CVE-2024-6388

Marco Trevisan discovered that the Ubuntu Advantage Desktop Daemon, before version 1.12, leaks the Pro token to unprivileged users by passing the token as an argument in plaintext.

CVSS v3 5.9 MEDIUM

5.9^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.5 / Impact : 4.0

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/2068944	Issue Tracking
https://github.com/canonical/ubuntu-advantage-desktop-daemon/pull/24	Issue Tracking Patch
https://www.cve.org/CVERecord?id=CVE-2024-6388	Third Party Advisory
https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/2068944	Issue Tracking
https://github.com/canonical/ubuntu-advantage-desktop-daemon/pull/24	Issue Tracking Patch
https://www.cve.org/CVERecord?id=CVE-2024-6388	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:canonical:ubuntu_advantage_desktop_daemon:*:*:*:*:*:*:*:*

History

27 Aug 2025, 16:18

Type	Values Removed	Values Added
First Time		Canonical ubuntu Advantage Desktop Daemon Canonical
CPE		cpe:2.3:a:canonical:ubuntu_advantage_desktop_daemon::::::::
CWE		CWE-319
References	~~() https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/2068944 -~~	() https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/2068944 - Issue Tracking
References	~~() https://github.com/canonical/ubuntu-advantage-desktop-daemon/pull/24 -~~	() https://github.com/canonical/ubuntu-advantage-desktop-daemon/pull/24 - Issue Tracking, Patch
References	~~() https://www.cve.org/CVERecord?id=CVE-2024-6388 -~~	() https://www.cve.org/CVERecord?id=CVE-2024-6388 - Third Party Advisory

Information

Published : 2024-06-27 16:15

Updated : 2025-08-27 16:18

NVD link : CVE-2024-6388

Mitre link : CVE-2024-6388

CVE.ORG link : CVE-2024-6388

JSON object : View

Products Affected

canonical

ubuntu_advantage_desktop_daemon

CWE

CWE-497

Exposure of Sensitive System Information to an Unauthorized Control Sphere

CWE-319

Cleartext Transmission of Sensitive Information

{"id": "CVE-2024-6388", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security@ubuntu.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 4.0, "exploitabilityScore": 1.5}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2024-06-27T16:15:12.110", "references": [{"url": "https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/2068944", "tags": ["Issue Tracking"], "source": "security@ubuntu.com"}, {"url": "https://github.com/canonical/ubuntu-advantage-desktop-daemon/pull/24", "tags": ["Issue Tracking", "Patch"], "source": "security@ubuntu.com"}, {"url": "https://www.cve.org/CVERecord?id=CVE-2024-6388", "tags": ["Third Party Advisory"], "source": "security@ubuntu.com"}, {"url": "https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/2068944", "tags": ["Issue Tracking"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/canonical/ubuntu-advantage-desktop-daemon/pull/24", "tags": ["Issue Tracking", "Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.cve.org/CVERecord?id=CVE-2024-6388", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security@ubuntu.com", "description": [{"lang": "en", "value": "CWE-497"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-319"}]}], "descriptions": [{"lang": "en", "value": "Marco Trevisan discovered that the Ubuntu Advantage Desktop Daemon, before version 1.12, leaks the Pro token to unprivileged users by passing the token as an argument in plaintext."}, {"lang": "es", "value": "Marco Trevisan descubri\u00f3 que Ubuntu Advantage Desktop Daemon, anterior a la versi\u00f3n 1.12, filtra el token Pro a usuarios sin privilegios al pasar el token como argumento en texto plano."}], "lastModified": "2025-08-27T16:18:23.637", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:canonical:ubuntu_advantage_desktop_daemon:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "95FDB20A-9355-43DE-B2E5-512752E8E279", "versionEndExcluding": "1.12"}], "operator": "OR"}]}], "sourceIdentifier": "security@ubuntu.com"}