Vulnerabilites related to canonical - snapd
Vulnerability from fkie_nvd
Published
2019-04-24 21:29
Modified
2024-11-21 04:21
Severity ?
Summary
snap-confine as included in snapd before 2.39 did not guard against symlink races when performing the chdir() to the current working directory of the calling user, aka a "cwd restore permission bypass."
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:canonical:snapd:*:*:*:*:*:*:*:*",
"matchCriteriaId": "DC2D8991-F30D-41F7-8C6C-7A6A3947FFDE",
"versionEndExcluding": "2.39",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "snap-confine as included in snapd before 2.39 did not guard against symlink races when performing the chdir() to the current working directory of the calling user, aka a \"cwd restore permission bypass.\""
},
{
"lang": "es",
"value": "snap-confine, como se inclu\u00eda en snap antes de la versi\u00f3n 2.39, no proteg\u00eda contra condiciones de carrera en enlaces simb\u00f3licos al realizar el chdir() al directorio de trabajo actual del usuario que realiza la llamada, tambi\u00e9n conocido como \"cwd restore permission bypass\"."
}
],
"id": "CVE-2019-11503",
"lastModified": "2024-11-21T04:21:13.123",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-04-24T21:29:00.820",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2019/04/25/7"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/snapcore/snapd/pull/6642"
},
{
"source": "cve@mitre.org",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6VACEKVQ7UAZ32WO4ZKCFW6YOBSYJ76L/"
},
{
"source": "cve@mitre.org",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VPU6APEZHAA7N2AI57OT4J2P7NKHFOLM/"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Mailing List",
"Patch",
"Third Party Advisory"
],
"url": "https://www.openwall.com/lists/oss-security/2019/04/18/4"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2019/04/25/7"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/snapcore/snapd/pull/6642"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6VACEKVQ7UAZ32WO4ZKCFW6YOBSYJ76L/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VPU6APEZHAA7N2AI57OT4J2P7NKHFOLM/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Mailing List",
"Patch",
"Third Party Advisory"
],
"url": "https://www.openwall.com/lists/oss-security/2019/04/18/4"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-59"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-02-17 23:15
Modified
2024-11-21 06:31
Severity ?
7.8 (High) - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
7.8 (High) - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
7.8 (High) - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Summary
A race condition existed in the snapd 2.54.2 snap-confine binary when preparing a private mount namespace for a snap. This could allow a local attacker to gain root privileges by bind-mounting their own contents inside the snap's private mount namespace and causing snap-confine to execute arbitrary code and hence gain privilege escalation. Fixed in snapd versions 2.54.3+18.04, 2.54.3+20.04 and 2.54.3+21.10.1
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| canonical | snapd | * | |
| canonical | ubuntu_linux | 18.04 | |
| canonical | ubuntu_linux | 20.04 | |
| canonical | ubuntu_linux | 21.10 | |
| fedoraproject | fedora | 34 | |
| fedoraproject | fedora | 35 | |
| debian | debian_linux | 10.0 | |
| debian | debian_linux | 11.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:canonical:snapd:*:*:*:*:*:*:*:*",
"matchCriteriaId": "90115CE1-12C4-4504-A1A2-9C118694C398",
"versionEndIncluding": "2.54.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*",
"matchCriteriaId": "23A7C53F-B80F-4E6A-AFA9-58EEA84BE11D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:*",
"matchCriteriaId": "902B8056-9E37-443B-8905-8AA93E2447FB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:21.10:*:*:*:*:*:*:*",
"matchCriteriaId": "AAE4D2D0-CEEB-416F-8BC5-A7987DF56190",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*",
"matchCriteriaId": "A930E247-0B43-43CB-98FF-6CE7B8189835",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*",
"matchCriteriaId": "80E516C0-98A4-4ADE-B69F-66A772E2BAAA",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
"matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*",
"matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A race condition existed in the snapd 2.54.2 snap-confine binary when preparing a private mount namespace for a snap. This could allow a local attacker to gain root privileges by bind-mounting their own contents inside the snap\u0027s private mount namespace and causing snap-confine to execute arbitrary code and hence gain privilege escalation. Fixed in snapd versions 2.54.3+18.04, 2.54.3+20.04 and 2.54.3+21.10.1"
},
{
"lang": "es",
"value": "Se presentaba una condici\u00f3n de carrera en snapd versi\u00f3n 2.54.2 en el binario snap-confine cuando era preparado un espacio de nombres de montaje privado para un snap. Esto pod\u00eda permitir a un atacante local alcanzar privilegios de root al montar su propio contenido dentro del espacio de nombres de montaje privado del snap y causar que snap-confine ejecutara c\u00f3digo arbitrario y por lo tanto obtuviera una escalada de privilegios. Corregido en snapd versiones 2.54.3+18.04, 2.54.3+20.04 y 2.54.3+21.10.1"
}
],
"id": "CVE-2021-44731",
"lastModified": "2024-11-21T06:31:28.220",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "LOCAL",
"authentication": "NONE",
"availabilityImpact": "COMPLETE",
"baseScore": 6.9,
"confidentialityImpact": "COMPLETE",
"integrityImpact": "COMPLETE",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
"exploitabilityScore": 3.4,
"impactScore": 10.0,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.1,
"impactScore": 6.0,
"source": "security@ubuntu.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.1,
"impactScore": 6.0,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-02-17T23:15:07.473",
"references": [
{
"source": "security@ubuntu.com",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/170176/snap-confine-must_mkdir_and_open_with_perms-Race-Condition.html"
},
{
"source": "security@ubuntu.com",
"tags": [
"Exploit",
"Mailing List",
"Third Party Advisory"
],
"url": "http://seclists.org/fulldisclosure/2022/Dec/4"
},
{
"source": "security@ubuntu.com",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2022/02/18/2"
},
{
"source": "security@ubuntu.com",
"tags": [
"Exploit",
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2022/02/23/1"
},
{
"source": "security@ubuntu.com",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2022/02/23/2"
},
{
"source": "security@ubuntu.com",
"tags": [
"Exploit",
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2022/11/30/2"
},
{
"source": "security@ubuntu.com",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3QTBN7LLZISXIA4KU4UKDR27Q5PXDS2U/"
},
{
"source": "security@ubuntu.com",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XCGHG6LJAVJJ72TMART6A7N4Z6MSTGI7/"
},
{
"source": "security@ubuntu.com",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://ubuntu.com/security/notices/USN-5292-1"
},
{
"source": "security@ubuntu.com",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://www.debian.org/security/2022/dsa-5080"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/170176/snap-confine-must_mkdir_and_open_with_perms-Race-Condition.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Mailing List",
"Third Party Advisory"
],
"url": "http://seclists.org/fulldisclosure/2022/Dec/4"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2022/02/18/2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2022/02/23/1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2022/02/23/2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2022/11/30/2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3QTBN7LLZISXIA4KU4UKDR27Q5PXDS2U/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XCGHG6LJAVJJ72TMART6A7N4Z6MSTGI7/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://ubuntu.com/security/notices/USN-5292-1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://www.debian.org/security/2022/dsa-5080"
}
],
"sourceIdentifier": "security@ubuntu.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-362"
}
],
"source": "security@ubuntu.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-362"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-07-25 19:15
Modified
2024-11-21 08:51
Severity ?
6.3 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
8.2 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
8.2 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Summary
In snapd versions prior to 2.62, when using AppArmor for enforcement of
sandbox permissions, snapd failed to restrict writes to the $HOME/bin
path. In Ubuntu, when this path exists, it is automatically added to
the users PATH. An attacker who could convince a user to install a
malicious snap which used the 'home' plug could use this vulnerability
to install arbitrary scripts into the users PATH which may then be run
by the user outside of the expected snap sandbox and hence allow them
to escape confinement.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security@ubuntu.com | https://github.com/snapcore/snapd/commit/aa191f97713de8dc3ce3ac818539f0b976eb8ef6 | Patch | |
| security@ubuntu.com | https://github.com/snapcore/snapd/pull/13689 | Issue Tracking, Patch | |
| security@ubuntu.com | https://gld.mcphail.uk/posts/explaining-cve-2024-1724/ | Exploit, Technical Description, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/snapcore/snapd/commit/aa191f97713de8dc3ce3ac818539f0b976eb8ef6 | Patch | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/snapcore/snapd/pull/13689 | Issue Tracking, Patch | |
| af854a3a-2127-422b-91ae-364da2661108 | https://gld.mcphail.uk/posts/explaining-cve-2024-1724/ | Exploit, Technical Description, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:canonical:snapd:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A4A95DA5-EB47-48AA-B9C6-EB6D1489E832",
"versionEndExcluding": "2.62",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In snapd versions prior to 2.62, when using AppArmor for enforcement of \nsandbox permissions, snapd failed to restrict writes to the $HOME/bin\npath. In Ubuntu, when this path exists, it is automatically added to\nthe users PATH. An attacker who could convince a user to install a\nmalicious snap which used the \u0027home\u0027 plug could use this vulnerability\nto install arbitrary scripts into the users PATH which may then be run\nby the user outside of the expected snap sandbox and hence allow them\nto escape confinement."
},
{
"lang": "es",
"value": "En versiones de snapd anteriores a la 2.62, cuando se usaba AppArmor para hacer cumplir los permisos de la zona de pruebas, snapd no pod\u00eda restringir las escrituras en la ruta $HOME/bin. En Ubuntu, cuando esta ruta existe, se agrega autom\u00e1ticamente al PATH del usuario. Un atacante que pudiera convencer a un usuario para que instalara un complemento malicioso que usara el complemento \"home\" podr\u00eda usar esta vulnerabilidad para instalar scripts arbitrarios en el PATH del usuario que luego el usuario podr\u00eda ejecutar fuera del entorno de pruebas esperado y, por lo tanto, permitirle escapar del encierro."
}
],
"id": "CVE-2024-1724",
"lastModified": "2024-11-21T08:51:10.117",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.0,
"impactScore": 3.7,
"source": "security@ubuntu.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.5,
"impactScore": 6.0,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-07-25T19:15:09.913",
"references": [
{
"source": "security@ubuntu.com",
"tags": [
"Patch"
],
"url": "https://github.com/snapcore/snapd/commit/aa191f97713de8dc3ce3ac818539f0b976eb8ef6"
},
{
"source": "security@ubuntu.com",
"tags": [
"Issue Tracking",
"Patch"
],
"url": "https://github.com/snapcore/snapd/pull/13689"
},
{
"source": "security@ubuntu.com",
"tags": [
"Exploit",
"Technical Description",
"Third Party Advisory"
],
"url": "https://gld.mcphail.uk/posts/explaining-cve-2024-1724/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/snapcore/snapd/commit/aa191f97713de8dc3ce3ac818539f0b976eb8ef6"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Patch"
],
"url": "https://github.com/snapcore/snapd/pull/13689"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Technical Description",
"Third Party Advisory"
],
"url": "https://gld.mcphail.uk/posts/explaining-cve-2024-1724/"
}
],
"sourceIdentifier": "security@ubuntu.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-732"
}
],
"source": "security@ubuntu.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-732"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-02-17 23:15
Modified
2024-11-21 06:21
Severity ?
