Search criteria
34 vulnerabilities found for snapd by Canonical
CVE-2024-29069 (GCVE-0-2024-29069)
Vulnerability from nvd – Published: 2024-07-25 19:39 – Updated: 2024-08-02 01:03
VLAI?
Title
snapd will follow archived symlinks when unpacking a filesystem
Summary
In snapd versions prior to 2.62, snapd failed to properly check the
destination of symbolic links when extracting a snap. The snap format
is a squashfs file-system image and so can contain symbolic links and
other file types. Various file entries within the snap squashfs image
(such as icons and desktop files etc) are directly read by snapd when
it is extracted. An attacker who could convince a user to install a
malicious snap which contained symbolic links at these paths could then
cause snapd to write out the contents of the symbolic link destination
into a world-readable directory. This in-turn could allow an unprivileged
user to gain access to privileged information.
Severity ?
4.8 (Medium)
CWE
- CWE-610 - Externally Controlled Reference to a Resource in Another Sphere
Assigner
References
Credits
Zeyad Gouda
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-29069",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-26T13:27:42.541639Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-26T13:27:49.253Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:03:51.700Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/snapcore/snapd/pull/13682"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"squashfs"
],
"packageName": "snapd",
"platforms": [
"Linux"
],
"product": "snapd",
"programFiles": [
"snap/container.go",
"snap/snapdir/snapdir.go",
"snap/squashfs/squashfs.go"
],
"repo": "https://github.com/snapcore/snapd/",
"vendor": "Canonical",
"versions": [
{
"lessThan": "2.62",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Zeyad Gouda"
}
],
"datePublic": "2024-03-14T13:47:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "In snapd versions prior to 2.62, snapd failed to properly check the\ndestination of symbolic links when extracting a snap. The snap format \nis a squashfs file-system image and so can contain symbolic links and\nother file types. Various file entries within the snap squashfs image\n(such as icons and desktop files etc) are directly read by snapd when\nit is extracted. An attacker who could convince a user to install a\nmalicious snap which contained symbolic links at these paths could then \ncause snapd to write out the contents of the symbolic link destination\ninto a world-readable directory. This in-turn could allow an unprivileged\nuser to gain access to privileged information."
}
],
"impacts": [
{
"capecId": "CAPEC-132",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-132 Symlink Attack"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-610",
"description": "CWE-610 Externally Controlled Reference to a Resource in Another Sphere",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-25T19:39:41.050Z",
"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"shortName": "canonical"
},
"references": [
{
"url": "https://github.com/snapcore/snapd/pull/13682"
}
],
"title": "snapd will follow archived symlinks when unpacking a filesystem"
}
},
"cveMetadata": {
"assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"assignerShortName": "canonical",
"cveId": "CVE-2024-29069",
"datePublished": "2024-07-25T19:39:41.050Z",
"dateReserved": "2024-03-14T23:09:12.771Z",
"dateUpdated": "2024-08-02T01:03:51.700Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-29068 (GCVE-0-2024-29068)
Vulnerability from nvd – Published: 2024-07-25 19:28 – Updated: 2024-08-02 01:03
VLAI?
Title
snapd non-regular file indefinite blocking read
Summary
In snapd versions prior to 2.62, snapd failed to properly check the file
type when extracting a snap. The snap format is a squashfs file-system
image and so can contain files that are non-regular files (such as pipes
or sockets etc). Various file entries within the snap squashfs image
(such as icons etc) are directly read by snapd when it is extracted. An
attacker who could convince a user to install a malicious snap which
contained non-regular files at these paths could then cause snapd to block
indefinitely trying to read from such files and cause a denial of service.
Severity ?
5.8 (Medium)
CWE
- CWE-20 - Improper Input Validation
Assigner
References
Credits
Zeyad Gouda
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-29068",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-25T20:21:23.846363Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-25T20:21:43.831Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:03:51.709Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/snapcore/snapd/commit/b66fee81606a1c05f965a876ccbaf44174194063"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/snapcore/snapd/pull/13682"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"squashfs"
],
"packageName": "snapd",
"platforms": [
"Linux"
],
"product": "snapd",
"programFiles": [
"snap/container.go",
"snap/snapdir/snapdir.go",
"snap/squashfs/squashfs.go"
],
"repo": "https://github.com/snapcore/snapd/",
"vendor": "Canonical",
"versions": [
{
"lessThan": "2.62",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Zeyad Gouda"
}
],
"datePublic": "2024-03-14T13:47:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "In snapd versions prior to 2.62, snapd failed to properly check the file\ntype when extracting a snap. The snap format is a squashfs file-system\nimage and so can contain files that are non-regular files (such as pipes \nor sockets etc). Various file entries within the snap squashfs image\n(such as icons etc) are directly read by snapd when it is extracted. An \nattacker who could convince a user to install a malicious snap which\ncontained non-regular files at these paths could then cause snapd to block\nindefinitely trying to read from such files and cause a denial of service."
