
6 vulnerabilities found for aptdaemon by Canonical

CVE-2020-27349 (GCVE-0-2020-27349)

Vulnerability from nvd – Published: 2020-12-09 03:35 – Updated: 2024-09-16 18:50
Title
aptdaemon performed policykit permissions checks too late
Summary
Aptdaemon performed policykit checks after interacting with potentially untrusted files with elevated privileges. This affected versions prior to 1.1.1+bzr982-0ubuntu34.1, 1.1.1+bzr982-0ubuntu32.3, 1.1.1+bzr982-0ubuntu19.5, 1.1.1+bzr982-0ubuntu14.5.
Severity ?
No CVSS data available.
CWE
  • CWE-862 - Missing Authorization
Assigner
Impacted products
Vendor Product Version
Canonical aptdaemon Affected: 1.1.1+bzr982-0ubuntu14 , < 1.1.1+bzr982-0ubuntu14.5 (custom)
Affected: 1.1.1+bzr982-0ubuntu19 , < 1.1.1+bzr982-0ubuntu19.5 (custom)
Affected: 1.1.1+bzr982-0ubuntu32 , < 1.1.1+bzr982-0ubuntu32.3 (custom)
Affected: 1.1.1+bzr982-0ubuntu34 , < 1.1.1+bzr982-0ubuntu34.1 (custom)
Date Public ?
2020-12-08 00:00
Credits
Kevin Backhouse and Julian Andres Klode

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T16:11:36.584Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://usn.ubuntu.com/usn/usn-4664-1"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1899193"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "aptdaemon",
          "vendor": "Canonical",
          "versions": [
            {
              "lessThan": "1.1.1+bzr982-0ubuntu14.5",
              "status": "affected",
              "version": "1.1.1+bzr982-0ubuntu14",
              "versionType": "custom"
            },
            {
              "lessThan": "1.1.1+bzr982-0ubuntu19.5",
              "status": "affected",
              "version": "1.1.1+bzr982-0ubuntu19",
              "versionType": "custom"
            },
            {
              "lessThan": "1.1.1+bzr982-0ubuntu32.3",
              "status": "affected",
              "version": "1.1.1+bzr982-0ubuntu32",
              "versionType": "custom"
            },
            {
              "lessThan": "1.1.1+bzr982-0ubuntu34.1",
              "status": "affected",
              "version": "1.1.1+bzr982-0ubuntu34",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Kevin Backhouse and Julian Andres Klode"
        }
      ],
      "datePublic": "2020-12-08T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "Aptdaemon performed policykit checks after interacting with potentially untrusted files with elevated privileges. This affected versions prior to 1.1.1+bzr982-0ubuntu34.1, 1.1.1+bzr982-0ubuntu32.3, 1.1.1+bzr982-0ubuntu19.5, 1.1.1+bzr982-0ubuntu14.5."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862 Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-12-09T03:35:17.000Z",
        "orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
        "shortName": "canonical"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://usn.ubuntu.com/usn/usn-4664-1"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1899193"
        }
      ],
      "source": {
        "advisory": "https://usn.ubuntu.com/usn/usn-4664-1",
        "defect": [
          "https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1899193"
        ],
        "discovery": "EXTERNAL"
      },
      "title": "aptdaemon performed policykit permissions checks too late",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@ubuntu.com",
          "DATE_PUBLIC": "2020-12-08T00:00:00.000Z",
          "ID": "CVE-2020-27349",
          "STATE": "PUBLIC",