3.8 (Low) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Summary
snapd 2.54.2 and earlier created ~/snap directories in user home directories without specifying owner-only permissions. This could allow a local attacker to read information that should have been private. Fixed in snapd versions 2.54.3+18.04, 2.54.3+20.04 and 2.54.3+21.10.1
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security@ubuntu.com | https://github.com/snapcore/snapd/commit/6bcaeeccd16ed8298a301dd92f6907f88c24cc85 | Patch, Third Party Advisory | |
| security@ubuntu.com | https://github.com/snapcore/snapd/commit/7d2a966620002149891446a53cf114804808dcca | Patch, Third Party Advisory | |
| security@ubuntu.com | https://ubuntu.com/security/notices/USN-5292-1 | Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/snapcore/snapd/commit/6bcaeeccd16ed8298a301dd92f6907f88c24cc85 | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/snapcore/snapd/commit/7d2a966620002149891446a53cf114804808dcca | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://ubuntu.com/security/notices/USN-5292-1 | Patch, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| canonical | snapd | * | |
| canonical | ubuntu_linux | 18.04 | |
| canonical | ubuntu_linux | 20.04 | |
| canonical | ubuntu_linux | 21.10 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:canonical:snapd:*:*:*:*:*:*:*:*",
"matchCriteriaId": "92201D07-90D7-445F-B474-85BFE8C31AAA",
"versionEndExcluding": "2.54.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*",
"matchCriteriaId": "23A7C53F-B80F-4E6A-AFA9-58EEA84BE11D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:*",
"matchCriteriaId": "902B8056-9E37-443B-8905-8AA93E2447FB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:21.10:*:*:*:*:*:*:*",
"matchCriteriaId": "AAE4D2D0-CEEB-416F-8BC5-A7987DF56190",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "snapd 2.54.2 and earlier created ~/snap directories in user home directories without specifying owner-only permissions. This could allow a local attacker to read information that should have been private. Fixed in snapd versions 2.54.3+18.04, 2.54.3+20.04 and 2.54.3+21.10.1"
},
{
"lang": "es",
"value": "snapd versiones 2.54.2 y anteriores, creaban directorios ~/snap en los directorios personales de usuarios sin especificar los permisos de s\u00f3lo propietario. Esto pod\u00eda permitir a un atacante local leer informaci\u00f3n que deber\u00eda ser privada. Corregido en snapd versiones 2.54.3+18.04, 2.54.3+20.04 y 2.54.3+21.10.1"
}
],
"id": "CVE-2021-3155",
"lastModified": "2024-11-21T06:21:00.923",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 2.1,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 3.9,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 3.8,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.0,
"impactScore": 1.4,
"source": "security@ubuntu.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-02-17T23:15:07.337",
"references": [
{
"source": "security@ubuntu.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/snapcore/snapd/commit/6bcaeeccd16ed8298a301dd92f6907f88c24cc85"
},
{
"source": "security@ubuntu.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/snapcore/snapd/commit/7d2a966620002149891446a53cf114804808dcca"
},
{
"source": "security@ubuntu.com",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://ubuntu.com/security/notices/USN-5292-1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/snapcore/snapd/commit/6bcaeeccd16ed8298a301dd92f6907f88c24cc85"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/snapcore/snapd/commit/7d2a966620002149891446a53cf114804808dcca"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://ubuntu.com/security/notices/USN-5292-1"
}
],
"sourceIdentifier": "security@ubuntu.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-276"
}
],
"source": "security@ubuntu.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-276"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-02-17 23:15
Modified
2024-11-21 06:36
Severity ?
8.2 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
snapd 2.54.2 fails to perform sufficient validation of snap content interface and layout paths, resulting in the ability for snaps to inject arbitrary AppArmor policy rules via malformed content interface and layout declarations and hence escape strict snap confinement. Fixed in snapd versions 2.54.3+18.04, 2.54.3+20.04 and 2.54.3+21.10.1
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| canonical | snapd | * | |
| canonical | ubuntu_linux | 18.04 | |
| canonical | ubuntu_linux | 20.04 | |
| canonical | ubuntu_linux | 21.10 | |
| fedoraproject | fedora | 34 | |
| fedoraproject | fedora | 35 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:canonical:snapd:*:*:*:*:*:*:*:*",
"matchCriteriaId": "90115CE1-12C4-4504-A1A2-9C118694C398",
"versionEndIncluding": "2.54.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*",
"matchCriteriaId": "23A7C53F-B80F-4E6A-AFA9-58EEA84BE11D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:*",
"matchCriteriaId": "902B8056-9E37-443B-8905-8AA93E2447FB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:21.10:*:*:*:*:*:*:*",
"matchCriteriaId": "AAE4D2D0-CEEB-416F-8BC5-A7987DF56190",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*",
"matchCriteriaId": "A930E247-0B43-43CB-98FF-6CE7B8189835",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*",
"matchCriteriaId": "80E516C0-98A4-4ADE-B69F-66A772E2BAAA",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "snapd 2.54.2 fails to perform sufficient validation of snap content interface and layout paths, resulting in the ability for snaps to inject arbitrary AppArmor policy rules via malformed content interface and layout declarations and hence escape strict snap confinement. Fixed in snapd versions 2.54.3+18.04, 2.54.3+20.04 and 2.54.3+21.10.1"
},
{
"lang": "es",
"value": "snapd versi\u00f3n 2.54.2, no lleva a cabo una comprobaci\u00f3n suficiente de la interfaz de contenido de snap y de las rutas de dise\u00f1o, resultando en una posibilidad de que los snaps inyecten reglas de pol\u00edtica de AppArmor arbitrarias por medio de declaraciones de interfaz de contenido y de dise\u00f1o mal formadas y, por tanto, escapen al confinamiento estricto de snap. Corregido en snapd versiones 2.54.3+18.04, 2.54.3+20.04 y 2.54.3+21.10.1"
}
],
"id": "CVE-2021-4120",
"lastModified": "2024-11-21T06:36:56.563",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 4.6,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 3.9,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.5,
"impactScore": 6.0,
"source": "security@ubuntu.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-02-17T23:15:07.550",
"references": [
{
"source": "security@ubuntu.com",
"tags": [
"Exploit",
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2022/02/18/2"
},
{
"source": "security@ubuntu.com",
"tags": [
"Exploit",
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://bugs.launchpad.net/snapd/+bug/1949368"
},
{
"source": "security@ubuntu.com",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3QTBN7LLZISXIA4KU4UKDR27Q5PXDS2U/"
},
{
"source": "security@ubuntu.com",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XCGHG6LJAVJJ72TMART6A7N4Z6MSTGI7/"
},
{
"source": "security@ubuntu.com",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://ubuntu.com/security/notices/USN-5292-1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2022/02/18/2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://bugs.launchpad.net/snapd/+bug/1949368"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3QTBN7LLZISXIA4KU4UKDR27Q5PXDS2U/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XCGHG6LJAVJJ72TMART6A7N4Z6MSTGI7/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://ubuntu.com/security/notices/USN-5292-1"
}
],
"sourceIdentifier": "security@ubuntu.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "security@ubuntu.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-07-29 17:15
Modified
2024-11-21 04:58
Severity ?
7.3 (High) - CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
6.8 (Medium) - CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
6.8 (Medium) - CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
cloud-init as managed by snapd on Ubuntu Core 16 and Ubuntu Core 18 devices was run without restrictions on every boot, which a physical attacker could exploit by crafting cloud-init user-data/meta-data via external media to perform arbitrary changes on the device to bypass intended security mechanisms such as full disk encryption. This issue did not affect traditional Ubuntu systems. Fixed in snapd version 2.45.2, revision 8539 and core version 2.45.2, revision 9659.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security@ubuntu.com | https://launchpad.net/bugs/1879530 | Third Party Advisory | |
| security@ubuntu.com | https://ubuntu.com/USN-4424-1 | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://launchpad.net/bugs/1879530 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://ubuntu.com/USN-4424-1 | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| canonical | snapd | * | |
| canonical | ubuntu_linux | 16.04 | |
| canonical | ubuntu_linux | 18.04 | |
| canonical | ubuntu_linux | 19.10 | |
| canonical | ubuntu_linux | 20.04 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:canonical:snapd:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E9321445-62D8-41A0-895C-915C03F11405",
"versionEndExcluding": "2.45.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*",
"matchCriteriaId": "F7016A2A-8365-4F1A-89A2-7A19F2BCAE5B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*",
"matchCriteriaId": "23A7C53F-B80F-4E6A-AFA9-58EEA84BE11D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:19.10:*:*:*:*:*:*:*",
"matchCriteriaId": "A31C8344-3E02-4EB8-8BD8-4C84B7959624",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:*",
"matchCriteriaId": "902B8056-9E37-443B-8905-8AA93E2447FB",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "cloud-init as managed by snapd on Ubuntu Core 16 and Ubuntu Core 18 devices was run without restrictions on every boot, which a physical attacker could exploit by crafting cloud-init user-data/meta-data via external media to perform arbitrary changes on the device to bypass intended security mechanisms such as full disk encryption. This issue did not affect traditional Ubuntu systems. Fixed in snapd version 2.45.2, revision 8539 and core version 2.45.2, revision 9659."
},
{
"lang": "es",
"value": "cloud-init administrado por snapd en los dispositivos Ubuntu Core 16 y Ubuntu Core 18, se ejecut\u00f3 sin restricciones en cada arranque, que un atacante f\u00edsico podr\u00eda explotar mediante el dise\u00f1o de user-data/meta-data de cloud-init por medio de medios externos para llevar a cabo cambios arbitrarios en el dispositivo para omitir los mecanismos de seguridad previstos, como el cifrado de disco completo. Este problema no afect\u00f3 a los sistemas tradicionales de Ubuntu. Se corrigi\u00f3 en snapd versi\u00f3n 2.45.2, revisi\u00f3n 8539 y core versi\u00f3n 2.45.2, revisi\u00f3n 9659"
}
],
"id": "CVE-2020-11933",
"lastModified": "2024-11-21T04:58:56.003",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 4.6,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 3.9,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"availabilityImpact": "NONE",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 0.9,
"impactScore": 5.8,
"source": "security@ubuntu.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"availabilityImpact": "HIGH",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 0.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-07-29T17:15:12.857",
"references": [
{
"source": "security@ubuntu.com",
"tags": [
"Third Party Advisory"
],
"url": "https://launchpad.net/bugs/1879530"
},
{
"source": "security@ubuntu.com",
"tags": [
"Vendor Advisory"
],
"url": "https://ubuntu.com/USN-4424-1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://launchpad.net/bugs/1879530"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://ubuntu.com/USN-4424-1"
}
],
"sourceIdentifier": "security@ubuntu.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-264"
}
],
"source": "security@ubuntu.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2019-04-23 16:29
Modified
2024-11-21 04:47
Severity ?
Summary
A vulnerability in the seccomp filters of Canonical snapd before version 2.37.4 allows a strict mode snap to insert characters into a terminal on a 64-bit host. The seccomp rules were generated to match 64-bit ioctl(2) commands on a 64-bit platform; however, the Linux kernel only uses the lower 32 bits to determine which ioctl(2) commands to run. This issue affects: Canonical snapd versions prior to 2.37.4.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security@ubuntu.com | https://usn.ubuntu.com/3917-1/ | Third Party Advisory | |
| security@ubuntu.com | https://www.exploit-db.com/exploits/46594 | Exploit, Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://usn.ubuntu.com/3917-1/ | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.exploit-db.com/exploits/46594 | Exploit, Third Party Advisory, VDB Entry |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| canonical | snapd | * | |
| canonical | ubuntu_linux | 14.04 | |
| canonical | ubuntu_linux | 16.04 | |
| canonical | ubuntu_linux | 18.04 | |
| canonical | ubuntu_linux | 18.10 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:canonical:snapd:*:*:*:*:*:*:*:*",
"matchCriteriaId": "78800844-C3F6-4F5B-A6DA-CC06A731B0D8",
"versionEndExcluding": "2.37.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*",
"matchCriteriaId": "B5A6F2F3-4894-4392-8296-3B8DD2679084",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*",
"matchCriteriaId": "F7016A2A-8365-4F1A-89A2-7A19F2BCAE5B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*",
"matchCriteriaId": "23A7C53F-B80F-4E6A-AFA9-58EEA84BE11D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:18.10:*:*:*:*:*:*:*",
"matchCriteriaId": "07C312A0-CD2C-4B9C-B064-6409B25C278F",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability in the seccomp filters of Canonical snapd before version 2.37.4 allows a strict mode snap to insert characters into a terminal on a 64-bit host. The seccomp rules were generated to match 64-bit ioctl(2) commands on a 64-bit platform; however, the Linux kernel only uses the lower 32 bits to determine which ioctl(2) commands to run. This issue affects: Canonical snapd versions prior to 2.37.4."
},
{
"lang": "es",
"value": "Una vulnerabilidad en los filtros seccomp de Canonical snapd anterior a la versi\u00f3n 2.37.4 permite un ajuste de modo estricto para introducir caracteres en un terminal en un host de 64 bits. Las reglas de seccomp se generaron para que coincidieran con los comandos ioctl (2) de 64 bits en una plataforma de 64 bits; sin embargo, el kernel de Linux solo utiliza los bits inferiores 32 para determinar qu\u00e9 comandos ioctl (2) ejecutar. Este problema afecta a: las versiones anteriores a 2.37.4 de Canonical snapd."
}
],
"id": "CVE-2019-7303",
"lastModified": "2024-11-21T04:47:57.920",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L",
"version": "3.0"
},
"exploitabilityScore": 1.5,
"impactScore": 3.7,
"source": "security@ubuntu.com",
"type": "Secondary"
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-04-23T16:29:10.640",
"references": [
{
"source": "security@ubuntu.com",
"tags": [
"Third Party Advisory"
],
"url": "https://usn.ubuntu.com/3917-1/"
},
{
"source": "security@ubuntu.com",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "https://www.exploit-db.com/exploits/46594"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://usn.ubuntu.com/3917-1/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "https://www.exploit-db.com/exploits/46594"
}
],
"sourceIdentifier": "security@ubuntu.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-628"
}
],
"source": "security@ubuntu.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-02-17 23:15
Modified
2024-11-21 06:31
Severity ?
