PT-2024-24617 · Pebble · Pebble

Ben Hoyt (+3)

Published 2024-04-04 · Updated 2025-08-26

CVE-2024-3250

CVSS v3.1 6.5 (Medium)

Vector: AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions Pebble (the canonical/pebble service manager, not the Let's Encrypt ACME test server of the same name). All versions prior to 1.10.2 are affected, except the point releases 1.1.1, 1.4.2 and 1.7.4, which carry the fix backported to their respective release series; earlier versions within those series remain vulnerable.
Description Pebble's read-file API (GET /v1/files?action=read) and the pebble pull command built on it accepted requests from any local user able to connect to Pebble's unix socket, instead of only from admin users (root, or the user Pebble itself runs as). Because the daemon performs the read with its own privileges, an unprivileged local user can read files with root-equivalent permissions whenever Pebble runs as root. An attacker with local access to the container host can therefore call GET /v1/files?action=read against the socket and read any file in the workload container, including sensitive material such as SSH keys or database passwords.
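The following is an added example, not Pebble's source code: a small Go model of the access-control defect the description names and of its fix. It uses the three-tier scheme the advisory alludes to (open, any local user, admin) with names of its own choosing, stands in for the kernel-supplied peer credentials (SO_PEERCRED on Linux) with an injected struct so it runs without a socket, and assumes a 401 "access denied" reply and an Accept: multipart/form-data header on the read request; those three details are assumptions, not taken from the page.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// accessLevel is the tiering this example uses to model the advisory's
// "any user" vs "admin" distinction. The names are this example's own.
type accessLevel int

const (
	openAccess  accessLevel = iota // no caller identity required
	userAccess                     // any local user who reached the socket
	adminAccess                    // root, or the uid the daemon itself runs as
)

// peerInfo stands in for the caller identity a daemon on a unix socket gets
// from the kernel (SO_PEERCRED on Linux). ok is false when none is available.
type peerInfo struct {
	uid int
	ok  bool
}

// command binds an API path to the access level its GET and POST sides require.
type command struct {
	path        string
	readAccess  accessLevel // GET
	writeAccess accessLevel // POST
}

// The two configurations of the files endpoint this advisory is about:
// before the fix any local user could GET (read files); after it, reads
// require the same admin level that writes always required.
var (
	vulnerableFiles = command{"/v1/files", userAccess, adminAccess}
	fixedFiles      = command{"/v1/files", adminAccess, adminAccess}
)

func requiredLevel(cmd command, method string) accessLevel {
	if method == http.MethodGet || method == http.MethodHead {
		return cmd.readAccess
	}
	return cmd.writeAccess
}

// authorize is the check the daemon must run before touching the filesystem.
func authorize(cmd command, method string, peer peerInfo, daemonUID int) bool {
	switch requiredLevel(cmd, method) {
	case openAccess:
		return true
	case userAccess:
		return peer.ok
	case adminAccess:
		return peer.ok && (peer.uid == 0 || peer.uid == daemonUID)
	}
	return false
}

// readFilesRequest builds the request the advisory names:
// GET /v1/files?action=read&path=... with one path parameter per file.
// The Accept header is an assumption about how the multipart reply is negotiated.
func readFilesRequest(paths ...string) *http.Request {
	q := url.Values{"action": {"read"}}
	for _, p := range paths {
		q.Add("path", p)
	}
	req := httptest.NewRequest(http.MethodGet, "/v1/files?"+q.Encode(), nil)
	req.Header.Set("Accept", "multipart/form-data")
	return req
}

// handler puts the check in front of the file read. The peer identity is
// injected so the example runs without a real unix socket; a daemon would
// take it from the accepted connection instead. 401 is an assumed status.
func handler(cmd command, daemonUID int, peer peerInfo) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !authorize(cmd, r.Method, peer, daemonUID) {
			http.Error(w, "access denied", http.StatusUnauthorized)
			return
		}
		// A real daemon would open each ?path= with its own uid and stream it back.
		fmt.Fprintf(w, "would read %v as uid %d\n", r.URL.Query()["path"], daemonUID)
	})
}

// statusFor returns the HTTP status a given caller receives for a file read.
func statusFor(cmd command, daemonUID int, peer peerInfo) int {
	rec := httptest.NewRecorder()
	handler(cmd, daemonUID, peer).ServeHTTP(rec, readFilesRequest("/etc/shadow"))
	return rec.Code
}

func main() {
	unprivileged := peerInfo{uid: 1000, ok: true}
	fmt.Println("vulnerable, uid 1000 reads /etc/shadow:", statusFor(vulnerableFiles, 0, unprivileged)) // 200
	fmt.Println("fixed, uid 1000 reads /etc/shadow:     ", statusFor(fixedFiles, 0, unprivileged))      // 401
	fmt.Println("fixed, root reads /etc/shadow:         ", statusFor(fixedFiles, 0, peerInfo{0, true}))  // 200
}
```

The point to take from the model is that the file read itself was never the bug: the daemon always reads as its own uid, so the only thing standing between a local user and root-owned files is the level required on the GET side of the command table, and a single wrong constant there is enough to grant everything.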
Recommendations Upgrade to Pebble 1.10.2 or later. Deployments pinned to an earlier release series should move to the backported fix for that series: 1.1.1, 1.4.2 or 1.7.4. Until the upgrade is in place, the only workaround is to limit who can reach the vulnerable endpoint (GET /v1/files?action=read) at all; since the missing check is on the endpoint itself, in practice that means restricting which local users can connect to Pebble's unix socket (by default $PEBBLE/.pebble.socket) and not running Pebble as root where the workload does not require it.

Fix

Weakness Enumeration

Missing Authorization
Incorrect Permission

Related Identifiers

BIT-PEBBLE-2024-3250
CVE-2024-3250
GHSA-4685-2X5R-65PJ
GHSA-65PC-76PQ-PVF5
GO-2024-2692

Affected Products

Pebble