products include: Canonical Pebble.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Review and restrict file/resource permissions, apply principle of least privilege.
Pebble before 2.6.4 allows remote attackers to trigger loss of blog-entry viewability via a crafted comment. Rated mediu
Open redirect vulnerability in Pebble before 2.6.4 allows remote attackers to redirect users to arbitrary web sites and
CRLF injection vulnerability in Pebble before 2.6.4 allows remote attackers to inject arbitrary HTTP headers and conduct
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today