          "TITLE": "aptdaemon performed policykit permissions checks too late"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "aptdaemon",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_name": "1.1.1+bzr982-0ubuntu14",
                            "version_value": "1.1.1+bzr982-0ubuntu14.5"
                          },
                          {
                            "version_affected": "\u003c",
                            "version_name": "1.1.1+bzr982-0ubuntu19",
                            "version_value": "1.1.1+bzr982-0ubuntu19.5"
                          },
                          {
                            "version_affected": "\u003c",
                            "version_name": "1.1.1+bzr982-0ubuntu32",
                            "version_value": "1.1.1+bzr982-0ubuntu32.3"
                          },
                          {
                            "version_affected": "\u003c",
                            "version_name": "1.1.1+bzr982-0ubuntu34",
                            "version_value": "1.1.1+bzr982-0ubuntu34.1"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Canonical"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Kevin Backhouse and Julian Andres Klode"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Aptdaemon performed policykit checks after interacting with potentially untrusted files with elevated privileges. This affected versions prior to 1.1.1+bzr982-0ubuntu34.1, 1.1.1+bzr982-0ubuntu32.3, 1.1.1+bzr982-0ubuntu19.5, 1.1.1+bzr982-0ubuntu14.5."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-862 Missing Authorization"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://usn.ubuntu.com/usn/usn-4664-1",
              "refsource": "MISC",
              "url": "https://usn.ubuntu.com/usn/usn-4664-1"
            },
            {
              "name": "https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1899193",
              "refsource": "MISC",
              "url": "https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1899193"
            }
          ]
        },
        "source": {
          "advisory": "https://usn.ubuntu.com/usn/usn-4664-1",
          "defect": [
            "https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1899193"
          ],
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
    "assignerShortName": "canonical",
    "cveId": "CVE-2020-27349",
    "datePublished": "2020-12-09T03:35:17.337Z",
    "dateReserved": "2020-10-20T00:00:00.000Z",
    "dateUpdated": "2024-09-16T18:50:26.180Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2020-16128 (GCVE-0-2020-16128)

Vulnerability from nvd – Published: 2020-12-09 03:35 – Updated: 2024-09-16 16:24
Title
Aptdaemon error messages disclosed file existence to unprivileged users via dbus properties
Summary
The aptdaemon DBus interface allowed file existence disclosure by setting Terminal/DebconfSocket properties, aka GHSL-2020-192 and GHSL-2020-196. This affected versions prior to 1.1.1+bzr982-0ubuntu34.1, 1.1.1+bzr982-0ubuntu32.3, 1.1.1+bzr982-0ubuntu19.5, 1.1.1+bzr982-0ubuntu14.5.
CWE
  • CWE-209 - Information Exposure Through an Error Message
Assigner
Impacted products
Vendor Product Version
Canonical aptdaemon Affected: 1.1.1+bzr982-0ubuntu14 , < 1.1.1+bzr982-0ubuntu14.5 (custom)
Affected: 1.1.1+bzr982-0ubuntu19 , < 1.1.1+bzr982-0ubuntu19.5 (custom)
Affected: 1.1.1+bzr982-0ubuntu32 , < 1.1.1+bzr982-0ubuntu32.3 (custom)
Affected: 1.1.1+bzr982-0ubuntu34 , < 1.1.1+bzr982-0ubuntu34.1 (custom)
Date Public ?
