CVE-2026-3351

Опубликовано: 03 мар. 2026

Источник: nvd

CVSS3: 4.3

EPSS Низкий

Описание

Improper authorization in the API endpoint GET /1.0/certificates in Canonical LXD 6.6 on Linux allows an authenticated, restricted user to enumerate all certificate fingerprints trusted by the lxd server.

Ссылки

https://github.com/canonical/lxd/commit/d936c90d47cf0be1e9757df897f769e9887ebde1
Patch
https://github.com/canonical/lxd/pull/17738
Issue Tracking
Patch
https://github.com/canonical/lxd/security/advisories/GHSA-crmg-9m86-636r
Exploit
Mitigation
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

Одновременно

cpe:2.3:a:canonical:lxd:6.6:*:*:*:*:*:*:*

cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*

EPSS

Процентиль: 5%

0.0002

Низкий

4.3 Medium

CVSS3

Дефекты

CWE-862

Связанные уязвимости

CVE-2026-3351

CVSS3: 4.3

ubuntu

26 дней назад

CVE-2026-3351

CVSS3: 4.3

debian

26 дней назад

Improper authorization in the API endpoint GET /1.0/certificates in Ca ...

GHSA-crmg-9m86-636r

github

25 дней назад

lxd's non-recursive certificate listing bypasses per-object authorization and leaks all fingerprints

EPSS

Процентиль: 5%

0.0002

Низкий

4.3 Medium

CVSS3

Дефекты

CWE-862