7.8 (High) - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Summary
snapd 2.54.2 did not properly validate the location of the snap-confine binary. A local attacker who can hardlink this binary to another location to cause snap-confine to execute other arbitrary binaries and hence gain privilege escalation. Fixed in snapd versions 2.54.3+18.04, 2.54.3+20.04 and 2.54.3+21.10.1
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| canonical | snapd | * | |
| canonical | ubuntu_linux | 18.04 | |
| canonical | ubuntu_linux | 20.04 | |
| canonical | ubuntu_linux | 21.10 | |
| fedoraproject | fedora | 34 | |
| fedoraproject | fedora | 35 | |
| debian | debian_linux | 10.0 | |
| debian | debian_linux | 11.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:canonical:snapd:*:*:*:*:*:*:*:*",
"matchCriteriaId": "90115CE1-12C4-4504-A1A2-9C118694C398",
"versionEndIncluding": "2.54.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*",
"matchCriteriaId": "23A7C53F-B80F-4E6A-AFA9-58EEA84BE11D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:*",
"matchCriteriaId": "902B8056-9E37-443B-8905-8AA93E2447FB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:21.10:*:*:*:*:*:*:*",
"matchCriteriaId": "AAE4D2D0-CEEB-416F-8BC5-A7987DF56190",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*",
"matchCriteriaId": "A930E247-0B43-43CB-98FF-6CE7B8189835",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*",
"matchCriteriaId": "80E516C0-98A4-4ADE-B69F-66A772E2BAAA",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
"matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*",
"matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "snapd 2.54.2 did not properly validate the location of the snap-confine binary. A local attacker who can hardlink this binary to another location to cause snap-confine to execute other arbitrary binaries and hence gain privilege escalation. Fixed in snapd versions 2.54.3+18.04, 2.54.3+20.04 and 2.54.3+21.10.1"
},
{
"lang": "es",
"value": "snapd versi\u00f3n 2.54.2, no comprueba apropiadamente la ubicaci\u00f3n del binario snap-confine. Un atacante local que pueda enlazar este binario a otra ubicaci\u00f3n puede causar que snap-confine ejecute otros binarios arbitrarios y, por lo tanto, alcanzar una escalada de privilegios. Corregido en snapd versiones 2.54.3+18.04, 2.54.3+20.04 y 2.54.3+21.10.1"
}
],
"id": "CVE-2021-44730",
"lastModified": "2024-11-21T06:31:28.040",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "LOCAL",
"authentication": "NONE",
"availabilityImpact": "COMPLETE",
"baseScore": 6.9,
"confidentialityImpact": "COMPLETE",
"integrityImpact": "COMPLETE",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
"exploitabilityScore": 3.4,
"impactScore": 10.0,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.1,
"impactScore": 6.0,
"source": "security@ubuntu.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.0,
"impactScore": 6.0,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-02-17T23:15:07.413",
"references": [
{
"source": "security@ubuntu.com",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2022/02/18/2"
},
{
"source": "security@ubuntu.com",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2022/02/23/1"
},
{
"source": "security@ubuntu.com",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3QTBN7LLZISXIA4KU4UKDR27Q5PXDS2U/"
},
{
"source": "security@ubuntu.com",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XCGHG6LJAVJJ72TMART6A7N4Z6MSTGI7/"
},
{
"source": "security@ubuntu.com",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://ubuntu.com/security/notices/USN-5292-1"
},
{
"source": "security@ubuntu.com",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://www.debian.org/security/2022/dsa-5080"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2022/02/18/2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2022/02/23/1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3QTBN7LLZISXIA4KU4UKDR27Q5PXDS2U/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XCGHG6LJAVJJ72TMART6A7N4Z6MSTGI7/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://ubuntu.com/security/notices/USN-5292-1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://www.debian.org/security/2022/dsa-5080"
}
],
"sourceIdentifier": "security@ubuntu.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-59"
}
],
"source": "security@ubuntu.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-59"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2019-04-23 16:29
Modified
2024-11-21 04:47
Severity ?
Summary
Canonical snapd before version 2.37.1 incorrectly performed socket owner validation, allowing an attacker to run arbitrary commands as root. This issue affects: Canonical snapd versions prior to 2.37.1.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security@ubuntu.com | https://usn.ubuntu.com/3887-1/ | Vendor Advisory | |
| security@ubuntu.com | https://www.exploit-db.com/exploits/46361 | Exploit, Third Party Advisory, VDB Entry | |
| security@ubuntu.com | https://www.exploit-db.com/exploits/46362 | Exploit, Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://usn.ubuntu.com/3887-1/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.exploit-db.com/exploits/46361 | Exploit, Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.exploit-db.com/exploits/46362 | Exploit, Third Party Advisory, VDB Entry |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| canonical | snapd | * | |
| canonical | ubuntu_linux | 14.04 | |
| canonical | ubuntu_linux | 16.04 | |
| canonical | ubuntu_linux | 18.04 | |
| canonical | ubuntu_linux | 18.10 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:canonical:snapd:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F483203C-2A76-48E0-B15E-1444F9FF61A2",
"versionEndExcluding": "2.37.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*",
"matchCriteriaId": "B5A6F2F3-4894-4392-8296-3B8DD2679084",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*",
"matchCriteriaId": "F7016A2A-8365-4F1A-89A2-7A19F2BCAE5B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*",
"matchCriteriaId": "23A7C53F-B80F-4E6A-AFA9-58EEA84BE11D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:18.10:*:*:*:*:*:*:*",
"matchCriteriaId": "07C312A0-CD2C-4B9C-B064-6409B25C278F",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Canonical snapd before version 2.37.1 incorrectly performed socket owner validation, allowing an attacker to run arbitrary commands as root. This issue affects: Canonical snapd versions prior to 2.37.1."
},
{
"lang": "es",
"value": "El Canonical snapd hasta la versi\u00f3n 2.37.1 realiz\u00f3 incorrectamente la validaci\u00f3n del propietario del socket, permitiendo a un atacante ejecutar comandos arbitrarios como root. Este problema afecta a: Canonical snapd versiones anteriores a 2.37.1."
}
],
"id": "CVE-2019-7304",
"lastModified": "2024-11-21T04:47:58.047",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "COMPLETE",
"baseScore": 10.0,
"confidentialityImpact": "COMPLETE",
"integrityImpact": "COMPLETE",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 10.0,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 2.0,
"impactScore": 6.0,
"source": "security@ubuntu.com",
"type": "Secondary"
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-04-23T16:29:10.797",
"references": [
{
"source": "security@ubuntu.com",
"tags": [
"Vendor Advisory"
],
"url": "https://usn.ubuntu.com/3887-1/"
},
{
"source": "security@ubuntu.com",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "https://www.exploit-db.com/exploits/46361"
},
{
"source": "security@ubuntu.com",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "https://www.exploit-db.com/exploits/46362"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://usn.ubuntu.com/3887-1/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "https://www.exploit-db.com/exploits/46361"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "https://www.exploit-db.com/exploits/46362"
}
],
"sourceIdentifier": "security@ubuntu.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-863"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-07-25 20:15
Modified
2024-11-21 09:07
Severity ?
5.8 (Medium) - CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:H
6.6 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:H
6.6 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:H
Summary
In snapd versions prior to 2.62, snapd failed to properly check the file
type when extracting a snap. The snap format is a squashfs file-system
image and so can contain files that are non-regular files (such as pipes
or sockets etc). Various file entries within the snap squashfs image
(such as icons etc) are directly read by snapd when it is extracted. An
attacker who could convince a user to install a malicious snap which
contained non-regular files at these paths could then cause snapd to block
indefinitely trying to read from such files and cause a denial of service.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:canonical:snapd:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A4A95DA5-EB47-48AA-B9C6-EB6D1489E832",
"versionEndExcluding": "2.62",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In snapd versions prior to 2.62, snapd failed to properly check the file\ntype when extracting a snap. The snap format is a squashfs file-system\nimage and so can contain files that are non-regular files (such as pipes \nor sockets etc). Various file entries within the snap squashfs image\n(such as icons etc) are directly read by snapd when it is extracted. An \nattacker who could convince a user to install a malicious snap which\ncontained non-regular files at these paths could then cause snapd to block\nindefinitely trying to read from such files and cause a denial of service."
},
{
"lang": "es",
"value": "En versiones de snapd anteriores a la 2.62, snapd no pudo verificar correctamente el tipo de archivo al extraer un complemento. El formato snap es una imagen del sistema de archivos squashfs y, por lo tanto, puede contener archivos que no son archivos regulares (como tuber\u00edas o enchufes, etc.). Snapd lee directamente varias entradas de archivos dentro de la imagen de snap squashfs (como \u00edconos, etc.) cuando se extrae. Un atacante que pudiera convencer a un usuario de que instalara un complemento malicioso que contuviera archivos no regulares en estas rutas podr\u00eda provocar que snapd bloqueara indefinidamente el intento de leer dichos archivos y provocar una denegaci\u00f3n de servicio."
}
],
"id": "CVE-2024-29068",
"lastModified": "2024-11-21T09:07:29.217",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 0.6,
"impactScore": 5.2,
"source": "security@ubuntu.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.3,
"impactScore": 5.2,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-07-25T20:15:04.280",
"references": [
{
"source": "security@ubuntu.com",
"tags": [
"Patch"
],
"url": "https://github.com/snapcore/snapd/commit/b66fee81606a1c05f965a876ccbaf44174194063"
},
{
"source": "security@ubuntu.com",
"tags": [
"Issue Tracking",
"Patch"
],
"url": "https://github.com/snapcore/snapd/pull/13682"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/snapcore/snapd/commit/b66fee81606a1c05f965a876ccbaf44174194063"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Patch"
],
"url": "https://github.com/snapcore/snapd/pull/13682"
}
],
"sourceIdentifier": "security@ubuntu.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "security@ubuntu.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-09-01 19:15
Modified
2024-11-21 07:39
Severity ?
10.0 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
10.0 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
10.0 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Summary
Using the TIOCLINUX ioctl request, a malicious snap could inject contents into the input of the controlling terminal which could allow it to cause arbitrary commands to be executed outside of the snap sandbox after the snap exits. Graphical terminal emulators like xterm, gnome-terminal and others are not affected - this can only be exploited when snaps are run on a virtual console.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security@ubuntu.com | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1523 | Third Party Advisory | |
| security@ubuntu.com | https://github.com/snapcore/snapd/pull/12849 | Issue Tracking, Patch | |
| security@ubuntu.com | https://marc.info/?l=oss-security&m=167879021709955&w=2 | Exploit, Mailing List | |
| security@ubuntu.com | https://ubuntu.com/security/notices/USN-6125-1 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1523 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/snapcore/snapd/pull/12849 | Issue Tracking, Patch | |
| af854a3a-2127-422b-91ae-364da2661108 | https://marc.info/?l=oss-security&m=167879021709955&w=2 | Exploit, Mailing List | |
| af854a3a-2127-422b-91ae-364da2661108 | https://ubuntu.com/security/notices/USN-6125-1 | Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| canonical | snapd | * | |
| canonical | ubuntu_linux | 16.04 | |
| canonical | ubuntu_linux | 18.04 | |
| canonical | ubuntu_linux | 20.04 | |
| canonical | ubuntu_linux | 22.04 | |
| canonical | ubuntu_linux | 22.10 | |
| canonical | ubuntu_linux | 23.04 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:canonical:snapd:*:*:*:*:*:*:*:*",
"matchCriteriaId": "DB4DC58F-3258-44BA-B2C2-228E98A40282",
"versionEndExcluding": "2.59.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*",
"matchCriteriaId": "7A5301BF-1402-4BE0-A0F8-69FBE79BC6D6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:esm:*:*:*",
"matchCriteriaId": "B3293E55-5506-4587-A318-D1734F781C09",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:*",
"matchCriteriaId": "902B8056-9E37-443B-8905-8AA93E2447FB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:22.04:*:*:*:lts:*:*:*",
"matchCriteriaId": "359012F1-2C63-415A-88B8-6726A87830DE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:22.10:*:*:*:-:*:*:*",
"matchCriteriaId": "47842532-D2B6-44CB-ADE2-4AC8630A4D8C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:23.04:*:*:*:*:*:*:*",
"matchCriteriaId": "B2E702D7-F8C0-49BF-9FFB-883017076E98",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Using the TIOCLINUX ioctl request, a malicious snap could inject contents into the input of the controlling terminal which could allow it to cause arbitrary commands to be executed outside of the snap sandbox after the snap exits. Graphical terminal emulators like xterm, gnome-terminal and others are not affected - this can only be exploited when snaps are run on a virtual console."