2020-12-08 00:00
Credits
Kevin Backhouse

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T13:37:53.414Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://usn.ubuntu.com/usn/usn-4664-1"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://bugs.launchpad.net/ubuntu/+source/aptdaemon/+bug/1899513"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "aptdaemon",
          "vendor": "Canonical",
          "versions": [
            {
              "lessThan": "1.1.1+bzr982-0ubuntu14.5",
              "status": "affected",
              "version": "1.1.1+bzr982-0ubuntu14",
              "versionType": "custom"
            },
            {
              "lessThan": "1.1.1+bzr982-0ubuntu19.5",
              "status": "affected",
              "version": "1.1.1+bzr982-0ubuntu19",
              "versionType": "custom"
            },
            {
              "lessThan": "1.1.1+bzr982-0ubuntu32.3",
              "status": "affected",
              "version": "1.1.1+bzr982-0ubuntu32",
              "versionType": "custom"
            },
            {
              "lessThan": "1.1.1+bzr982-0ubuntu34.1",
              "status": "affected",
              "version": "1.1.1+bzr982-0ubuntu34",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Kevin Backhouse"
        }
      ],
      "datePublic": "2020-12-08T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "The aptdaemon DBus interface disclosed file existence disclosure by setting Terminal/DebconfSocket properties, aka GHSL-2020-192 and GHSL-2020-196. This affected versions prior to 1.1.1+bzr982-0ubuntu34.1, 1.1.1+bzr982-0ubuntu32.3, 1.1.1+bzr982-0ubuntu19.5, 1.1.1+bzr982-0ubuntu14.5."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 3.8,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-209",
              "description": "CWE-209 Information Exposure Through an Error Message",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-12-09T03:35:16.000Z",
        "orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
        "shortName": "canonical"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://usn.ubuntu.com/usn/usn-4664-1"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://bugs.launchpad.net/ubuntu/+source/aptdaemon/+bug/1899513"
        }
      ],
      "source": {
        "advisory": "https://usn.ubuntu.com/usn/usn-4664-1",
        "defect": [
          "https://bugs.launchpad.net/ubuntu/+source/aptdaemon/+bug/1899513"
        ],
        "discovery": "EXTERNAL"
      },
      "title": "Aptdaemon error messages disclosed file existence to unprivileged users via dbus properties",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@ubuntu.com",
          "DATE_PUBLIC": "2020-12-08T00:00:00.000Z",
          "ID": "CVE-2020-16128",
          "STATE": "PUBLIC",
          "TITLE": "Aptdaemon error messages disclosed file existence to unprivileged users via dbus properties"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "aptdaemon",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_name": "1.1.1+bzr982-0ubuntu14",
                            "version_value": "1.1.1+bzr982-0ubuntu14.5"
                          },
                          {
                            "version_affected": "\u003c",
                            "version_name": "1.1.1+bzr982-0ubuntu19",
                            "version_value": "1.1.1+bzr982-0ubuntu19.5"
                          },
                          {
                            "version_affected": "\u003c",
                            "version_name": "1.1.1+bzr982-0ubuntu32",
                            "version_value": "1.1.1+bzr982-0ubuntu32.3"
                          },
                          {
                            "version_affected": "\u003c",
                            "version_name": "1.1.1+bzr982-0ubuntu34",
                            "version_value": "1.1.1+bzr982-0ubuntu34.1"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Canonical"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Kevin Backhouse"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The aptdaemon DBus interface disclosed file existence disclosure by setting Terminal/DebconfSocket properties, aka GHSL-2020-192 and GHSL-2020-196. This affected versions prior to 1.1.1+bzr982-0ubuntu34.1, 1.1.1+bzr982-0ubuntu32.3, 1.1.1+bzr982-0ubuntu19.5, 1.1.1+bzr982-0ubuntu14.5."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 3.8,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-209 Information Exposure Through an Error Message"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://usn.ubuntu.com/usn/usn-4664-1",
              "refsource": "MISC",
              "url": "https://usn.ubuntu.com/usn/usn-4664-1"
            },
            {
              "name": "https://bugs.launchpad.net/ubuntu/+source/aptdaemon/+bug/1899513",
              "refsource": "MISC",
              "url": "https://bugs.launchpad.net/ubuntu/+source/aptdaemon/+bug/1899513"
            }
          ]
        },
        "source": {
          "advisory": "https://usn.ubuntu.com/usn/usn-4664-1",
          "defect": [
            "https://bugs.launchpad.net/ubuntu/+source/aptdaemon/+bug/1899513"
          ],
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
    "assignerShortName": "canonical",
    "cveId": "CVE-2020-16128",
    "datePublished": "2020-12-09T03:35:16.896Z",
    "dateReserved": "2020-07-29T00:00:00.000Z",
    "dateUpdated": "2024-09-16T16:24:15.489Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2020-15703 (GCVE-0-2020-15703)

Vulnerability from nvd – Published: 2020-10-31 03:45 – Updated: 2024-09-16 22:01
Title
aptdaemon allows unprivileged users to test for the presence of local files via the transaction Locale property
Summary
There is no input validation on the Locale property in an apt transaction. An unprivileged user can supply a full path to a writable directory, which lets aptd read a file as root. Having a symlink in place results in an error message if the file exists, and no error otherwise. This way an unprivileged user can check for the existence of any files on the system as root.