}
],
"impacts": [
{
"capecId": "CAPEC-586",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-586 Object Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-25T19:28:05.480Z",
"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"shortName": "canonical"
},
"references": [
{
"url": "https://github.com/snapcore/snapd/commit/b66fee81606a1c05f965a876ccbaf44174194063"
},
{
"url": "https://github.com/snapcore/snapd/pull/13682"
}
],
"title": "snapd non-regular file indefinite blocking read"
}
},
"cveMetadata": {
"assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"assignerShortName": "canonical",
"cveId": "CVE-2024-29068",
"datePublished": "2024-07-25T19:28:05.480Z",
"dateReserved": "2024-03-14T23:09:12.771Z",
"dateUpdated": "2024-08-02T01:03:51.709Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-1724 (GCVE-0-2024-1724)
Vulnerability from nvd – Published: 2024-07-25 19:05 – Updated: 2024-08-01 18:48
VLAI?
Title
snapd allows $HOME/bin symlink
Summary
In snapd versions prior to 2.62, when using AppArmor for enforcement of
sandbox permissions, snapd failed to restrict writes to the $HOME/bin
path. In Ubuntu, when this path exists, it is automatically added to
the users PATH. An attacker who could convince a user to install a
malicious snap which used the 'home' plug could use this vulnerability
to install arbitrary scripts into the users PATH which may then be run
by the user outside of the expected snap sandbox and hence allow them
to escape confinement.
Severity ?
6.3 (Medium)
CWE
- CWE-732 - Incorrect Permission Assignment for Critical Resource
Assigner
References
Credits
Neil McPhail
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:canonical:snapd:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "snapd",
"vendor": "canonical",
"versions": [
{
"lessThan": "2.62",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-1724",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-25T19:25:43.941220Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-25T19:28:23.939Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T18:48:21.887Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/snapcore/snapd/commit/aa191f97713de8dc3ce3ac818539f0b976eb8ef6"
},
{
"tags": [
"x_transferred"
],
"url": "https://gld.mcphail.uk/posts/explaining-cve-2024-1724/"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/snapcore/snapd/pull/13689"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"Generated AppArmor policy"
],
"packageName": "snapd",
"platforms": [
"Linux"
],
"product": "snap",
"programFiles": [
"interfaces/builtin/home.go"
],
"programRoutines": [
{
"name": "homeConnectedPlugAppArmor"
}
],
"repo": "https://github.com/snapcore/snapd/",
"vendor": "Canonical",
"versions": [
{
"lessThan": "2.62",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Neil McPhail"
}
],
"datePublic": "2024-03-13T08:27:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "In snapd versions prior to 2.62, when using AppArmor for enforcement of \nsandbox permissions, snapd failed to restrict writes to the $HOME/bin\npath. In Ubuntu, when this path exists, it is automatically added to\nthe users PATH. An attacker who could convince a user to install a\nmalicious snap which used the \u0027home\u0027 plug could use this vulnerability\nto install arbitrary scripts into the users PATH which may then be run\nby the user outside of the expected snap sandbox and hence allow them\nto escape confinement."
}
],
"impacts": [
{
"capecId": "CAPEC-1",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-732",
"description": "CWE-732 Incorrect Permission Assignment for Critical Resource",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-25T19:13:07.140Z",
"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"shortName": "canonical"
},
"references": [
{
"url": "https://github.com/snapcore/snapd/commit/aa191f97713de8dc3ce3ac818539f0b976eb8ef6"
},
{
"url": "https://gld.mcphail.uk/posts/explaining-cve-2024-1724/"
},
{
"url": "https://github.com/snapcore/snapd/pull/13689"
}
],
"title": "snapd allows $HOME/bin symlink"
}
},
"cveMetadata": {
"assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"assignerShortName": "canonical",
"cveId": "CVE-2024-1724",
"datePublished": "2024-07-25T19:05:23.299Z",
"dateReserved": "2024-02-21T19:46:47.236Z",
"dateUpdated": "2024-08-01T18:48:21.887Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-27352 (GCVE-0-2020-27352)
Vulnerability from nvd – Published: 2024-06-21 20:06 – Updated: 2024-08-04 16:11
VLAI?