},
{
"lang": "es",
"value": "Utilizando la petici\u00f3n IOCTL de TIOCLINUX, un snap malicoso podr\u00eda inyectar contenido en la entrada del terminal de control, lo que podr\u00eda permitir que se ejecutaran comandos arbitrarios fuera del sandbox del snap despu\u00e9s de que \u00e9ste saliera. Los emuladores gr\u00e1ficos de terminal como xterm, gnome-terminal y otros no se ven afectados. Esto s\u00f3lo puede ser explotado cuando los snaps se ejecutan en una consola virtual. "
}
],
"id": "CVE-2023-1523",
"lastModified": "2024-11-21T07:39:21.537",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10.0,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 6.0,
"source": "security@ubuntu.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10.0,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 6.0,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-09-01T19:15:42.707",
"references": [
{
"source": "security@ubuntu.com",
"tags": [
"Third Party Advisory"
],
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1523"
},
{
"source": "security@ubuntu.com",
"tags": [
"Issue Tracking",
"Patch"
],
"url": "https://github.com/snapcore/snapd/pull/12849"
},
{
"source": "security@ubuntu.com",
"tags": [
"Exploit",
"Mailing List"
],
"url": "https://marc.info/?l=oss-security\u0026m=167879021709955\u0026w=2"
},
{
"source": "security@ubuntu.com",
"tags": [
"Third Party Advisory"
],
"url": "https://ubuntu.com/security/notices/USN-6125-1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1523"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Patch"
],
"url": "https://github.com/snapcore/snapd/pull/12849"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Mailing List"
],
"url": "https://marc.info/?l=oss-security\u0026m=167879021709955\u0026w=2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://ubuntu.com/security/notices/USN-6125-1"
}
],
"sourceIdentifier": "security@ubuntu.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-74"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-07-25 20:15
Modified
2024-11-21 09:07
Severity ?
4.8 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L
7.3 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
7.3 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Summary
In snapd versions prior to 2.62, snapd failed to properly check the
destination of symbolic links when extracting a snap. The snap format
is a squashfs file-system image and so can contain symbolic links and
other file types. Various file entries within the snap squashfs image
(such as icons and desktop files etc) are directly read by snapd when
it is extracted. An attacker who could convince a user to install a
malicious snap which contained symbolic links at these paths could then
cause snapd to write out the contents of the symbolic link destination
into a world-readable directory. This in-turn could allow an unprivileged
user to gain access to privileged information.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security@ubuntu.com | https://github.com/snapcore/snapd/pull/13682 | Issue Tracking, Patch | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/snapcore/snapd/pull/13682 | Issue Tracking, Patch |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:canonical:snapd:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A4A95DA5-EB47-48AA-B9C6-EB6D1489E832",
"versionEndExcluding": "2.62",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In snapd versions prior to 2.62, snapd failed to properly check the\ndestination of symbolic links when extracting a snap. The snap format \nis a squashfs file-system image and so can contain symbolic links and\nother file types. Various file entries within the snap squashfs image\n(such as icons and desktop files etc) are directly read by snapd when\nit is extracted. An attacker who could convince a user to install a\nmalicious snap which contained symbolic links at these paths could then \ncause snapd to write out the contents of the symbolic link destination\ninto a world-readable directory. This in-turn could allow an unprivileged\nuser to gain access to privileged information."
},
{
"lang": "es",
"value": "En versiones de snapd anteriores a la 2.62, snapd no pod\u00eda verificar correctamente el destino de los enlaces simb\u00f3licos al extraer un snap. El formato snap es una imagen del sistema de archivos squashfs y, por lo tanto, puede contener enlaces simb\u00f3licos y otros tipos de archivos. snapd lee directamente varias entradas de archivos dentro de la imagen de snap squashfs (como \u00edconos y archivos de escritorio, etc.) cuando se extrae. Un atacante que pudiera convencer a un usuario de que instalara un complemento malicioso que contuviera enlaces simb\u00f3licos en estas rutas podr\u00eda hacer que snapd escribiera el contenido del destino del enlace simb\u00f3lico en un directorio legible por todo el mundo. Esto, a su vez, podr\u00eda permitir que un usuario sin privilegios obtenga acceso a informaci\u00f3n privilegiada."
}
],
"id": "CVE-2024-29069",
"lastModified": "2024-11-21T09:07:29.377",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 1.3,
"impactScore": 3.4,
"source": "security@ubuntu.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.3,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-07-25T20:15:04.483",
"references": [
{
"source": "security@ubuntu.com",
"tags": [
"Issue Tracking",
"Patch"
],
"url": "https://github.com/snapcore/snapd/pull/13682"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Patch"
],
"url": "https://github.com/snapcore/snapd/pull/13682"
}
],
"sourceIdentifier": "security@ubuntu.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-610"
}
],
"source": "security@ubuntu.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-59"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-01-08 18:15
Modified
2024-11-21 07:19
Severity ?
7.8 (High) - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
7.0 (High) - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
7.0 (High) - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
Race condition in snap-confine's must_mkdir_and_open_with_perms()
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security@ubuntu.com | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3328 | Third Party Advisory | |
| security@ubuntu.com | https://ubuntu.com/security/notices/USN-5753-1 | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3328 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://ubuntu.com/security/notices/USN-5753-1 | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| canonical | snapd | * | |
| canonical | ubuntu_linux | 16.04 | |
| canonical | ubuntu_linux | 18.04 | |
| canonical | ubuntu_linux | 20.04 | |
| canonical | ubuntu_linux | 22.04 | |
| canonical | ubuntu_linux | 22.10 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:canonical:snapd:*:*:*:*:*:*:*:*",
"matchCriteriaId": "AD04E5D3-B033-4B01-A373-38188C2AB657",
"versionEndExcluding": "2.61.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*",
"matchCriteriaId": "7A5301BF-1402-4BE0-A0F8-69FBE79BC6D6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:esm:*:*:*",
"matchCriteriaId": "B3293E55-5506-4587-A318-D1734F781C09",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:*",
"matchCriteriaId": "902B8056-9E37-443B-8905-8AA93E2447FB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:22.04:*:*:*:lts:*:*:*",
"matchCriteriaId": "359012F1-2C63-415A-88B8-6726A87830DE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:22.10:*:*:*:-:*:*:*",
"matchCriteriaId": "47842532-D2B6-44CB-ADE2-4AC8630A4D8C",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Race condition in snap-confine\u0027s must_mkdir_and_open_with_perms()"
},
{
"lang": "es",
"value": "Condici\u00f3n de ejecuci\u00f3n en must_mkdir_and_open_with_perms() de snap-confine"
}
],
"id": "CVE-2022-3328",
"lastModified": "2024-11-21T07:19:18.427",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.1,
"impactScore": 6.0,
"source": "security@ubuntu.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.0,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.0,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-01-08T18:15:45.233",
"references": [
{
"source": "security@ubuntu.com",
"tags": [
"Third Party Advisory"
],
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3328"
},
{
"source": "security@ubuntu.com",
"tags": [
"Vendor Advisory"
],
"url": "https://ubuntu.com/security/notices/USN-5753-1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3328"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://ubuntu.com/security/notices/USN-5753-1"
}
],
"sourceIdentifier": "security@ubuntu.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-362"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2019-04-24 21:29
Modified
2024-11-21 04:21
Severity ?
Summary
snap-confine in snapd before 2.38 incorrectly set the ownership of a snap application to the uid and gid of the first calling user. Consequently, that user had unintended access to a private /tmp directory.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | http://www.openwall.com/lists/oss-security/2019/04/25/7 | Third Party Advisory | |
| cve@mitre.org | https://github.com/snapcore/snapd/commit/bdbfeebef03245176ae0dc323392bb0522a339b1 | Patch, Third Party Advisory | |
| cve@mitre.org | https://www.openwall.com/lists/oss-security/2019/04/18/4 | Exploit, Mailing List, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2019/04/25/7 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/snapcore/snapd/commit/bdbfeebef03245176ae0dc323392bb0522a339b1 | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.openwall.com/lists/oss-security/2019/04/18/4 | Exploit, Mailing List, Patch, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:canonical:snapd:*:*:*:*:*:*:*:*",
"matchCriteriaId": "102DFBEE-3825-4314-8577-DB0948C47E21",
"versionEndExcluding": "2.38",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "snap-confine in snapd before 2.38 incorrectly set the ownership of a snap application to the uid and gid of the first calling user. Consequently, that user had unintended access to a private /tmp directory."
},
{
"lang": "es",
"value": "snap-confine, en snap antes de la versi\u00f3n 2.38, establece incorrectamente la propiedad de una aplicaci\u00f3n snap al uid y gid del usuario que realiza la primera llamada. Consecuentemente, ese usuario tiene un acceso no intencionado a un directorio /tmp privado."
}
],
"id": "CVE-2019-11502",
"lastModified": "2024-11-21T04:21:12.973",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-04-24T21:29:00.727",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2019/04/25/7"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/snapcore/snapd/commit/bdbfeebef03245176ae0dc323392bb0522a339b1"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Mailing List",
"Patch",
"Third Party Advisory"
],
"url": "https://www.openwall.com/lists/oss-security/2019/04/18/4"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2019/04/25/7"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/snapcore/snapd/commit/bdbfeebef03245176ae0dc323392bb0522a339b1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Mailing List",
"Patch",
"Third Party Advisory"
],
"url": "https://www.openwall.com/lists/oss-security/2019/04/18/4"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-59"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
cve-2023-1523
Vulnerability from cvelistv5
Published
2023-09-01 18:41
Modified
2024-10-01 13:08
Severity ?
EPSS score ?
Summary
Using the TIOCLINUX ioctl request, a malicious snap could inject contents into the input of the controlling terminal which could allow it to cause arbitrary commands to be executed outside of the snap sandbox after the snap exits. Graphical terminal emulators like xterm, gnome-terminal and others are not affected - this can only be exploited when snaps are run on a virtual console.
References
| ▼ | URL | Tags |
|---|---|---|
| https://ubuntu.com/security/notices/USN-6125-1 | vendor-advisory | |
| https://github.com/snapcore/snapd/pull/12849 | issue-tracking | |
| https://marc.info/?l=oss-security&m=167879021709955&w=2 | mailing-list | |
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1523 | issue-tracking |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Canonical Ltd. | snapd |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T05:49:11.645Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://ubuntu.com/security/notices/USN-6125-1"
},
{
"tags": [
"issue-tracking",
"x_transferred"
],
"url": "https://github.com/snapcore/snapd/pull/12849"
},
{
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://marc.info/?l=oss-security\u0026m=167879021709955\u0026w=2"
},
{
"tags": [
"issue-tracking",
"x_transferred"
],
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1523"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-1523",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-01T13:08:37.894449Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-01T13:08:45.851Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com/snapcore/snapd/releases",
"packageName": "snapd",
"platforms": [
"Linux"
],
"product": "snapd",
"repo": "https://github.com/snapcore/snapd",
"vendor": "Canonical Ltd.",
"versions": [
{
"status": "unaffected",
"version": "2.59.5"
}
]
}
],
"datePublic": "2023-05-25T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Using the TIOCLINUX ioctl request, a malicious snap could inject contents into the input of the controlling terminal which could allow it to cause arbitrary commands to be executed outside of the snap sandbox after the snap exits. Graphical terminal emulators like xterm, gnome-terminal and others are not affected - this can only be exploited when snaps are run on a virtual console."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"providerMetadata": {
"dateUpdated": "2023-09-01T18:41:47.820Z",
"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"shortName": "canonical"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://ubuntu.com/security/notices/USN-6125-1"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/snapcore/snapd/pull/12849"
},
{
"tags": [
"mailing-list"
],
"url": "https://marc.info/?l=oss-security\u0026m=167879021709955\u0026w=2"
},
{
"tags": [
"issue-tracking"
],
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1523"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"assignerShortName": "canonical",
"cveId": "CVE-2023-1523",
"datePublished": "2023-09-01T18:41:47.820Z",
"dateReserved": "2023-03-20T17:41:17.600Z",
"dateUpdated": "2024-10-01T13:08:45.851Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-3328
Vulnerability from cvelistv5
Published
2024-01-08 18:04
Modified
2024-08-03 01:07
Severity ?