CWE
  • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
Impacted products
Vendor Product Version
Canonical aptdaemon Affected: unspecified , < 1.1.1+bzr982-0ubuntu32.2 (custom)
Affected: unspecified , < 1.1.1+bzr982-0ubuntu19.4 (custom)
Affected: unspecified , < 1.1.1+bzr982-0ubuntu14.4 (custom)
Date Public ?
2020-09-24 00:00
Credits
Vaisha Bernard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T13:22:30.809Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.eyecontrol.nl/blog/the-story-of-3-cves-in-ubuntu-desktop.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://ubuntu.com/security/notices/USN-4537-1"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "aptdaemon",
          "vendor": "Canonical",
          "versions": [
            {
              "lessThan": "1.1.1+bzr982-0ubuntu32.2",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            },
            {
              "lessThan": "1.1.1+bzr982-0ubuntu19.4",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            },
            {
              "lessThan": "1.1.1+bzr982-0ubuntu14.4",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Vaisha Bernard"
        }
      ],
      "datePublic": "2020-09-24T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "There is no input validation on the Locale property in an apt transaction. An unprivileged user can supply a full path to a writable directory, which lets aptd read a file as root. Having a symlink in place results in an error message if the file exists, and no error otherwise. This way an unprivileged user can check for the existence of any files on the system as root."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-10-31T03:45:19.000Z",
        "orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
        "shortName": "canonical"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.eyecontrol.nl/blog/the-story-of-3-cves-in-ubuntu-desktop.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://ubuntu.com/security/notices/USN-4537-1"
        }
      ],
      "source": {
        "advisory": "https://ubuntu.com/security/notices/USN-4537-1",
        "defect": [
          "https://bugs.launchpad.net/ubuntu/+source/aptdaemon/+bug/1888235"
        ],
        "discovery": "EXTERNAL"
      },
      "title": "aptdaemon allows unprivileged users to test for the presence of local files via the transaction Locale property",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@ubuntu.com",
          "DATE_PUBLIC": "2020-09-24T00:00:00.000Z",
          "ID": "CVE-2020-15703",
          "STATE": "PUBLIC",
          "TITLE": "aptdaemon allows unprivileged users to test for the presence of local files via the transaction Locale property"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "aptdaemon",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_value": "1.1.1+bzr982-0ubuntu32.2"
                          },
                          {
                            "version_affected": "\u003c",
                            "version_value": "1.1.1+bzr982-0ubuntu19.4"
                          },
                          {
                            "version_affected": "\u003c",
                            "version_value": "1.1.1+bzr982-0ubuntu14.4"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Canonical"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Vaisha Bernard"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "There is no input validation on the Locale property in an apt transaction. An unprivileged user can supply a full path to a writable directory, which lets aptd read a file as root. Having a symlink in place results in an error message if the file exists, and no error otherwise. This way an unprivileged user can check for the existence of any files on the system as root."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.eyecontrol.nl/blog/the-story-of-3-cves-in-ubuntu-desktop.html",
              "refsource": "MISC",
              "url": "https://www.eyecontrol.nl/blog/the-story-of-3-cves-in-ubuntu-desktop.html"
            },
            {
              "name": "https://ubuntu.com/security/notices/USN-4537-1",
              "refsource": "MISC",
              "url": "https://ubuntu.com/security/notices/USN-4537-1"
            }
          ]
        },
        "source": {
          "advisory": "https://ubuntu.com/security/notices/USN-4537-1",
          "defect": [
            "https://bugs.launchpad.net/ubuntu/+source/aptdaemon/+bug/1888235"
          ],
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
    "assignerShortName": "canonical",
    "cveId": "CVE-2020-15703",
    "datePublished": "2020-10-31T03:45:19.526Z",
    "dateReserved": "2020-07-14T00:00:00.000Z",
    "dateUpdated": "2024-09-16T22:01:51.102Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2020-27349 (GCVE-0-2020-27349)

Vulnerability from cvelistv5 – Published: 2020-12-09 03:35 – Updated: 2024-09-16 18:50
Title
aptdaemon performed policykit permissions checks too late
Summary
Aptdaemon performed policykit checks after interacting with potentially untrusted files with elevated privileges. This affected versions prior to 1.1.1+bzr982-0ubuntu34.1, 1.1.1+bzr982-0ubuntu32.3, 1.1.1+bzr982-0ubuntu19.5, 1.1.1+bzr982-0ubuntu14.5.
