In Canonical LXD versions 4.12 through 6.7, the doCertificateUpdate function in lxd/certificates.go does not validate the Type field when handling PUT/PATCH requests to /1.0/certificates/{fingerprint} for restricted TLS certificate users, allowing a remote authenticated attacker to escalate privileges to cluster admin.
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:HCanonical Lxd
APPCanonical4.12 – 5.0.65.21.0 – 5.21.46.0 – 6.7
Related vulnerabilities
Canonical LXD — privilege escalation przez niekompletną listę blokad VM
Canonical LXD: pominięcie ograniczeń projektu przy imporcie backupu
A privilege escalation vulnerability exists in LXD from 6.0 before 6.9, 5.21.0 before 5.21.5, and 5.0.0 before...
Broken Access Control in the devLXDInstancePatchHandler component of Canonical LXD allows an untrusted guest t...
Privilege Escalation in operations API in Canonical LXD <6.5 on multiple platforms allows attacker with read p...