Summary
When generating the systemd service units for the docker snap (and other similar snaps), snapd does not specify Delegate=yes - as a result systemd will move processes from the containers created and managed by these snaps into the cgroup of the main daemon within the snap itself when reloading system units. This may grant additional privileges to a container within the snap that were not originally intended.
Severity ?
9.3 (Critical)
CWE
- CWE-269 - Improper Privilege Management
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Canonical Ltd. | snapd |
Affected:
0 , < 2.48.3
(semver)
|
Credits
Gilad Reti
Nimrod Stoler
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:canonical:snapd:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "snapd",
"vendor": "canonical",
"versions": [
{
"lessThan": "2.48.3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2020-27352",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-05T13:14:07.392127Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269 Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-09T20:56:52.326Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-04T16:11:36.612Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"issue-tracking",
"x_transferred"
],
"url": "https://bugs.launchpad.net/snapd/+bug/1910456"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://ubuntu.com/security/notices/USN-4728-1"
},
{
"tags": [
"issue-tracking",
"x_transferred"
],
"url": "https://www.cve.org/CVERecord?id=CVE-2020-27352"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"packageName": "snapd",
"platforms": [
"Linux"
],
"product": "snapd",
"repo": "https://github.com/snapcore/snapd",
"vendor": "Canonical Ltd.",
"versions": [
{
"lessThan": "2.48.3",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Gilad Reti"
},
{
"lang": "en",
"type": "finder",
"value": "Nimrod Stoler"
}
],
"descriptions": [
{
"lang": "en",
"value": "When generating the systemd service units for the docker snap (and other similar snaps), snapd does not specify Delegate=yes - as a result systemd will move processes from the containers created and managed by these snaps into the cgroup of the main daemon within the snap itself when reloading system units. This may grant additional privileges to a container within the snap that were not originally intended."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"providerMetadata": {
"dateUpdated": "2024-06-21T20:06:37.992Z",
"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"shortName": "canonical"
},
"references": [
{
"tags": [
"issue-tracking"
],
"url": "https://bugs.launchpad.net/snapd/+bug/1910456"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://ubuntu.com/security/notices/USN-4728-1"
},
{
"tags": [
"issue-tracking"
],
"url": "https://www.cve.org/CVERecord?id=CVE-2020-27352"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"assignerShortName": "canonical",
"cveId": "CVE-2020-27352",
"datePublished": "2024-06-21T20:06:37.992Z",
"dateReserved": "2020-10-20T00:00:00.000Z",
"dateUpdated": "2024-08-04T16:11:36.612Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-5138 (GCVE-0-2024-5138)
Vulnerability from nvd – Published: 2024-05-31 21:02 – Updated: 2024-09-06 19:48
VLAI?
Summary
The snapctl component within snapd allows a confined snap to interact with the snapd daemon to take certain privileged actions on behalf of the snap. It was found that snapctl did not properly parse command-line arguments, allowing an unprivileged user to trigger an authorised action on behalf of the snap that would normally require administrator privileges to perform. This could possibly allow an unprivileged user to perform a denial of service or similar.
Severity ?
8.1 (High)
CWE
- CWE-20 - Improper Input Validation
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Canonical Ltd. | snapd |
Affected:
0 , < 68ee9c6aa916ab87dbfd9a26030690f2cabf1e14
(custom)
|
Credits
Rory McNamara from Snyk Security Labs
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T21:03:10.778Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"patch",
"x_transferred"
],
"url": "https://github.com/snapcore/snapd/commit/68ee9c6aa916ab87dbfd9a26030690f2cabf1e14"
},
{
"tags": [
"issue-tracking",
"x_transferred"
],
"url": "https://bugs.launchpad.net/snapd/+bug/2065077"
},
{
"tags": [
"issue-tracking",
"x_transferred"
],
"url": "https://www.cve.org/CVERecord?id=CVE-2024-5138"
},
{
"tags": [
"issue-tracking",
"x_transferred"
],
"url": "https://github.com/snapcore/snapd/security/advisories/GHSA-p9v8-q5m4-pf46"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:canonical:snapd:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "snapd",
"vendor": "canonical",
"versions": [
{
"lessThan": "68ee9c6aa916ab87dbfd9a26030690f2cabf1e14",
"status": "affected",
"version": "0",
"versionType": "git"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-5138",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-07T19:03:04.672013Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-06T19:48:49.508Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"packageName": "snapd",
"platforms": [
"Linux"
],
"product": "snapd",
"repo": "https://github.com/snapcore/snapd",
"vendor": "Canonical Ltd.",
"versions": [
{
"lessThan": "68ee9c6aa916ab87dbfd9a26030690f2cabf1e14",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Rory McNamara from Snyk Security Labs"
}
],
"descriptions": [
{
"lang": "en",
"value": "The snapctl component within snapd allows a confined snap to interact with the snapd daemon to take certain privileged actions on behalf of the snap. It was found that snapctl did not properly parse command-line arguments, allowing an unprivileged user to trigger an authorised action on behalf of the snap that would normally require administrator privileges to perform. This could possibly allow an unprivileged user to perform a denial of service or similar."