Severity ?
No CVSS data available.
CWE
  • CWE-862 - Missing Authorization
Assigner
Impacted products
Vendor Product Version
Canonical aptdaemon Affected: 1.1.1+bzr982-0ubuntu14 , < 1.1.1+bzr982-0ubuntu14.5 (custom)
Affected: 1.1.1+bzr982-0ubuntu19 , < 1.1.1+bzr982-0ubuntu19.5 (custom)
Affected: 1.1.1+bzr982-0ubuntu32 , < 1.1.1+bzr982-0ubuntu32.3 (custom)
Affected: 1.1.1+bzr982-0ubuntu34 , < 1.1.1+bzr982-0ubuntu34.1 (custom)
Date Public ?
2020-12-08 00:00
Credits
Kevin Backhouse and Julian Andres Klode

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T16:11:36.584Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://usn.ubuntu.com/usn/usn-4664-1"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1899193"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "aptdaemon",
          "vendor": "Canonical",
          "versions": [
            {
              "lessThan": "1.1.1+bzr982-0ubuntu14.5",
              "status": "affected",
              "version": "1.1.1+bzr982-0ubuntu14",
              "versionType": "custom"
            },
            {
              "lessThan": "1.1.1+bzr982-0ubuntu19.5",
              "status": "affected",
              "version": "1.1.1+bzr982-0ubuntu19",
              "versionType": "custom"
            },
            {
              "lessThan": "1.1.1+bzr982-0ubuntu32.3",
              "status": "affected",
              "version": "1.1.1+bzr982-0ubuntu32",
              "versionType": "custom"
            },
            {
              "lessThan": "1.1.1+bzr982-0ubuntu34.1",
              "status": "affected",
              "version": "1.1.1+bzr982-0ubuntu34",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Kevin Backhouse and Julian Andres Klode"
        }
      ],
      "datePublic": "2020-12-08T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "Aptdaemon performed policykit checks after interacting with potentially untrusted files with elevated privileges. This affected versions prior to 1.1.1+bzr982-0ubuntu34.1, 1.1.1+bzr982-0ubuntu32.3, 1.1.1+bzr982-0ubuntu19.5, 1.1.1+bzr982-0ubuntu14.5."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862 Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-12-09T03:35:17.000Z",
        "orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
        "shortName": "canonical"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://usn.ubuntu.com/usn/usn-4664-1"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1899193"
        }
      ],
      "source": {
        "advisory": "https://usn.ubuntu.com/usn/usn-4664-1",
        "defect": [
          "https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1899193"
        ],
        "discovery": "EXTERNAL"
      },
      "title": "aptdaemon performed policykit permissions checks too late",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@ubuntu.com",
          "DATE_PUBLIC": "2020-12-08T00:00:00.000Z",
          "ID": "CVE-2020-27349",
          "STATE": "PUBLIC",
          "TITLE": "aptdaemon performed policykit permissions checks too late"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "aptdaemon",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_name": "1.1.1+bzr982-0ubuntu14",
                            "version_value": "1.1.1+bzr982-0ubuntu14.5"
                          },
                          {
                            "version_affected": "\u003c",
                            "version_name": "1.1.1+bzr982-0ubuntu19",
                            "version_value": "1.1.1+bzr982-0ubuntu19.5"
                          },
                          {
                            "version_affected": "\u003c",
                            "version_name": "1.1.1+bzr982-0ubuntu32",
                            "version_value": "1.1.1+bzr982-0ubuntu32.3"
                          },
                          {
                            "version_affected": "\u003c",
                            "version_name": "1.1.1+bzr982-0ubuntu34",