EPSS score ?
Summary
Race condition in snap-confine's must_mkdir_and_open_with_perms()
References
| ▼ | URL | Tags |
|---|---|---|
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3328 | issue-tracking | |
| https://ubuntu.com/security/notices/USN-5753-1 | third-party-advisory |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Canonical Ltd. | snapd |
Version: 0 ≤ |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T01:07:06.423Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"issue-tracking",
"x_transferred"
],
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3328"
},
{
"tags": [
"third-party-advisory",
"x_transferred"
],
"url": "https://ubuntu.com/security/notices/USN-5753-1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"packageName": "snapd",
"platforms": [
"Linux"
],
"product": "snapd",
"repo": "https://github.com/snapcore/snapd",
"vendor": "Canonical Ltd.",
"versions": [
{
"lessThan": "2.61.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Qualys"
}
],
"descriptions": [
{
"lang": "en",
"value": "Race condition in snap-confine\u0027s must_mkdir_and_open_with_perms()"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"providerMetadata": {
"dateUpdated": "2024-01-08T18:04:10.534Z",
"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"shortName": "canonical"
},
"references": [
{
"tags": [
"issue-tracking"
],
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3328"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://ubuntu.com/security/notices/USN-5753-1"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"assignerShortName": "canonical",
"cveId": "CVE-2022-3328",
"datePublished": "2024-01-08T18:04:10.534Z",
"dateReserved": "2022-09-27T00:03:34.151Z",
"dateUpdated": "2024-08-03T01:07:06.423Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-11502
Vulnerability from cvelistv5
Published
2019-04-24 20:02
Modified
2024-08-04 22:55
Severity ?
EPSS score ?
Summary
snap-confine in snapd before 2.38 incorrectly set the ownership of a snap application to the uid and gid of the first calling user. Consequently, that user had unintended access to a private /tmp directory.
References
| ▼ | URL | Tags |
|---|---|---|
| https://www.openwall.com/lists/oss-security/2019/04/18/4 | x_refsource_MISC | |
| https://github.com/snapcore/snapd/commit/bdbfeebef03245176ae0dc323392bb0522a339b1 | x_refsource_MISC | |
| http://www.openwall.com/lists/oss-security/2019/04/25/7 | mailing-list, x_refsource_MLIST |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T22:55:40.662Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.openwall.com/lists/oss-security/2019/04/18/4"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/snapcore/snapd/commit/bdbfeebef03245176ae0dc323392bb0522a339b1"
},
{
"name": "[oss-security] 20190425 Re: Security issues in snapcraft snap-confine set*id binary",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2019/04/25/7"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "snap-confine in snapd before 2.38 incorrectly set the ownership of a snap application to the uid and gid of the first calling user. Consequently, that user had unintended access to a private /tmp directory."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-04-25T17:06:03",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.openwall.com/lists/oss-security/2019/04/18/4"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/snapcore/snapd/commit/bdbfeebef03245176ae0dc323392bb0522a339b1"
},
{
"name": "[oss-security] 20190425 Re: Security issues in snapcraft snap-confine set*id binary",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2019/04/25/7"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-11502",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "snap-confine in snapd before 2.38 incorrectly set the ownership of a snap application to the uid and gid of the first calling user. Consequently, that user had unintended access to a private /tmp directory."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.openwall.com/lists/oss-security/2019/04/18/4",
"refsource": "MISC",
"url": "https://www.openwall.com/lists/oss-security/2019/04/18/4"
},
{
"name": "https://github.com/snapcore/snapd/commit/bdbfeebef03245176ae0dc323392bb0522a339b1",
"refsource": "MISC",
"url": "https://github.com/snapcore/snapd/commit/bdbfeebef03245176ae0dc323392bb0522a339b1"
},
{
"name": "[oss-security] 20190425 Re: Security issues in snapcraft snap-confine set*id binary",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2019/04/25/7"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-11502",
"datePublished": "2019-04-24T20:02:32",
"dateReserved": "2019-04-24T00:00:00",
"dateUpdated": "2024-08-04T22:55:40.662Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2020-11934
Vulnerability from cvelistv5
Published
2020-07-29 16:25
Modified
2024-09-17 04:04
Severity ?
EPSS score ?
Summary
It was discovered that snapctl user-open allowed altering the $XDG_DATA_DIRS environment variable when calling the system xdg-open. OpenURL() in usersession/userd/launcher.go would alter $XDG_DATA_DIRS to append a path to a directory controlled by the calling snap. A malicious snap could exploit this to bypass intended access restrictions to control how the host system xdg-open script opens the URL and, for example, execute a script shipped with the snap without confinement. This issue did not affect Ubuntu Core systems. Fixed in snapd versions 2.45.1ubuntu0.2, 2.45.1+18.04.2 and 2.45.1+20.04.2.
References
| ▼ | URL | Tags |
|---|---|---|
| https://ubuntu.com/USN-4424-1 | x_refsource_CONFIRM | |
| https://launchpad.net/bugs/1880085 | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T11:42:00.558Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://ubuntu.com/USN-4424-1"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://launchpad.net/bugs/1880085"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "snapd",
"vendor": "Canonical",
"versions": [
{
"changes": [
{
"at": "2.45.1+18.04.2",
"status": "unaffected"
},
{
"at": "2.45.1+20.04.2",
"status": "unaffected"
}
],
"lessThan": "2.45.1ubuntu0.2",
"status": "affected",
"version": "2.45.1",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "James Henstridge"
}
],
"datePublic": "2020-05-22T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "It was discovered that snapctl user-open allowed altering the $XDG_DATA_DIRS environment variable when calling the system xdg-open. OpenURL() in usersession/userd/launcher.go would alter $XDG_DATA_DIRS to append a path to a directory controlled by the calling snap. A malicious snap could exploit this to bypass intended access restrictions to control how the host system xdg-open script opens the URL and, for example, execute a script shipped with the snap without confinement. This issue did not affect Ubuntu Core systems. Fixed in snapd versions 2.45.1ubuntu0.2, 2.45.1+18.04.2 and 2.45.1+20.04.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Sandbox escape vulnerability",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-07-29T16:25:26",
"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"shortName": "canonical"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://ubuntu.com/USN-4424-1"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://launchpad.net/bugs/1880085"
}
],
"source": {
"advisory": "https://ubuntu.com/USN-4424-1",
"defect": [
"https://launchpad.net/bugs/1880085"
],
"discovery": "INTERNAL"
},
"title": "Sandbox escape vulnerability via snapctl user-open (xdg-open)",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"AKA": "",
"ASSIGNER": "security@ubuntu.com",
"DATE_PUBLIC": "2020-05-22T05:55:00.000Z",
"ID": "CVE-2020-11934",
"STATE": "PUBLIC",
"TITLE": "Sandbox escape vulnerability via snapctl user-open (xdg-open)"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "snapd",
"version": {
"version_data": [
{
"platform": "",
"version_affected": "\u003c",
"version_name": "2.45.1",
"version_value": "2.45.1ubuntu0.2"
},
{
"platform": "",
"version_affected": "\u003c",
"version_name": "2.45.1",
"version_value": "2.45.1+18.04.2"
},
{
"platform": "",
"version_affected": "\u003c",
"version_name": "2.45.1",
"version_value": "2.45.1+20.04.2"
}
]
}
}
]
},
"vendor_name": "Canonical"
}
]
}
},
"configuration": [],
"credit": [
{
"lang": "eng",
"value": "James Henstridge"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "It was discovered that snapctl user-open allowed altering the $XDG_DATA_DIRS environment variable when calling the system xdg-open. OpenURL() in usersession/userd/launcher.go would alter $XDG_DATA_DIRS to append a path to a directory controlled by the calling snap. A malicious snap could exploit this to bypass intended access restrictions to control how the host system xdg-open script opens the URL and, for example, execute a script shipped with the snap without confinement. This issue did not affect Ubuntu Core systems. Fixed in snapd versions 2.45.1ubuntu0.2, 2.45.1+18.04.2 and 2.45.1+20.04.2."
}
]
},
"exploit": [],
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Sandbox escape vulnerability"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://ubuntu.com/USN-4424-1",
"refsource": "CONFIRM",
"url": "https://ubuntu.com/USN-4424-1"
},
{
"name": "https://launchpad.net/bugs/1880085",
"refsource": "CONFIRM",
"url": "https://launchpad.net/bugs/1880085"
}
]
},
"solution": [],
"source": {
"advisory": "https://ubuntu.com/USN-4424-1",
"defect": [
"https://launchpad.net/bugs/1880085"
],
"discovery": "INTERNAL"
},
"work_around": []
}
}
},
"cveMetadata": {
"assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"assignerShortName": "canonical",
"cveId": "CVE-2020-11934",
"datePublished": "2020-07-29T16:25:26.118479Z",
"dateReserved": "2020-04-20T00:00:00",
"dateUpdated": "2024-09-17T04:04:04.329Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2021-3155
Vulnerability from cvelistv5
Published
2022-02-17 22:15
Modified
2024-08-03 16:45
Severity ?
EPSS score ?
Summary
snapd 2.54.2 and earlier created ~/snap directories in user home directories without specifying owner-only permissions. This could allow a local attacker to read information that should have been private. Fixed in snapd versions 2.54.3+18.04, 2.54.3+20.04 and 2.54.3+21.10.1
References
| ▼ | URL | Tags |
|---|---|---|
| https://ubuntu.com/security/notices/USN-5292-1 | x_refsource_MISC | |
| https://github.com/snapcore/snapd/commit/6bcaeeccd16ed8298a301dd92f6907f88c24cc85 | x_refsource_MISC | |
| https://github.com/snapcore/snapd/commit/7d2a966620002149891446a53cf114804808dcca | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Canonical Ltd. | snapd |
Version: unspecified < |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T16:45:51.372Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://ubuntu.com/security/notices/USN-5292-1"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/snapcore/snapd/commit/6bcaeeccd16ed8298a301dd92f6907f88c24cc85"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/snapcore/snapd/commit/7d2a966620002149891446a53cf114804808dcca"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "snapd",
"vendor": "Canonical Ltd.",
"versions": [
{
"lessThanOrEqual": "2.54.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "James Troup"
}
],
"descriptions": [
{
"lang": "en",
"value": "snapd 2.54.2 and earlier created ~/snap directories in user home directories without specifying owner-only permissions. This could allow a local attacker to read information that should have been private. Fixed in snapd versions 2.54.3+18.04, 2.54.3+20.04 and 2.54.3+21.10.1"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 3.8,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-276",
"description": "CWE-276 Incorrect Default Permissions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-02-17T22:15:16",
"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"shortName": "canonical"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://ubuntu.com/security/notices/USN-5292-1"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/snapcore/snapd/commit/6bcaeeccd16ed8298a301dd92f6907f88c24cc85"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/snapcore/snapd/commit/7d2a966620002149891446a53cf114804808dcca"
}
],
"source": {
"discovery": "USER"
},
"title": "snapd created ~/snap with too-wide permissions",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@ubuntu.com",
"ID": "CVE-2021-3155",
"STATE": "PUBLIC",
"TITLE": "snapd created ~/snap with too-wide permissions"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "snapd",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_value": "2.54.2"
}
]
}
}
]
},
"vendor_name": "Canonical Ltd."
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "James Troup"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "snapd 2.54.2 and earlier created ~/snap directories in user home directories without specifying owner-only permissions. This could allow a local attacker to read information that should have been private. Fixed in snapd versions 2.54.3+18.04, 2.54.3+20.04 and 2.54.3+21.10.1"
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 3.8,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-276 Incorrect Default Permissions"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://ubuntu.com/security/notices/USN-5292-1",
"refsource": "MISC",
"url": "https://ubuntu.com/security/notices/USN-5292-1"
},
{
"name": "https://github.com/snapcore/snapd/commit/6bcaeeccd16ed8298a301dd92f6907f88c24cc85",
"refsource": "MISC",
"url": "https://github.com/snapcore/snapd/commit/6bcaeeccd16ed8298a301dd92f6907f88c24cc85"
},
{
"name": "https://github.com/snapcore/snapd/commit/7d2a966620002149891446a53cf114804808dcca",
"refsource": "MISC",
"url": "https://github.com/snapcore/snapd/commit/7d2a966620002149891446a53cf114804808dcca"
}
]
},
"source": {
"discovery": "USER"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"assignerShortName": "canonical",
"cveId": "CVE-2021-3155",
"datePublished": "2022-02-17T22:15:16",
"dateReserved": "2021-01-15T00:00:00",
"dateUpdated": "2024-08-03T16:45:51.372Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2021-44731
Vulnerability from cvelistv5
Published
2022-02-17 00:00
Modified
2024-08-04 04:32
Severity ?