}
],
"providerMetadata": {
"dateUpdated": "2024-06-19T01:17:51.897Z",
"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"shortName": "canonical"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/snapcore/snapd/commit/68ee9c6aa916ab87dbfd9a26030690f2cabf1e14"
},
{
"tags": [
"issue-tracking"
],
"url": "https://bugs.launchpad.net/snapd/+bug/2065077"
},
{
"tags": [
"issue-tracking"
],
"url": "https://www.cve.org/CVERecord?id=CVE-2024-5138"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/snapcore/snapd/security/advisories/GHSA-p9v8-q5m4-pf46"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"assignerShortName": "canonical",
"cveId": "CVE-2024-5138",
"datePublished": "2024-05-31T21:02:19.979Z",
"dateReserved": "2024-05-19T22:29:02.330Z",
"dateUpdated": "2024-09-06T19:48:49.508Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-3328 (GCVE-0-2022-3328)
Vulnerability from nvd – Published: 2024-01-08 18:04 – Updated: 2025-06-03 14:35
VLAI?
Summary
Race condition in snap-confine's must_mkdir_and_open_with_perms()
Severity ?
7.8 (High)
CWE
- CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Canonical Ltd. | snapd |
Affected:
0 , < 2.61.1
(semver)
|
Credits
Qualys
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T01:07:06.423Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"issue-tracking",
"x_transferred"
],
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3328"
},
{
"tags": [
"third-party-advisory",
"x_transferred"
],
"url": "https://ubuntu.com/security/notices/USN-5753-1"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-3328",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-08T20:08:36.326851Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-362",
"description": "CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-03T14:35:04.952Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"packageName": "snapd",
"platforms": [
"Linux"
],
"product": "snapd",
"repo": "https://github.com/snapcore/snapd",
"vendor": "Canonical Ltd.",
"versions": [
{
"lessThan": "2.61.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Qualys"
}
],
"descriptions": [
{
"lang": "en",
"value": "Race condition in snap-confine\u0027s must_mkdir_and_open_with_perms()"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"providerMetadata": {
"dateUpdated": "2024-01-08T18:04:10.534Z",
"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"shortName": "canonical"
},
"references": [
{
"tags": [
"issue-tracking"
],
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3328"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://ubuntu.com/security/notices/USN-5753-1"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"assignerShortName": "canonical",
"cveId": "CVE-2022-3328",
"datePublished": "2024-01-08T18:04:10.534Z",
"dateReserved": "2022-09-27T00:03:34.151Z",
"dateUpdated": "2025-06-03T14:35:04.952Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-1523 (GCVE-0-2023-1523)
Vulnerability from nvd – Published: 2023-09-01 18:41 – Updated: 2024-10-01 13:08
VLAI?
Summary
Using the TIOCLINUX ioctl request, a malicious snap could inject contents into the input of the controlling terminal which could allow it to cause arbitrary commands to be executed outside of the snap sandbox after the snap exits. Graphical terminal emulators like xterm, gnome-terminal and others are not affected - this can only be exploited when snaps are run on a virtual console.
Severity ?