                            "version_value": "1.1.1+bzr982-0ubuntu34.1"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Canonical"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Kevin Backhouse and Julian Andres Klode"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Aptdaemon performed policykit checks after interacting with potentially untrusted files with elevated privileges. This affected versions prior to 1.1.1+bzr982-0ubuntu34.1, 1.1.1+bzr982-0ubuntu32.3, 1.1.1+bzr982-0ubuntu19.5, 1.1.1+bzr982-0ubuntu14.5."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-862 Missing Authorization"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://usn.ubuntu.com/usn/usn-4664-1",
              "refsource": "MISC",
              "url": "https://usn.ubuntu.com/usn/usn-4664-1"
            },
            {
              "name": "https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1899193",
              "refsource": "MISC",
              "url": "https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1899193"
            }
          ]
        },
        "source": {
          "advisory": "https://usn.ubuntu.com/usn/usn-4664-1",
          "defect": [
            "https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1899193"
          ],
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
    "assignerShortName": "canonical",
    "cveId": "CVE-2020-27349",
    "datePublished": "2020-12-09T03:35:17.337Z",
    "dateReserved": "2020-10-20T00:00:00.000Z",
    "dateUpdated": "2024-09-16T18:50:26.180Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2020-16128 (GCVE-0-2020-16128)

Vulnerability from cvelistv5 – Published: 2020-12-09 03:35 – Updated: 2024-09-16 16:24
Title
Aptdaemon error messages disclosed file existence to unprivileged users via dbus properties
Summary
The aptdaemon DBus interface disclosed the existence of files when the Terminal/DebconfSocket properties were set, aka GHSL-2020-192 and GHSL-2020-196. This affected versions prior to 1.1.1+bzr982-0ubuntu34.1, 1.1.1+bzr982-0ubuntu32.3, 1.1.1+bzr982-0ubuntu19.5, 1.1.1+bzr982-0ubuntu14.5.
CWE
  • CWE-209 - Information Exposure Through an Error Message
Assigner
Impacted products
Vendor Product Version
Canonical aptdaemon Affected: 1.1.1+bzr982-0ubuntu14 , < 1.1.1+bzr982-0ubuntu14.5 (custom)
Affected: 1.1.1+bzr982-0ubuntu19 , < 1.1.1+bzr982-0ubuntu19.5 (custom)
Affected: 1.1.1+bzr982-0ubuntu32 , < 1.1.1+bzr982-0ubuntu32.3 (custom)
Affected: 1.1.1+bzr982-0ubuntu34 , < 1.1.1+bzr982-0ubuntu34.1 (custom)
Date Public ?
2020-12-08 00:00
Credits
Kevin Backhouse

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T13:37:53.414Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://usn.ubuntu.com/usn/usn-4664-1"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://bugs.launchpad.net/ubuntu/+source/aptdaemon/+bug/1899513"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "aptdaemon",
          "vendor": "Canonical",
          "versions": [
            {
              "lessThan": "1.1.1+bzr982-0ubuntu14.5",
              "status": "affected",
              "version": "1.1.1+bzr982-0ubuntu14",
              "versionType": "custom"
            },
            {
              "lessThan": "1.1.1+bzr982-0ubuntu19.5",
              "status": "affected",
              "version": "1.1.1+bzr982-0ubuntu19",
              "versionType": "custom"
            },
            {
              "lessThan": "1.1.1+bzr982-0ubuntu32.3",
              "status": "affected",
              "version": "1.1.1+bzr982-0ubuntu32",
              "versionType": "custom"
            },
            {
              "lessThan": "1.1.1+bzr982-0ubuntu34.1",
              "status": "affected",
              "version": "1.1.1+bzr982-0ubuntu34",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Kevin Backhouse"
        }
      ],
      "datePublic": "2020-12-08T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "The aptdaemon DBus interface disclosed file existence disclosure by setting Terminal/DebconfSocket properties, aka GHSL-2020-192 and GHSL-2020-196. This affected versions prior to 1.1.1+bzr982-0ubuntu34.1, 1.1.1+bzr982-0ubuntu32.3, 1.1.1+bzr982-0ubuntu19.5, 1.1.1+bzr982-0ubuntu14.5."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 3.8,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-209",
              "description": "CWE-209 Information Exposure Through an Error Message",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-12-09T03:35:16.000Z",
