CVE-2024-3250

Published: Apr 4, 2024Modified: Aug 26, 2025

6.5

Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Exploitability: 2.0 / Impact: 4.0

Source: security@ubuntu.com (Secondary)

Description

It was discovered that Canonical's Pebble service manager read-file API and the associated pebble pull command, before v1.10.2, allowed unprivileged local users to read files with root-equivalent permissions when Pebble was running as root. Fixes are also available as backports to v1.1.1, v1.4.2, and v1.7.4.

Affected (3)

Products: Canonical: Pebble

1 product

Configuration A

3 vulnerable

Vulnerable Software	Affected Versions
Canonical Pebble	Before 1.4.1
Canonical Pebble	From 1.4.2 to 1.7.3
Canonical Pebble	From 1.7.4 to 1.10.2

Related CWEs

Incorrect Permission Assignment for Critical Resource

The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

References (4)

https://github.com/canonical/pebble/security/advisories/GHSA-4685-2x5r-65pj

Source: security@ubuntu.com

PatchVendor Advisory

https://www.cve.org/CVERecord?id=CVE-2024-3250

Source: security@ubuntu.com

Third Party Advisory

https://github.com/canonical/pebble/security/advisories/GHSA-4685-2x5r-65pj

Source: af854a3a-2127-422b-91ae-364da2661108

PatchVendor Advisory

https://www.cve.org/CVERecord?id=CVE-2024-3250

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.