10 (Critical)
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Canonical Ltd. | snapd |
Unaffected:
2.59.5
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T05:49:11.645Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://ubuntu.com/security/notices/USN-6125-1"
},
{
"tags": [
"issue-tracking",
"x_transferred"
],
"url": "https://github.com/snapcore/snapd/pull/12849"
},
{
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://marc.info/?l=oss-security\u0026m=167879021709955\u0026w=2"
},
{
"tags": [
"issue-tracking",
"x_transferred"
],
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1523"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-1523",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-01T13:08:37.894449Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-01T13:08:45.851Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com/snapcore/snapd/releases",
"packageName": "snapd",
"platforms": [
"Linux"
],
"product": "snapd",
"repo": "https://github.com/snapcore/snapd",
"vendor": "Canonical Ltd.",
"versions": [
{
"status": "unaffected",
"version": "2.59.5"
}
]
}
],
"datePublic": "2023-05-25T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Using the TIOCLINUX ioctl request, a malicious snap could inject contents into the input of the controlling terminal which could allow it to cause arbitrary commands to be executed outside of the snap sandbox after the snap exits. Graphical terminal emulators like xterm, gnome-terminal and others are not affected - this can only be exploited when snaps are run on a virtual console."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"providerMetadata": {
"dateUpdated": "2023-09-01T18:41:47.820Z",
"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"shortName": "canonical"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://ubuntu.com/security/notices/USN-6125-1"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/snapcore/snapd/pull/12849"
},
{
"tags": [
"mailing-list"
],
"url": "https://marc.info/?l=oss-security\u0026m=167879021709955\u0026w=2"
},
{
"tags": [
"issue-tracking"
],
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1523"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"assignerShortName": "canonical",
"cveId": "CVE-2023-1523",
"datePublished": "2023-09-01T18:41:47.820Z",
"dateReserved": "2023-03-20T17:41:17.600Z",
"dateUpdated": "2024-10-01T13:08:45.851Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-4120 (GCVE-0-2021-4120)
Vulnerability from nvd – Published: 2022-02-17 22:15 – Updated: 2024-08-03 17:16
VLAI?
Title
snapd could be made to bypass intended access restrictions through snap content interfaces and layout paths
Summary
snapd 2.54.2 fails to perform sufficient validation of snap content interface and layout paths, resulting in the ability for snaps to inject arbitrary AppArmor policy rules via malformed content interface and layout declarations and hence escape strict snap confinement. Fixed in snapd versions 2.54.3+18.04, 2.54.3+20.04 and 2.54.3+21.10.1
Severity ?
8.2 (High)
CWE
- CWE-20 - Improper Input Validation
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Canonical Ltd. | snapd |
Affected:
unspecified , ≤ 2.54.2
(custom)
|
Credits
Ian Johnson
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T17:16:04.197Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://ubuntu.com/security/notices/USN-5292-1"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://bugs.launchpad.net/snapd/+bug/1949368"
},
{
"name": "[oss-security] 20220218 CVE-2021-4120: Insufficient validation of snap content interface and layout paths",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2022/02/18/2"
},
{
"name": "FEDORA-2022-82bea71e5a",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3QTBN7LLZISXIA4KU4UKDR27Q5PXDS2U/"
},
{
"name": "FEDORA-2022-5df8b52ba4",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XCGHG6LJAVJJ72TMART6A7N4Z6MSTGI7/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "snapd",
"vendor": "Canonical Ltd.",
"versions": [
{
"lessThanOrEqual": "2.54.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Ian Johnson"
}
],
"descriptions": [
{
"lang": "en",
"value": "snapd 2.54.2 fails to perform sufficient validation of snap content interface and layout paths, resulting in the ability for snaps to inject arbitrary AppArmor policy rules via malformed content interface and layout declarations and hence escape strict snap confinement. Fixed in snapd versions 2.54.3+18.04, 2.54.3+20.04 and 2.54.3+21.10.1"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-02-20T02:06:22",
"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"shortName": "canonical"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://ubuntu.com/security/notices/USN-5292-1"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://bugs.launchpad.net/snapd/+bug/1949368"
},
{
"name": "[oss-security] 20220218 CVE-2021-4120: Insufficient validation of snap content interface and layout paths",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2022/02/18/2"
},
{
"name": "FEDORA-2022-82bea71e5a",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3QTBN7LLZISXIA4KU4UKDR27Q5PXDS2U/"
},
{
"name": "FEDORA-2022-5df8b52ba4",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XCGHG6LJAVJJ72TMART6A7N4Z6MSTGI7/"
}
],
"source": {
"defect": [
"https://launchpad.net/bugs/1949368"
],
"discovery": "INTERNAL"
},
"title": "snapd could be made to bypass intended access restrictions through snap content interfaces and layout paths",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@ubuntu.com",
"ID": "CVE-2021-4120",
"STATE": "PUBLIC",
"TITLE": "snapd could be made to bypass intended access restrictions through snap content interfaces and layout paths"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "snapd",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_value": "2.54.2"
}
]
}
}
]
},
"vendor_name": "Canonical Ltd."