        "orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
        "shortName": "canonical"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://usn.ubuntu.com/usn/usn-4664-1"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://bugs.launchpad.net/ubuntu/+source/aptdaemon/+bug/1899513"
        }
      ],
      "source": {
        "advisory": "https://usn.ubuntu.com/usn/usn-4664-1",
        "defect": [
          "https://bugs.launchpad.net/ubuntu/+source/aptdaemon/+bug/1899513"
        ],
        "discovery": "EXTERNAL"
      },
      "title": "Aptdaemon error messages disclosed file existence to unprivileged users via dbus properties",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@ubuntu.com",
          "DATE_PUBLIC": "2020-12-08T00:00:00.000Z",
          "ID": "CVE-2020-16128",
          "STATE": "PUBLIC",
          "TITLE": "Aptdaemon error messages disclosed file existence to unprivileged users via dbus properties"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "aptdaemon",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_name": "1.1.1+bzr982-0ubuntu14",
                            "version_value": "1.1.1+bzr982-0ubuntu14.5"
                          },
                          {
                            "version_affected": "\u003c",
                            "version_name": "1.1.1+bzr982-0ubuntu19",
                            "version_value": "1.1.1+bzr982-0ubuntu19.5"
                          },
                          {
                            "version_affected": "\u003c",
                            "version_name": "1.1.1+bzr982-0ubuntu32",
                            "version_value": "1.1.1+bzr982-0ubuntu32.3"
                          },
                          {
                            "version_affected": "\u003c",
                            "version_name": "1.1.1+bzr982-0ubuntu34",
                            "version_value": "1.1.1+bzr982-0ubuntu34.1"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Canonical"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Kevin Backhouse"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The aptdaemon DBus interface disclosed file existence disclosure by setting Terminal/DebconfSocket properties, aka GHSL-2020-192 and GHSL-2020-196. This affected versions prior to 1.1.1+bzr982-0ubuntu34.1, 1.1.1+bzr982-0ubuntu32.3, 1.1.1+bzr982-0ubuntu19.5, 1.1.1+bzr982-0ubuntu14.5."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 3.8,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-209 Information Exposure Through an Error Message"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://usn.ubuntu.com/usn/usn-4664-1",
              "refsource": "MISC",
              "url": "https://usn.ubuntu.com/usn/usn-4664-1"
            },
            {
              "name": "https://bugs.launchpad.net/ubuntu/+source/aptdaemon/+bug/1899513",
              "refsource": "MISC",
              "url": "https://bugs.launchpad.net/ubuntu/+source/aptdaemon/+bug/1899513"
            }
          ]
        },
        "source": {
          "advisory": "https://usn.ubuntu.com/usn/usn-4664-1",
          "defect": [
            "https://bugs.launchpad.net/ubuntu/+source/aptdaemon/+bug/1899513"
          ],
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
    "assignerShortName": "canonical",
    "cveId": "CVE-2020-16128",
    "datePublished": "2020-12-09T03:35:16.896Z",
    "dateReserved": "2020-07-29T00:00:00.000Z",
    "dateUpdated": "2024-09-16T16:24:15.489Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2020-15703 (GCVE-0-2020-15703)

Vulnerability from cvelistv5 – Published: 2020-10-31 03:45 – Updated: 2024-09-16 22:01
Title
aptdaemon allows unprivileged users to test for the presence of local files via the transaction Locale property
Summary
There is no input validation on the Locale property in an apt transaction. An unprivileged user can supply a full path to a writable directory, which lets aptd read a file as root. Having a symlink in place results in an error message if the file exists, and no error otherwise. This way an unprivileged user can check for the existence of any files on the system as root.
