Impact
qSnapper improperly cached authentication states between different polkit methods. The flaw allowed a local user who could delete snapshots to use the otherwise unauthorized restore‑from‑snapshot functionality, effectively bypassing intended authorization checks. The vulnerability falls under CWE‑863, which concerns authorization errors. Based on the description, it is inferred that a local attacker who can delete snapshots can use the restore‑from‑snapshot function, an operation for which they lack explicit permission, thereby bypassing intended authorization checks.
Affected Systems
All customers running presire:qSnapper versions prior to 1.3.3 are affected. The unpatched code path exists in releases before 1.3.3, which users should upgrade to the latest version to eliminate the issue.
Risk and Exploitability
The CVSS score of 8.4 indicates a high severity flaw. The EPSS score is <1%, indicating a very low but non‑zero probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is local: an attacker must be able to execute user‑level code or have permission to delete snapshots, then invoke the restore capability, which will consult the stale authentication cache and incorrectly allow the operation.
OpenCVE Enrichment