EPSS score ?
Summary
A race condition existed in the snapd 2.54.2 snap-confine binary when preparing a private mount namespace for a snap. This could allow a local attacker to gain root privileges by bind-mounting their own contents inside the snap's private mount namespace and causing snap-confine to execute arbitrary code and hence gain privilege escalation. Fixed in snapd versions 2.54.3+18.04, 2.54.3+20.04 and 2.54.3+21.10.1
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Canonical Ltd. | snapd |
Version: unspecified < |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T04:32:12.887Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://ubuntu.com/security/notices/USN-5292-1"
},
{
"name": "[oss-security] 20220218 CVE-2021-4120: Insufficient validation of snap content interface and layout paths",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2022/02/18/2"
},
{
"name": "FEDORA-2022-82bea71e5a",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3QTBN7LLZISXIA4KU4UKDR27Q5PXDS2U/"
},
{
"name": "FEDORA-2022-5df8b52ba4",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XCGHG6LJAVJJ72TMART6A7N4Z6MSTGI7/"
},
{
"name": "DSA-5080",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://www.debian.org/security/2022/dsa-5080"
},
{
"name": "[oss-security] 20220223 Re: CVE-2021-44731: Race condition in snap-confine\u0027s setup_private_mount()",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2022/02/23/1"
},
{
"name": "[oss-security] 20220223 Re: CVE-2021-44731: Race condition in snap-confine\u0027s setup_private_mount()",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2022/02/23/2"
},
{
"name": "[oss-security] 20221130 Race condition in snap-confine\u0027s must_mkdir_and_open_with_perms() (CVE-2022-3328)",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2022/11/30/2"
},
{
"name": "20221208 Race condition in snap-confine\u0027s must_mkdir_and_open_with_perms() (CVE-2022-3328)",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "http://seclists.org/fulldisclosure/2022/Dec/4"
},
{
"tags": [
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/170176/snap-confine-must_mkdir_and_open_with_perms-Race-Condition.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "snapd",
"vendor": "Canonical Ltd.",
"versions": [
{
"lessThanOrEqual": "2.54.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Qualys Research Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A race condition existed in the snapd 2.54.2 snap-confine binary when preparing a private mount namespace for a snap. This could allow a local attacker to gain root privileges by bind-mounting their own contents inside the snap\u0027s private mount namespace and causing snap-confine to execute arbitrary code and hence gain privilege escalation. Fixed in snapd versions 2.54.3+18.04, 2.54.3+20.04 and 2.54.3+21.10.1"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-362",
"description": "CWE-362 Race Condition (Concurrent Execution using Shared Resource with Improper Synchronization)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-12-09T00:00:00",
"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"shortName": "canonical"
},
"references": [
{
"url": "https://ubuntu.com/security/notices/USN-5292-1"
},
{
"name": "[oss-security] 20220218 CVE-2021-4120: Insufficient validation of snap content interface and layout paths",
"tags": [
"mailing-list"
],
"url": "http://www.openwall.com/lists/oss-security/2022/02/18/2"
},
{
"name": "FEDORA-2022-82bea71e5a",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3QTBN7LLZISXIA4KU4UKDR27Q5PXDS2U/"
},
{
"name": "FEDORA-2022-5df8b52ba4",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XCGHG6LJAVJJ72TMART6A7N4Z6MSTGI7/"
},
{
"name": "DSA-5080",
"tags": [
"vendor-advisory"
],
"url": "https://www.debian.org/security/2022/dsa-5080"
},
{
"name": "[oss-security] 20220223 Re: CVE-2021-44731: Race condition in snap-confine\u0027s setup_private_mount()",
"tags": [
"mailing-list"
],
"url": "http://www.openwall.com/lists/oss-security/2022/02/23/1"
},
{
"name": "[oss-security] 20220223 Re: CVE-2021-44731: Race condition in snap-confine\u0027s setup_private_mount()",
"tags": [
"mailing-list"
],
"url": "http://www.openwall.com/lists/oss-security/2022/02/23/2"
},
{
"name": "[oss-security] 20221130 Race condition in snap-confine\u0027s must_mkdir_and_open_with_perms() (CVE-2022-3328)",
"tags": [
"mailing-list"
],
"url": "http://www.openwall.com/lists/oss-security/2022/11/30/2"
},
{
"name": "20221208 Race condition in snap-confine\u0027s must_mkdir_and_open_with_perms() (CVE-2022-3328)",
"tags": [
"mailing-list"
],
"url": "http://seclists.org/fulldisclosure/2022/Dec/4"
},
{
"url": "http://packetstormsecurity.com/files/170176/snap-confine-must_mkdir_and_open_with_perms-Race-Condition.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "snapd could be made to escalate privileges and run programs as administrator",
"x_generator": {
"engine": "Vulnogram 0.0.9"
}
}
},
"cveMetadata": {
"assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"assignerShortName": "canonical",
"cveId": "CVE-2021-44731",
"datePublished": "2022-02-17T00:00:00",
"dateReserved": "2021-12-08T00:00:00",
"dateUpdated": "2024-08-04T04:32:12.887Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-7304
Vulnerability from cvelistv5
Published
2019-04-23 15:57
Modified
2024-09-16 18:38
Severity ?
EPSS score ?
Summary
Canonical snapd before version 2.37.1 incorrectly performed socket owner validation, allowing an attacker to run arbitrary commands as root. This issue affects: Canonical snapd versions prior to 2.37.1.
References
| ▼ | URL | Tags |
|---|---|---|
| https://usn.ubuntu.com/3887-1/ | x_refsource_MISC | |
| https://www.exploit-db.com/exploits/46361 | x_refsource_MISC | |
| https://www.exploit-db.com/exploits/46362 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T20:46:45.972Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://usn.ubuntu.com/3887-1/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.exploit-db.com/exploits/46361"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.exploit-db.com/exploits/46362"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "snapd",
"vendor": "Canonical",
"versions": [
{
"lessThan": "2.37.1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Chris Moberly"
}
],
"datePublic": "2019-02-12T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Canonical snapd before version 2.37.1 incorrectly performed socket owner validation, allowing an attacker to run arbitrary commands as root. This issue affects: Canonical snapd versions prior to 2.37.1."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Type confusion when performing access control check",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-04-23T15:57:32",
"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"shortName": "canonical"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://usn.ubuntu.com/3887-1/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.exploit-db.com/exploits/46361"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.exploit-db.com/exploits/46362"
}
],
"source": {
"defect": [
"https://bugs.launchpad.net/snapd/+bug/1813365"
],
"discovery": "EXTERNAL"
},
"title": "Local privilege escalation via snapd socket",
"x_generator": {
"engine": "Vulnogram 0.0.6"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"AKA": "Dirty Sock",
"ASSIGNER": "security@ubuntu.com",
"DATE_PUBLIC": "2019-02-12T08:00:00.000Z",
"ID": "CVE-2019-7304",
"STATE": "PUBLIC",
"TITLE": "Local privilege escalation via snapd socket"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "snapd",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "2.37.1"
}
]
}
}
]
},
"vendor_name": "Canonical"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Chris Moberly"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Canonical snapd before version 2.37.1 incorrectly performed socket owner validation, allowing an attacker to run arbitrary commands as root. This issue affects: Canonical snapd versions prior to 2.37.1."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.6"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Type confusion when performing access control check"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://usn.ubuntu.com/3887-1/",
"refsource": "MISC",
"url": "https://usn.ubuntu.com/3887-1/"
},
{
"name": "https://www.exploit-db.com/exploits/46361",
"refsource": "MISC",
"url": "https://www.exploit-db.com/exploits/46361"
},
{
"name": "https://www.exploit-db.com/exploits/46362",
"refsource": "MISC",
"url": "https://www.exploit-db.com/exploits/46362"
}
]
},
"source": {
"defect": [
"https://bugs.launchpad.net/snapd/+bug/1813365"
],
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"assignerShortName": "canonical",
"cveId": "CVE-2019-7304",
"datePublished": "2019-04-23T15:57:32.649432Z",
"dateReserved": "2019-02-01T00:00:00",
"dateUpdated": "2024-09-16T18:38:22.569Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-7303
Vulnerability from cvelistv5
Published
2019-04-23 15:57
Modified
2024-09-17 01:46
Severity ?
EPSS score ?
Summary
A vulnerability in the seccomp filters of Canonical snapd before version 2.37.4 allows a strict mode snap to insert characters into a terminal on a 64-bit host. The seccomp rules were generated to match 64-bit ioctl(2) commands on a 64-bit platform; however, the Linux kernel only uses the lower 32 bits to determine which ioctl(2) commands to run. This issue affects: Canonical snapd versions prior to 2.37.4.
References
| ▼ | URL | Tags |
|---|---|---|
| https://usn.ubuntu.com/3917-1/ | x_refsource_MISC | |
| https://www.exploit-db.com/exploits/46594 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T20:46:45.956Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://usn.ubuntu.com/3917-1/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.exploit-db.com/exploits/46594"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "snapd",
"vendor": "Canonical",
"versions": [
{
"lessThan": "2.37.4",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Jann Horn"
}
],
"datePublic": "2019-03-21T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "A vulnerability in the seccomp filters of Canonical snapd before version 2.37.4 allows a strict mode snap to insert characters into a terminal on a 64-bit host. The seccomp rules were generated to match 64-bit ioctl(2) commands on a 64-bit platform; however, the Linux kernel only uses the lower 32 bits to determine which ioctl(2) commands to run. This issue affects: Canonical snapd versions prior to 2.37.4."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-628",
"description": "CWE-628",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-04-23T15:57:32",
"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"shortName": "canonical"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://usn.ubuntu.com/3917-1/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.exploit-db.com/exploits/46594"
}
],
"source": {
"defect": [
"https://bugs.launchpad.net/snapd/+bug/1812973"
],
"discovery": "EXTERNAL"
},
"title": "Snapd seccomp filter TIOCSTI ioctl bypass",
"x_generator": {
"engine": "Vulnogram 0.0.6"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@ubuntu.com",
"DATE_PUBLIC": "2019-03-21T07:00:00.000Z",
"ID": "CVE-2019-7303",
"STATE": "PUBLIC",
"TITLE": "Snapd seccomp filter TIOCSTI ioctl bypass"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "snapd",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "2.37.4"
}
]
}
}
]
},
"vendor_name": "Canonical"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Jann Horn"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A vulnerability in the seccomp filters of Canonical snapd before version 2.37.4 allows a strict mode snap to insert characters into a terminal on a 64-bit host. The seccomp rules were generated to match 64-bit ioctl(2) commands on a 64-bit platform; however, the Linux kernel only uses the lower 32 bits to determine which ioctl(2) commands to run. This issue affects: Canonical snapd versions prior to 2.37.4."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.6"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-628"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://usn.ubuntu.com/3917-1/",
"refsource": "MISC",
"url": "https://usn.ubuntu.com/3917-1/"
},
{
"name": "https://www.exploit-db.com/exploits/46594",
"refsource": "MISC",
"url": "https://www.exploit-db.com/exploits/46594"
}
]
},
"source": {
"defect": [
"https://bugs.launchpad.net/snapd/+bug/1812973"
],
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"assignerShortName": "canonical",
"cveId": "CVE-2019-7303",
"datePublished": "2019-04-23T15:57:32.592636Z",
"dateReserved": "2019-02-01T00:00:00",
"dateUpdated": "2024-09-17T01:46:16.086Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-11503
Vulnerability from cvelistv5
Published
2019-04-24 20:02
Modified
2024-08-04 22:55
Severity ?
EPSS score ?
Summary
snap-confine as included in snapd before 2.39 did not guard against symlink races when performing the chdir() to the current working directory of the calling user, aka a "cwd restore permission bypass."