CWE
  • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
Impacted products
Vendor Product Version
Canonical aptdaemon Affected: unspecified , < 1.1.1+bzr982-0ubuntu32.2 (custom)
Affected: unspecified , < 1.1.1+bzr982-0ubuntu19.4 (custom)
Affected: unspecified , < 1.1.1+bzr982-0ubuntu14.4 (custom)
Date Public ?
2020-09-24 00:00
Credits
Vaisha Bernard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T13:22:30.809Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.eyecontrol.nl/blog/the-story-of-3-cves-in-ubuntu-desktop.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://ubuntu.com/security/notices/USN-4537-1"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "aptdaemon",
          "vendor": "Canonical",
          "versions": [
            {
              "lessThan": "1.1.1+bzr982-0ubuntu32.2",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            },
            {
              "lessThan": "1.1.1+bzr982-0ubuntu19.4",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            },
            {
              "lessThan": "1.1.1+bzr982-0ubuntu14.4",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Vaisha Bernard"
        }
      ],
      "datePublic": "2020-09-24T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "There is no input validation on the Locale property in an apt transaction. An unprivileged user can supply a full path to a writable directory, which lets aptd read a file as root. Having a symlink in place results in an error message if the file exists, and no error otherwise. This way an unprivileged user can check for the existence of any files on the system as root."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-10-31T03:45:19.000Z",
        "orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
        "shortName": "canonical"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.eyecontrol.nl/blog/the-story-of-3-cves-in-ubuntu-desktop.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://ubuntu.com/security/notices/USN-4537-1"
        }
      ],
      "source": {
        "advisory": "https://ubuntu.com/security/notices/USN-4537-1",
        "defect": [
          "https://bugs.launchpad.net/ubuntu/+source/aptdaemon/+bug/1888235"
        ],
        "discovery": "EXTERNAL"
      },
      "title": "aptdaemon allows unprivileged users to test for the presence of local files via the transaction Locale property",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@ubuntu.com",
          "DATE_PUBLIC": "2020-09-24T00:00:00.000Z",
          "ID": "CVE-2020-15703",
          "STATE": "PUBLIC",
          "TITLE": "aptdaemon allows unprivileged users to test for the presence of local files via the transaction Locale property"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "aptdaemon",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_value": "1.1.1+bzr982-0ubuntu32.2"
                          },
                          {
                            "version_affected": "\u003c",
                            "version_value": "1.1.1+bzr982-0ubuntu19.4"
                          },
                          {
                            "version_affected": "\u003c",
                            "version_value": "1.1.1+bzr982-0ubuntu14.4"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Canonical"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Vaisha Bernard"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "There is no input validation on the Locale property in an apt transaction. An unprivileged user can supply a full path to a writable directory, which lets aptd read a file as root. Having a symlink in place results in an error message if the file exists, and no error otherwise. This way an unprivileged user can check for the existence of any files on the system as root."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.eyecontrol.nl/blog/the-story-of-3-cves-in-ubuntu-desktop.html",
              "refsource": "MISC",
              "url": "https://www.eyecontrol.nl/blog/the-story-of-3-cves-in-ubuntu-desktop.html"
            },
            {
              "name": "https://ubuntu.com/security/notices/USN-4537-1",
              "refsource": "MISC",
              "url": "https://ubuntu.com/security/notices/USN-4537-1"
            }
          ]
        },
        "source": {
          "advisory": "https://ubuntu.com/security/notices/USN-4537-1",
          "defect": [
            "https://bugs.launchpad.net/ubuntu/+source/aptdaemon/+bug/1888235"
          ],
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
    "assignerShortName": "canonical",
    "cveId": "CVE-2020-15703",
    "datePublished": "2020-10-31T03:45:19.526Z",
    "dateReserved": "2020-07-14T00:00:00.000Z",
    "dateUpdated": "2024-09-16T22:01:51.102Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}