VYPR
Low severity · NVD Advisory · Published Dec 5, 2024 · Updated Mar 18, 2025

CVE-2024-6156

Description

Mark Laing discovered that LXD's PKI mode, until version 5.21.2, could be bypassed if the client's certificate was present in the trust store.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: github.com/canonical/lxd (Go)
Affected versions: < 0.0.0-20240708073652-5a492a3f0036
Patched versions: 0.0.0-20240708073652-5a492a3f0036

Patches

92468bb60f4f

lxd: Update `allowProjectResourceList` to use new auth utils.

https://github.com/canonical/lxd · Mark Laing · Jul 5, 2024 · via ghsa
1 file changed · +12 −32
  • lxd/daemon.go · +12 −32 · modified
    @@ -310,52 +310,32 @@ func allowProjectResourceList(d *Daemon, r *http.Request) response.Response {
     		return response.Forbidden(nil)
     	}
     
    -	isRoot, err := auth.IsRootUserFromCtx(r.Context())
    +	isServerAdmin, err := auth.IsServerAdmin(r.Context(), d.identityCache)
     	if err != nil {
     		return response.InternalError(fmt.Errorf("Failed to determine caller privilege: %w", err))
     	}
     
     	// A root user can list resources in any project.
    -	if isRoot {
    +	if isServerAdmin {
     		return response.EmptySyncResponse
     	}
     
    -	authenticationMethod, err := auth.GetAuthenticationMethodFromCtx(r.Context())
    +	id, err := auth.GetIdentityFromCtx(r.Context(), d.identityCache)
     	if err != nil {
    -		return response.InternalError(fmt.Errorf("Failed to determine caller authentication method: %w", err))
    +		return response.InternalError(fmt.Errorf("Failed to determine caller identity: %w", err))
     	}
     
    -	// OIDC authenticated clients are governed by fine-grained auth. They can call the endpoint but may see an empty list.
    -	if authenticationMethod == api.AuthenticationMethodOIDC {
    -		return response.EmptySyncResponse
    -	}
    -
    -	username, err := auth.GetUsernameFromCtx(r.Context())
    -	if err != nil {
    -		return response.InternalError(fmt.Errorf("Failed to determine caller username: %w", err))
    -	}
    -
    -	id, err := d.identityCache.Get(authenticationMethod, username)
    -	if err != nil {
    -		if authenticationMethod == auth.AuthenticationMethodPKI && api.StatusErrorCheck(err, http.StatusNotFound) {
    -			// PKI user is implicitly trusted if they are not in the identity cache, since `core.trust_ca_certificates` is true.
    -			return response.EmptySyncResponse
    -		}
    -
    -		return response.InternalError(fmt.Errorf("Failed loading certificate for %q: %w", username, err))
    -	}
    -
    -	isRestricted, err := identity.IsRestrictedIdentityType(id.IdentityType)
    -	if err != nil {
    -		return response.InternalError(fmt.Errorf("Failed to check restricted status of identity: %w", err))
    -	}
    -
    -	// Unrestricted TLS clients can list resources in any project.
    -	if !isRestricted {
    +	switch id.IdentityType {
    +	case api.IdentityTypeOIDCClient:
    +		// OIDC authenticated clients are governed by fine-grained auth. They can call the endpoint but may see an empty list.
     		return response.EmptySyncResponse
    +	case api.IdentityTypeCertificateClientRestricted:
    +		// A restricted client may be able to call the endpoint, continue.
    +	default:
    +		// No other identity types may list resources (e.g. metrics certificates).
    +		return response.Forbidden(nil)
     	}
     
    -	// We now have a restricted TLS certificate.
     	// all-projects requests are not allowed
     	if shared.IsTrue(request.QueryParam(r, "all-projects")) {
     		return response.Forbidden(fmt.Errorf("Certificate is restricted"))
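Review bot: the comment `// A root user can list resources in any project.` is now stale, since the check below it became `if isServerAdmin {`; reword it to say server admin so the comment matches the new predicate. More substantively, the old hunk had an explicit branch that treated a PKI caller absent from the identity cache as implicitly trusted (`api.StatusErrorCheck(err, http.StatusNotFound)` returning `response.EmptySyncResponse`); that branch is gone, and what happens to such a caller now depends entirely on what `auth.GetIdentityFromCtx` returns, which is outside this hunk. A regression test for that case, plus one asserting that the new `default:` arm returns `response.Forbidden(nil)` for identity types such as metrics certificates, would pin down the intended change in trust semantics rather than leaving it implicit in a helper this diff does not show.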
    
