CVE-2024-1149

Improper Verification of Cryptographic Signature vulnerability in Snow Software Inventory Agent on MacOS, Snow Software Inventory Agent on Windows, Snow Software Inventory Agent on Linux allows File Manipulation through Snow Update Packages.This issue affects Inventory Agent: through 6.12.0; Inventory Agent: through 6.14.5; Inventory Agent: through 6.7.2.

CVSS v3 5.5 MEDIUM

5.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://community.snowsoftware.com/s/feed/0D5Td000004YtMcKAK	Vendor Advisory

Configurations

Configuration 1 (hide)

AND

OR	cpe:2.3:a:snowsoftware:snow_inventory_agent::::::::
	cpe:2.3:a:snowsoftware:snow_inventory_agent::::::::
	cpe:2.3:a:snowsoftware:snow_inventory_agent:6.12.0:::::::*

OR	cpe:2.3:o:apple:macos:-:::::::*
	cpe:2.3:o:linux:linux_kernel:-:::::::*
	cpe:2.3:o:microsoft:windows:-:::::::*

History

15 Feb 2024, 17:52

Type	Values Removed	Values Added
First Time		Snowsoftware Microsoft windows Snowsoftware snow Inventory Agent Apple Apple macos Microsoft Linux linux Kernel Linux
CWE		CWE-347
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 5.5
References	~~() https://community.snowsoftware.com/s/feed/0D5Td000004YtMcKAK -~~	() https://community.snowsoftware.com/s/feed/0D5Td000004YtMcKAK - Vendor Advisory
CPE		cpe:2.3:o:linux:linux_kernel:-:::::::* cpe:2.3:a:snowsoftware:snow_inventory_agent:::::::: cpe:2.3:o:microsoft:windows:-:::::::* cpe:2.3:a:snowsoftware:snow_inventory_agent:6.12.0:::::::* cpe:2.3:o:apple:macos:-:::::::*

08 Feb 2024, 13:44

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-02-08 13:15

Updated : 2024-02-28 20:54

NVD link : CVE-2024-1149

Mitre link : CVE-2024-1149

CVE.ORG link : CVE-2024-1149

JSON object : View

Products Affected

linux

linux_kernel

microsoft

windows

apple

macos

snowsoftware

snow_inventory_agent

CWE

CWE-347

Improper Verification of Cryptographic Signature

{"id": "CVE-2024-1149", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}, {"type": "Secondary", "source": "security@snowsoftware.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}]}, "published": "2024-02-08T13:15:09.147", "references": [{"url": "https://community.snowsoftware.com/s/feed/0D5Td000004YtMcKAK", "tags": ["Vendor Advisory"], "source": "security@snowsoftware.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-347"}]}, {"type": "Secondary", "source": "security@snowsoftware.com", "description": [{"lang": "en", "value": "CWE-347"}]}], "descriptions": [{"lang": "en", "value": "Improper Verification of Cryptographic Signature vulnerability in Snow Software Inventory Agent on MacOS, Snow Software Inventory Agent on Windows, Snow Software Inventory Agent on Linux allows File Manipulation through Snow Update Packages.This issue affects Inventory Agent: through 6.12.0; Inventory Agent: through 6.14.5; Inventory Agent: through 6.7.2.\n\n"}, {"lang": "es", "value": "Verificaci\u00f3n incorrecta de la vulnerabilidad de firma criptogr\u00e1fica en Snow Software Inventory Agent en MacOS, Snow Software Inventory Agent en Windows y Snow Software Inventory Agent en Linux permite la manipulaci\u00f3n de archivos a trav\u00e9s de paquetes de actualizaci\u00f3n Snow. Este problema afecta a Inventory Agent: hasta 6.12.0; Agente de Inventario: hasta 6.14.5; Agente de Inventario: hasta 6.7.2."}], "lastModified": "2024-02-15T17:52:08.970", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:snowsoftware:snow_inventory_agent:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E82E3DB3-2CBC-44BB-A553-682431C08AF4", "versionEndExcluding": "6.7.2"}, {"criteria": "cpe:2.3:a:snowsoftware:snow_inventory_agent:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5C9FF448-B8FA-4A84-802C-370D5D902E2A", "versionEndExcluding": "6.14.5", "versionStartIncluding": "6.14.0"}, {"criteria": "cpe:2.3:a:snowsoftware:snow_inventory_agent:6.12.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D7B7E019-F9A5-4CF5-9C4D-B56119AF80CF"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "387021A0-AF36-463C-A605-32EA7DAC172E"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "703AF700-7A70-47E2-BC3A-7FD03B3CA9C1"}, {"criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "security@snowsoftware.com"}