References
| ▼ | URL | Tags |
|---|---|---|
| https://www.openwall.com/lists/oss-security/2019/04/18/4 | x_refsource_MISC | |
| https://github.com/snapcore/snapd/pull/6642 | x_refsource_MISC | |
| http://www.openwall.com/lists/oss-security/2019/04/25/7 | mailing-list, x_refsource_MLIST | |
| https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6VACEKVQ7UAZ32WO4ZKCFW6YOBSYJ76L/ | vendor-advisory, x_refsource_FEDORA | |
| https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VPU6APEZHAA7N2AI57OT4J2P7NKHFOLM/ | vendor-advisory, x_refsource_FEDORA |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T22:55:40.652Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.openwall.com/lists/oss-security/2019/04/18/4"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/snapcore/snapd/pull/6642"
},
{
"name": "[oss-security] 20190425 Re: Security issues in snapcraft snap-confine set*id binary",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2019/04/25/7"
},
{
"name": "FEDORA-2019-b6612c5fe5",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6VACEKVQ7UAZ32WO4ZKCFW6YOBSYJ76L/"
},
{
"name": "FEDORA-2019-bc3dfb389f",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VPU6APEZHAA7N2AI57OT4J2P7NKHFOLM/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "snap-confine as included in snapd before 2.39 did not guard against symlink races when performing the chdir() to the current working directory of the calling user, aka a \"cwd restore permission bypass.\""
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-07-13T02:06:04",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.openwall.com/lists/oss-security/2019/04/18/4"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/snapcore/snapd/pull/6642"
},
{
"name": "[oss-security] 20190425 Re: Security issues in snapcraft snap-confine set*id binary",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2019/04/25/7"
},
{
"name": "FEDORA-2019-b6612c5fe5",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6VACEKVQ7UAZ32WO4ZKCFW6YOBSYJ76L/"
},
{
"name": "FEDORA-2019-bc3dfb389f",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VPU6APEZHAA7N2AI57OT4J2P7NKHFOLM/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-11503",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "snap-confine as included in snapd before 2.39 did not guard against symlink races when performing the chdir() to the current working directory of the calling user, aka a \"cwd restore permission bypass.\""
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.openwall.com/lists/oss-security/2019/04/18/4",
"refsource": "MISC",
"url": "https://www.openwall.com/lists/oss-security/2019/04/18/4"
},
{
"name": "https://github.com/snapcore/snapd/pull/6642",
"refsource": "MISC",
"url": "https://github.com/snapcore/snapd/pull/6642"
},
{
"name": "[oss-security] 20190425 Re: Security issues in snapcraft snap-confine set*id binary",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2019/04/25/7"
},
{
"name": "FEDORA-2019-b6612c5fe5",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6VACEKVQ7UAZ32WO4ZKCFW6YOBSYJ76L/"
},
{
"name": "FEDORA-2019-bc3dfb389f",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VPU6APEZHAA7N2AI57OT4J2P7NKHFOLM/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-11503",
"datePublished": "2019-04-24T20:02:44",
"dateReserved": "2019-04-24T00:00:00",
"dateUpdated": "2024-08-04T22:55:40.652Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2021-4120
Vulnerability from cvelistv5
Published
2022-02-17 22:15
Modified
2024-08-03 17:16
Severity ?
EPSS score ?
Summary
snapd 2.54.2 fails to perform sufficient validation of snap content interface and layout paths, resulting in the ability for snaps to inject arbitrary AppArmor policy rules via malformed content interface and layout declarations and hence escape strict snap confinement. Fixed in snapd versions 2.54.3+18.04, 2.54.3+20.04 and 2.54.3+21.10.1
References
| ▼ | URL | Tags |
|---|---|---|
| https://ubuntu.com/security/notices/USN-5292-1 | x_refsource_MISC | |
| https://bugs.launchpad.net/snapd/+bug/1949368 | x_refsource_MISC | |
| http://www.openwall.com/lists/oss-security/2022/02/18/2 | mailing-list, x_refsource_MLIST | |
| https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3QTBN7LLZISXIA4KU4UKDR27Q5PXDS2U/ | vendor-advisory, x_refsource_FEDORA | |
| https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XCGHG6LJAVJJ72TMART6A7N4Z6MSTGI7/ | vendor-advisory, x_refsource_FEDORA |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Canonical Ltd. | snapd |
Version: unspecified < |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T17:16:04.197Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://ubuntu.com/security/notices/USN-5292-1"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://bugs.launchpad.net/snapd/+bug/1949368"
},
{
"name": "[oss-security] 20220218 CVE-2021-4120: Insufficient validation of snap content interface and layout paths",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2022/02/18/2"
},
{
"name": "FEDORA-2022-82bea71e5a",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3QTBN7LLZISXIA4KU4UKDR27Q5PXDS2U/"
},
{
"name": "FEDORA-2022-5df8b52ba4",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XCGHG6LJAVJJ72TMART6A7N4Z6MSTGI7/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "snapd",
"vendor": "Canonical Ltd.",
"versions": [
{
"lessThanOrEqual": "2.54.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Ian Johnson"
}
],
"descriptions": [
{
"lang": "en",
"value": "snapd 2.54.2 fails to perform sufficient validation of snap content interface and layout paths, resulting in the ability for snaps to inject arbitrary AppArmor policy rules via malformed content interface and layout declarations and hence escape strict snap confinement. Fixed in snapd versions 2.54.3+18.04, 2.54.3+20.04 and 2.54.3+21.10.1"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-02-20T02:06:22",
"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"shortName": "canonical"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://ubuntu.com/security/notices/USN-5292-1"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://bugs.launchpad.net/snapd/+bug/1949368"
},
{
"name": "[oss-security] 20220218 CVE-2021-4120: Insufficient validation of snap content interface and layout paths",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2022/02/18/2"
},
{
"name": "FEDORA-2022-82bea71e5a",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3QTBN7LLZISXIA4KU4UKDR27Q5PXDS2U/"
},
{
"name": "FEDORA-2022-5df8b52ba4",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XCGHG6LJAVJJ72TMART6A7N4Z6MSTGI7/"
}
],
"source": {
"defect": [
"https://launchpad.net/bugs/1949368"
],
"discovery": "INTERNAL"
},
"title": "snapd could be made to bypass intended access restrictions through snap content interfaces and layout paths",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@ubuntu.com",
"ID": "CVE-2021-4120",
"STATE": "PUBLIC",
"TITLE": "snapd could be made to bypass intended access restrictions through snap content interfaces and layout paths"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "snapd",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_value": "2.54.2"
}
]
}
}
]
},
"vendor_name": "Canonical Ltd."
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Ian Johnson"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "snapd 2.54.2 fails to perform sufficient validation of snap content interface and layout paths, resulting in the ability for snaps to inject arbitrary AppArmor policy rules via malformed content interface and layout declarations and hence escape strict snap confinement. Fixed in snapd versions 2.54.3+18.04, 2.54.3+20.04 and 2.54.3+21.10.1"
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-20 Improper Input Validation"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://ubuntu.com/security/notices/USN-5292-1",
"refsource": "MISC",
"url": "https://ubuntu.com/security/notices/USN-5292-1"
},
{
"name": "https://bugs.launchpad.net/snapd/+bug/1949368",
"refsource": "MISC",
"url": "https://bugs.launchpad.net/snapd/+bug/1949368"
},
{
"name": "[oss-security] 20220218 CVE-2021-4120: Insufficient validation of snap content interface and layout paths",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2022/02/18/2"
},
{
"name": "FEDORA-2022-82bea71e5a",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3QTBN7LLZISXIA4KU4UKDR27Q5PXDS2U/"
},
{
"name": "FEDORA-2022-5df8b52ba4",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XCGHG6LJAVJJ72TMART6A7N4Z6MSTGI7/"
}
]
},
"source": {
"defect": [
"https://launchpad.net/bugs/1949368"
],
"discovery": "INTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"assignerShortName": "canonical",
"cveId": "CVE-2021-4120",
"datePublished": "2022-02-17T22:15:21",
"dateReserved": "2021-12-14T00:00:00",
"dateUpdated": "2024-08-03T17:16:04.197Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-1724
Vulnerability from cvelistv5
Published
2024-07-25 19:05
Modified
2024-08-01 18:48
Severity ?
EPSS score ?
Summary
In snapd versions prior to 2.62, when using AppArmor for enforcement of
sandbox permissions, snapd failed to restrict writes to the $HOME/bin
path. In Ubuntu, when this path exists, it is automatically added to
the users PATH. An attacker who could convince a user to install a
malicious snap which used the 'home' plug could use this vulnerability
to install arbitrary scripts into the users PATH which may then be run
by the user outside of the expected snap sandbox and hence allow them
to escape confinement.
References
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:canonical:snapd:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "snapd",
"vendor": "canonical",
"versions": [
{
"lessThan": "2.62",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-1724",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-25T19:25:43.941220Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-25T19:28:23.939Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T18:48:21.887Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/snapcore/snapd/commit/aa191f97713de8dc3ce3ac818539f0b976eb8ef6"
},
{
"tags": [
"x_transferred"
],
"url": "https://gld.mcphail.uk/posts/explaining-cve-2024-1724/"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/snapcore/snapd/pull/13689"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"Generated AppArmor policy"
],
"packageName": "snapd",
"platforms": [
"Linux"
],
"product": "snap",
"programFiles": [
"interfaces/builtin/home.go"
],
"programRoutines": [
{
"name": "homeConnectedPlugAppArmor"
}
],
"repo": "https://github.com/snapcore/snapd/",
"vendor": "Canonical",
"versions": [
{
"lessThan": "2.62",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Neil McPhail"
}
],
"datePublic": "2024-03-13T08:27:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "In snapd versions prior to 2.62, when using AppArmor for enforcement of \nsandbox permissions, snapd failed to restrict writes to the $HOME/bin\npath. In Ubuntu, when this path exists, it is automatically added to\nthe users PATH. An attacker who could convince a user to install a\nmalicious snap which used the \u0027home\u0027 plug could use this vulnerability\nto install arbitrary scripts into the users PATH which may then be run\nby the user outside of the expected snap sandbox and hence allow them\nto escape confinement."
}
],
"impacts": [
{
"capecId": "CAPEC-1",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-732",
"description": "CWE-732 Incorrect Permission Assignment for Critical Resource",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-25T19:13:07.140Z",
"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"shortName": "canonical"
},
"references": [
{
"url": "https://github.com/snapcore/snapd/commit/aa191f97713de8dc3ce3ac818539f0b976eb8ef6"
},
{
"url": "https://gld.mcphail.uk/posts/explaining-cve-2024-1724/"
},
{
"url": "https://github.com/snapcore/snapd/pull/13689"
}
],
"title": "snapd allows $HOME/bin symlink"
}
},
"cveMetadata": {
"assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"assignerShortName": "canonical",
"cveId": "CVE-2024-1724",
"datePublished": "2024-07-25T19:05:23.299Z",
"dateReserved": "2024-02-21T19:46:47.236Z",
"dateUpdated": "2024-08-01T18:48:21.887Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2021-44730
Vulnerability from cvelistv5
Published
2022-02-17 22:15
Modified
2024-08-04 04:32
Severity ?
EPSS score ?
Summary
snapd 2.54.2 did not properly validate the location of the snap-confine binary. A local attacker who can hardlink this binary to another location to cause snap-confine to execute other arbitrary binaries and hence gain privilege escalation. Fixed in snapd versions 2.54.3+18.04, 2.54.3+20.04 and 2.54.3+21.10.1
References
| ▼ | URL | Tags |
|---|---|---|
| https://ubuntu.com/security/notices/USN-5292-1 | x_refsource_MISC | |
| http://www.openwall.com/lists/oss-security/2022/02/18/2 | mailing-list, x_refsource_MLIST | |
| https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3QTBN7LLZISXIA4KU4UKDR27Q5PXDS2U/ | vendor-advisory, x_refsource_FEDORA | |
| https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XCGHG6LJAVJJ72TMART6A7N4Z6MSTGI7/ | vendor-advisory, x_refsource_FEDORA | |
| https://www.debian.org/security/2022/dsa-5080 | vendor-advisory, x_refsource_DEBIAN | |
| http://www.openwall.com/lists/oss-security/2022/02/23/1 | mailing-list, x_refsource_MLIST |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Canonical Ltd. | snapd |
Version: unspecified < |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T04:32:12.268Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://ubuntu.com/security/notices/USN-5292-1"
},
{
"name": "[oss-security] 20220218 CVE-2021-4120: Insufficient validation of snap content interface and layout paths",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2022/02/18/2"
},
{
"name": "FEDORA-2022-82bea71e5a",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3QTBN7LLZISXIA4KU4UKDR27Q5PXDS2U/"
},
{
"name": "FEDORA-2022-5df8b52ba4",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XCGHG6LJAVJJ72TMART6A7N4Z6MSTGI7/"
},
{
"name": "DSA-5080",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2022/dsa-5080"
},
{
"name": "[oss-security] 20220223 Re: CVE-2021-44731: Race condition in snap-confine\u0027s setup_private_mount()",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2022/02/23/1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "snapd",
"vendor": "Canonical Ltd.",
"versions": [
{
"lessThanOrEqual": "2.54.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Qualys Research Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "snapd 2.54.2 did not properly validate the location of the snap-confine binary. A local attacker who can hardlink this binary to another location to cause snap-confine to execute other arbitrary binaries and hence gain privilege escalation. Fixed in snapd versions 2.54.3+18.04, 2.54.3+20.04 and 2.54.3+21.10.1"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-59",
"description": "CWE-59 Improper Link Resolution Before File Access (\u0027Link Following\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-02-23T12:06:05",
"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"shortName": "canonical"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://ubuntu.com/security/notices/USN-5292-1"
},
{
"name": "[oss-security] 20220218 CVE-2021-4120: Insufficient validation of snap content interface and layout paths",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2022/02/18/2"
},
{
"name": "FEDORA-2022-82bea71e5a",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3QTBN7LLZISXIA4KU4UKDR27Q5PXDS2U/"
},
{
"name": "FEDORA-2022-5df8b52ba4",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XCGHG6LJAVJJ72TMART6A7N4Z6MSTGI7/"
},
{
"name": "DSA-5080",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2022/dsa-5080"
},
{
"name": "[oss-security] 20220223 Re: CVE-2021-44731: Race condition in snap-confine\u0027s setup_private_mount()",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2022/02/23/1"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "snapd could be made to escalate privileges and run programs as administrator",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@ubuntu.com",
"ID": "CVE-2021-44730",
"STATE": "PUBLIC",
"TITLE": "snapd could be made to escalate privileges and run programs as administrator"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "snapd",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_value": "2.54.2"
}
]
}
}
]
},
"vendor_name": "Canonical Ltd."
