
CVE-2024-1149: Improper validation of update packages

7.8 CVSS

Description

Improper Verification of Cryptographic Signature vulnerability in Snow Software Inventory Agent on macOS, Snow Software Inventory Agent on Windows, Snow Software Inventory Agent on Linux allows File Manipulation through Snow Update Packages. This issue affects Inventory Agent: through 6.12.0; Inventory Agent: through 6.14.5; Inventory Agent: through 6.7.2.

Classification

CVE ID: CVE-2024-1149

CVSS Base Severity: HIGH

CVSS Base Score: 7.8

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Problem Types

CWE-347 Improper Verification of Cryptographic Signature

Affected Products

Vendor: Snow Software

Product: Inventory Agent

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.03% (probability of being exploited)

EPSS Percentile: 5.3% (share of scored vulnerabilities with an EPSS score less than or equal to this one)

EPSS Date: 2025-06-13 (date this score was calculated)

Stakeholder-Specific Vulnerability Categorization (SSVC)

SSVC Exploitation: none

SSVC Technical Impact: total

SSVC Automatable: false

References

https://nvd.nist.gov/vuln/detail/CVE-2024-1149
https://community.snowsoftware.com/s/feed/0D5Td000004YtMcKAK

Timeline