CVE-2024-1149 - Vulnerability Details - OpenCVE

Improper Verification of Cryptographic Signature vulnerability in Snow Software Inventory Agent on MacOS, Snow Software Inventory Agent on Windows, Snow Software Inventory Agent on Linux allows File Manipulation through Snow Update Packages.This issue affects Inventory Agent: through 6.12.0; Inventory Agent: through 6.14.5; Inventory Agent: through 6.7.2.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact total

Vendors	Products
Apple	Macos
Linux	Linux Kernel
Microsoft	Windows
Snowsoftware	Snow Inventory Agent

Configuration 1 [-]

AND

OR	cpe:2.3:a:snowsoftware:snow_inventory_agent::::::::
	cpe:2.3:a:snowsoftware:snow_inventory_agent::::::::
	cpe:2.3:a:snowsoftware:snow_inventory_agent:6.12.0:::::::*

OR	cpe:2.3:o:apple:macos:-:::::::*
	cpe:2.3:o:linux:linux_kernel:-:::::::*
	cpe:2.3:o:microsoft:windows:-:::::::*

No data.

References

Link	Providers
https://community.snowsoftware.com/s/feed/0D5Td000004YtMcKAK

History

Thu, 15 May 2025 20:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: Snow

Published: 2024-02-08T13:01:03.806Z

Updated: 2025-05-15T19:40:41.899Z

Reserved: 2024-02-01T09:47:48.899Z

Link: CVE-2024-1149

Vulnrichment

Updated: 2024-08-01T18:26:30.511Z

NVD

Status : Modified

Published: 2024-02-08T13:15:09.147

Modified: 2024-11-21T08:49:54.630

Link: CVE-2024-1149

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-1149", "assignerOrgId": "ea911274-ddd9-4e68-b39a-d7d6ae8b8a65", "state": "PUBLISHED", "assignerShortName": "Snow", "dateReserved": "2024-02-01T09:47:48.899Z", "datePublished": "2024-02-08T13:01:03.806Z", "dateUpdated": "2025-05-15T19:40:41.899Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "platforms": ["MacOS"], "product": "Inventory Agent", "vendor": "Snow Software", "versions": [{"lessThanOrEqual": "6.12.0", "status": "affected", "version": "0", "versionType": "custom"}]}, {"defaultStatus": "unaffected", "platforms": ["Windows"], "product": "Inventory Agent", "vendor": "Snow Software", "versions": [{"lessThanOrEqual": "6.14.5", "status": "affected", "version": "0", "versionType": "custom"}]}, {"defaultStatus": "unaffected", "platforms": ["Linux"], "product": "Inventory Agent", "vendor": "Snow Software", "versions": [{"lessThanOrEqual": "6.7.2", "status": "affected", "version": "0", "versionType": "custom"}]}], "datePublic": "2024-02-08T12:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Verification of Cryptographic Signature vulnerability in Snow Software Inventory Agent on MacOS, Snow Software Inventory Agent on Windows, Snow Software Inventory Agent on Linux allows File Manipulation through Snow Update Packages.<p>This issue affects Inventory Agent: through 6.12.0; Inventory Agent: through 6.14.5; Inventory Agent: through 6.7.2.</p>"}], "value": "Improper Verification of Cryptographic Signature vulnerability in Snow Software Inventory Agent on MacOS, Snow Software Inventory Agent on Windows, Snow Software Inventory Agent on Linux allows File Manipulation through Snow Update Packages.This issue affects Inventory Agent: through 6.12.0; Inventory Agent: through 6.14.5; Inventory Agent: through 6.7.2.\n\n"}], "impacts": [{"capecId": "CAPEC-165", "descriptions": [{"lang": "en", "value": "CAPEC-165 File Manipulation"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-347", "description": "CWE-347 Improper Verification of Cryptographic Signature", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "ea911274-ddd9-4e68-b39a-d7d6ae8b8a65", "shortName": "Snow", "dateUpdated": "2024-02-08T13:01:03.806Z"}, "references": [{"url": "https://community.snowsoftware.com/s/feed/0D5Td000004YtMcKAK"}], "source": {"discovery": "UNKNOWN"}, "title": "Improper validation of update packages", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T18:26:30.511Z"}, "title": "CVE Program Container", "references": [{"url": "https://community.snowsoftware.com/s/feed/0D5Td000004YtMcKAK", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-05-08T15:45:43.042291Z", "id": "CVE-2024-1149", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-15T19:40:41.899Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://community.snowsoftware.com/s/feed/0D5Td000004YtMcKAK", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T18:26:30.511Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-1149", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-05-08T15:45:43.042291Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-08T15:45:44.570Z"}}], "cna": {"title": "Improper validation of update packages", "source": {"discovery": "UNKNOWN"}, "impacts": [{"capecId": "CAPEC-165", "descriptions": [{"lang": "en", "value": "CAPEC-165 