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Qualys Research Team"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "snapd 2.54.2 did not properly validate the location of the snap-confine binary. A local attacker who can hardlink this binary to another location to cause snap-confine to execute other arbitrary binaries and hence gain privilege escalation. Fixed in snapd versions 2.54.3+18.04, 2.54.3+20.04 and 2.54.3+21.10.1"
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-59 Improper Link Resolution Before File Access (\u0027Link Following\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://ubuntu.com/security/notices/USN-5292-1",
"refsource": "MISC",
"url": "https://ubuntu.com/security/notices/USN-5292-1"
},
{
"name": "[oss-security] 20220218 CVE-2021-4120: Insufficient validation of snap content interface and layout paths",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2022/02/18/2"
},
{
"name": "FEDORA-2022-82bea71e5a",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3QTBN7LLZISXIA4KU4UKDR27Q5PXDS2U/"
},
{
"name": "FEDORA-2022-5df8b52ba4",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XCGHG6LJAVJJ72TMART6A7N4Z6MSTGI7/"
},
{
"name": "DSA-5080",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2022/dsa-5080"
},
{
"name": "[oss-security] 20220223 Re: CVE-2021-44731: Race condition in snap-confine\u0027s setup_private_mount()",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2022/02/23/1"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"assignerShortName": "canonical",
"cveId": "CVE-2021-44730",
"datePublished": "2022-02-17T22:15:18",
"dateReserved": "2021-12-08T00:00:00",
"dateUpdated": "2024-08-04T04:32:12.268Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-29068
Vulnerability from cvelistv5
Published
2024-07-25 19:28
Modified
2024-08-02 01:03
Severity ?
EPSS score ?
Summary
In snapd versions prior to 2.62, snapd failed to properly check the file
type when extracting a snap. The snap format is a squashfs file-system
image and so can contain files that are non-regular files (such as pipes
or sockets etc). Various file entries within the snap squashfs image
(such as icons etc) are directly read by snapd when it is extracted. An
attacker who could convince a user to install a malicious snap which
contained non-regular files at these paths could then cause snapd to block
indefinitely trying to read from such files and cause a denial of service.
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-29068",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-25T20:21:23.846363Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-25T20:21:43.831Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:03:51.709Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/snapcore/snapd/commit/b66fee81606a1c05f965a876ccbaf44174194063"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/snapcore/snapd/pull/13682"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"squashfs"
],
"packageName": "snapd",
"platforms": [
"Linux"
],
"product": "snapd",
"programFiles": [
"snap/container.go",
"snap/snapdir/snapdir.go",
"snap/squashfs/squashfs.go"
],
"repo": "https://github.com/snapcore/snapd/",
"vendor": "Canonical",
"versions": [
{
"lessThan": "2.62",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Zeyad Gouda"
}
],
"datePublic": "2024-03-14T13:47:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "In snapd versions prior to 2.62, snapd failed to properly check the file\ntype when extracting a snap. The snap format is a squashfs file-system\nimage and so can contain files that are non-regular files (such as pipes \nor sockets etc). Various file entries within the snap squashfs image\n(such as icons etc) are directly read by snapd when it is extracted. An \nattacker who could convince a user to install a malicious snap which\ncontained non-regular files at these paths could then cause snapd to block\nindefinitely trying to read from such files and cause a denial of service."
}
],
"impacts": [
{
"capecId": "CAPEC-586",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-586 Object Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-25T19:28:05.480Z",
"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"shortName": "canonical"
},
"references": [
{
"url": "https://github.com/snapcore/snapd/commit/b66fee81606a1c05f965a876ccbaf44174194063"
},
{
"url": "https://github.com/snapcore/snapd/pull/13682"
}
],
"title": "snapd non-regular file indefinite blocking read"
}
},
"cveMetadata": {
"assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"assignerShortName": "canonical",
"cveId": "CVE-2024-29068",
"datePublished": "2024-07-25T19:28:05.480Z",
"dateReserved": "2024-03-14T23:09:12.771Z",
"dateUpdated": "2024-08-02T01:03:51.709Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2020-11933
Vulnerability from cvelistv5
Published
2020-07-29 16:25
Modified
2024-09-17 00:40
Severity ?
EPSS score ?
Summary
cloud-init as managed by snapd on Ubuntu Core 16 and Ubuntu Core 18 devices was run without restrictions on every boot, which a physical attacker could exploit by crafting cloud-init user-data/meta-data via external media to perform arbitrary changes on the device to bypass intended security mechanisms such as full disk encryption. This issue did not affect traditional Ubuntu systems. Fixed in snapd version 2.45.2, revision 8539 and core version 2.45.2, revision 9659.
References
| ▼ | URL | Tags |
|---|---|---|
| https://launchpad.net/bugs/1879530 | x_refsource_CONFIRM | |
| https://ubuntu.com/USN-4424-1 | x_refsource_CONFIRM |
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T11:42:00.821Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://launchpad.net/bugs/1879530"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://ubuntu.com/USN-4424-1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "snapd",
"vendor": "Canonical",
"versions": [
{
"lessThan": "2.45.2, revision 8539",
"status": "affected",
"version": "2.45.2",
"versionType": "custom"
}
]
},
{
"product": "core",
"vendor": "Canonical",
"versions": [
{
"lessThan": "2.45.2, revision 9659",
"status": "affected",
"version": "2.45.2",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Ian Johnson"
}
],
"datePublic": "2020-05-19T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "cloud-init as managed by snapd on Ubuntu Core 16 and Ubuntu Core 18 devices was run without restrictions on every boot, which a physical attacker could exploit by crafting cloud-init user-data/meta-data via external media to perform arbitrary changes on the device to bypass intended security mechanisms such as full disk encryption. This issue did not affect traditional Ubuntu systems. Fixed in snapd version 2.45.2, revision 8539 and core version 2.45.2, revision 9659."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"availabilityImpact": "NONE",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-264",
"description": "CWE-264 Permissions, Privileges, and Access Controls",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-07-29T16:25:25",
"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"shortName": "canonical"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://launchpad.net/bugs/1879530"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://ubuntu.com/USN-4424-1"
}
],
"source": {
"advisory": "https://ubuntu.com/USN-4424-1",
"defect": [
"https://launchpad.net/bugs/1879530"
],
"discovery": "INTERNAL"
},
"title": "local snapd exploit through cloud-init",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"AKA": "",
"ASSIGNER": "security@ubuntu.com",
"DATE_PUBLIC": "2020-05-19T16:34:00.000Z",
"ID": "CVE-2020-11933",
"STATE": "PUBLIC",
"TITLE": "local snapd exploit through cloud-init"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "snapd",
"version": {
"version_data": [
{
"platform": "",
"version_affected": "\u003c",
"version_name": "2.45.2",
"version_value": "2.45.2, revision 8539"
}
]
}
},
{
"product_name": "core",
"version": {
"version_data": [
{
"platform": "",
"version_affected": "\u003c",
"version_name": "2.45.2",
"version_value": "2.45.2, revision 9659"
}
]
}
}
]
},
"vendor_name": "Canonical"
}
]
}
},
"configuration": [],
"credit": [
{
"lang": "eng",
"value": "Ian Johnson"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "cloud-init as managed by snapd on Ubuntu Core 16 and Ubuntu Core 18 devices was run without restrictions on every boot, which a physical attacker could exploit by crafting cloud-init user-data/meta-data via external media to perform arbitrary changes on the device to bypass intended security mechanisms such as full disk encryption. This issue did not affect traditional Ubuntu systems. Fixed in snapd version 2.45.2, revision 8539 and core version 2.45.2, revision 9659."
}
]
},
"exploit": [],
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"availabilityImpact": "NONE",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-264 Permissions, Privileges, and Access Controls"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://launchpad.net/bugs/1879530",
"refsource": "CONFIRM",
"url": "https://launchpad.net/bugs/1879530"
},
{
"name": "https://ubuntu.com/USN-4424-1",
"refsource": "CONFIRM",
"url": "https://ubuntu.com/USN-4424-1"
}
]
},
"solution": [],
"source": {
"advisory": "https://ubuntu.com/USN-4424-1",
"defect": [
"https://launchpad.net/bugs/1879530"
],
"discovery": "INTERNAL"
},
"work_around": []
}
}
},
"cveMetadata": {
"assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"assignerShortName": "canonical",
"cveId": "CVE-2020-11933",
"datePublished": "2020-07-29T16:25:25.690070Z",
"dateReserved": "2020-04-20T00:00:00",
"dateUpdated": "2024-09-17T00:40:28.129Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-29069
Vulnerability from cvelistv5
Published
2024-07-25 19:39
Modified
2024-08-02 01:03
Severity ?
EPSS score ?
Summary
In snapd versions prior to 2.62, snapd failed to properly check the
destination of symbolic links when extracting a snap. The snap format
is a squashfs file-system image and so can contain symbolic links and
other file types. Various file entries within the snap squashfs image
(such as icons and desktop files etc) are directly read by snapd when
it is extracted. An attacker who could convince a user to install a
malicious snap which contained symbolic links at these paths could then
cause snapd to write out the contents of the symbolic link destination
into a world-readable directory. This in-turn could allow an unprivileged
user to gain access to privileged information.
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-29069",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-26T13:27:42.541639Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-26T13:27:49.253Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:03:51.700Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/snapcore/snapd/pull/13682"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"squashfs"
],
"packageName": "snapd",
"platforms": [
"Linux"
],
"product": "snapd",
"programFiles": [
"snap/container.go",
"snap/snapdir/snapdir.go",
"snap/squashfs/squashfs.go"
],
"repo": "https://github.com/snapcore/snapd/",
"vendor": "Canonical",
"versions": [
{
"lessThan": "2.62",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Zeyad Gouda"
}
],
"datePublic": "2024-03-14T13:47:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "In snapd versions prior to 2.62, snapd failed to properly check the\ndestination of symbolic links when extracting a snap. The snap format \nis a squashfs file-system image and so can contain symbolic links and\nother file types. Various file entries within the snap squashfs image\n(such as icons and desktop files etc) are directly read by snapd when\nit is extracted. An attacker who could convince a user to install a\nmalicious snap which contained symbolic links at these paths could then \ncause snapd to write out the contents of the symbolic link destination\ninto a world-readable directory. This in-turn could allow an unprivileged\nuser to gain access to privileged information."
}
],
"impacts": [
{
"capecId": "CAPEC-132",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-132 Symlink Attack"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-610",
"description": "CWE-610 Externally Controlled Reference to a Resource in Another Sphere",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-25T19:39:41.050Z",
"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"shortName": "canonical"
},
"references": [
{
"url": "https://github.com/snapcore/snapd/pull/13682"
}
],
"title": "snapd will follow archived symlinks when unpacking a filesystem"
}
},
"cveMetadata": {
"assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"assignerShortName": "canonical",
"cveId": "CVE-2024-29069",
"datePublished": "2024-07-25T19:39:41.050Z",
"dateReserved": "2024-03-14T23:09:12.771Z",
"dateUpdated": "2024-08-02T01:03:51.700Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}