File Manipulation"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Snow Software", "product": "Inventory Agent", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "6.12.0"}], "platforms": ["MacOS"], "defaultStatus": "unaffected"}, {"vendor": "Snow Software", "product": "Inventory Agent", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "6.14.5"}], "platforms": ["Windows"], "defaultStatus": "unaffected"}, {"vendor": "Snow Software", "product": "Inventory Agent", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "6.7.2"}], "platforms": ["Linux"], "defaultStatus": "unaffected"}], "datePublic": "2024-02-08T12:00:00.000Z", "references": [{"url": "https://community.snowsoftware.com/s/feed/0D5Td000004YtMcKAK"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "Improper Verification of Cryptographic Signature vulnerability in Snow Software Inventory Agent on MacOS, Snow Software Inventory Agent on Windows, Snow Software Inventory Agent on Linux allows File Manipulation through Snow Update Packages.This issue affects Inventory Agent: through 6.12.0; Inventory Agent: through 6.14.5; Inventory Agent: through 6.7.2.\n\n", "supportingMedia": [{"type": "text/html", "value": "Improper Verification of Cryptographic Signature vulnerability in Snow Software Inventory Agent on MacOS, Snow Software Inventory Agent on Windows, Snow Software Inventory Agent on Linux allows File Manipulation through Snow Update Packages.<p>This issue affects Inventory Agent: through 6.12.0; Inventory Agent: through 6.14.5; Inventory Agent: through 6.7.2.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-347", "description": "CWE-347 Improper Verification of Cryptographic Signature"}]}], "providerMetadata": {"orgId": "ea911274-ddd9-4e68-b39a-d7d6ae8b8a65", "shortName": "Snow", "dateUpdated": "2024-02-08T13:01:03.806Z"}}}, "cveMetadata": {"cveId": "CVE-2024-1149", "state": "PUBLISHED", "dateUpdated": "2025-05-15T19:40:41.899Z", "dateReserved": "2024-02-01T09:47:48.899Z", "assignerOrgId": "ea911274-ddd9-4e68-b39a-d7d6ae8b8a65", "datePublished": "2024-02-08T13:01:03.806Z", "assignerShortName": "Snow"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:snowsoftware:snow_inventory_agent:*:*:*:*:*:*:*:*", "matchCriteriaId": "E82E3DB3-2CBC-44BB-A553-682431C08AF4", "versionEndExcluding": "6.7.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:snowsoftware:snow_inventory_agent:*:*:*:*:*:*:*:*", "matchCriteriaId": "5C9FF448-B8FA-4A84-802C-370D5D902E2A", "versionEndExcluding": "6.14.5", "versionStartIncluding": "6.14.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:snowsoftware:snow_inventory_agent:6.12.0:*:*:*:*:*:*:*", "matchCriteriaId": "D7B7E019-F9A5-4CF5-9C4D-B56119AF80CF", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*", "matchCriteriaId": "387021A0-AF36-463C-A605-32EA7DAC172E", "vulnerable": false}, {"criteria": "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*", "matchCriteriaId": "703AF700-7A70-47E2-BC3A-7FD03B3CA9C1", "vulnerable": false}, {"criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "Improper Verification of Cryptographic Signature vulnerability in Snow Software Inventory Agent on MacOS, Snow Software Inventory Agent on Windows, Snow Software Inventory Agent on Linux allows File Manipulation through Snow Update Packages.This issue affects Inventory Agent: through 6.12.0; Inventory Agent: through 6.14.5; Inventory Agent: through 6.7.2.\n\n"}, {"lang": "es", "value": "Verificaci\u00f3n incorrecta de la vulnerabilidad de firma criptogr\u00e1fica en Snow Software Inventory Agent en MacOS, Snow Software Inventory Agent en Windows y Snow Software Inventory Agent en Linux permite la manipulaci\u00f3n de archivos a trav\u00e9s de paquetes de actualizaci\u00f3n Snow. Este problema afecta a Inventory Agent: hasta 6.12.0; Agente de Inventario: hasta 6.14.5; Agente de Inventario: hasta 6.7.2."}], "id": "CVE-2024-1149", "lastModified": "2024-11-21T08:49:54.630", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "security@snowsoftware.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-02-08T13:15:09.147", "references": [{"source": "security@snowsoftware.com", "tags": ["Vendor Advisory"], "url": "https://community.snowsoftware.com/s/feed/0D5Td000004YtMcKAK"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://community.snowsoftware.com/s/feed/0D5Td000004YtMcKAK"}], "sourceIdentifier": "security@snowsoftware.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-347"}], "source": "security@snowsoftware.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-347"}], "source": "nvd@nist.gov", "type": "Primary"}]}