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Ian Johnson"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "snapd 2.54.2 fails to perform sufficient validation of snap content interface and layout paths, resulting in the ability for snaps to inject arbitrary AppArmor policy rules via malformed content interface and layout declarations and hence escape strict snap confinement. Fixed in snapd versions 2.54.3+18.04, 2.54.3+20.04 and 2.54.3+21.10.1"
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-20 Improper Input Validation"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://ubuntu.com/security/notices/USN-5292-1",
"refsource": "MISC",
"url": "https://ubuntu.com/security/notices/USN-5292-1"
},
{
"name": "https://bugs.launchpad.net/snapd/+bug/1949368",
"refsource": "MISC",
"url": "https://bugs.launchpad.net/snapd/+bug/1949368"
},
{
"name": "[oss-security] 20220218 CVE-2021-4120: Insufficient validation of snap content interface and layout paths",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2022/02/18/2"
},
{
"name": "FEDORA-2022-82bea71e5a",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3QTBN7LLZISXIA4KU4UKDR27Q5PXDS2U/"
},
{
"name": "FEDORA-2022-5df8b52ba4",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XCGHG6LJAVJJ72TMART6A7N4Z6MSTGI7/"
}
]
},
"source": {
"defect": [
"https://launchpad.net/bugs/1949368"
],
"discovery": "INTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"assignerShortName": "canonical",
"cveId": "CVE-2021-4120",
"datePublished": "2022-02-17T22:15:21",
"dateReserved": "2021-12-14T00:00:00",
"dateUpdated": "2024-08-03T17:16:04.197Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-44731 (GCVE-0-2021-44731)
Vulnerability from nvd – Published: 2022-02-17 00:00 – Updated: 2024-08-04 04:32
VLAI?
Title
snapd could be made to escalate privileges and run programs as administrator
Summary
A race condition existed in the snapd 2.54.2 snap-confine binary when preparing a private mount namespace for a snap. This could allow a local attacker to gain root privileges by bind-mounting their own contents inside the snap's private mount namespace and causing snap-confine to execute arbitrary code and hence gain privilege escalation. Fixed in snapd versions 2.54.3+18.04, 2.54.3+20.04 and 2.54.3+21.10.1
Severity ?
7.8 (High)
CWE
- CWE-362 - Race Condition (Concurrent Execution using Shared Resource with Improper Synchronization)
Assigner
References
| URL | Tags | |
|---|---|---|
|
|
||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Canonical Ltd. | snapd |
Affected:
unspecified , ≤ 2.54.2
(custom)
|
Credits
Qualys Research Team
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T04:32:12.887Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://ubuntu.com/security/notices/USN-5292-1"
},
{
"name": "[oss-security] 20220218 CVE-2021-4120: Insufficient validation of snap content interface and layout paths",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2022/02/18/2"
},
{
"name": "FEDORA-2022-82bea71e5a",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3QTBN7LLZISXIA4KU4UKDR27Q5PXDS2U/"
},
{
"name": "FEDORA-2022-5df8b52ba4",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XCGHG6LJAVJJ72TMART6A7N4Z6MSTGI7/"
},
{
"name": "DSA-5080",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://www.debian.org/security/2022/dsa-5080"
},
{
"name": "[oss-security] 20220223 Re: CVE-2021-44731: Race condition in snap-confine\u0027s setup_private_mount()",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2022/02/23/1"
},
{
"name": "[oss-security] 20220223 Re: CVE-2021-44731: Race condition in snap-confine\u0027s setup_private_mount()",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2022/02/23/2"
},
{
"name": "[oss-security] 20221130 Race condition in snap-confine\u0027s must_mkdir_and_open_with_perms() (CVE-2022-3328)",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2022/11/30/2"
},
{
"name": "20221208 Race condition in snap-confine\u0027s must_mkdir_and_open_with_perms() (CVE-2022-3328)",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "http://seclists.org/fulldisclosure/2022/Dec/4"
},
{
"tags": [
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/170176/snap-confine-must_mkdir_and_open_with_perms-Race-Condition.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "snapd",
"vendor": "Canonical Ltd.",
"versions": [
{
"lessThanOrEqual": "2.54.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Qualys Research Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A race condition existed in the snapd 2.54.2 snap-confine binary when preparing a private mount namespace for a snap. This could allow a local attacker to gain root privileges by bind-mounting their own contents inside the snap\u0027s private mount namespace and causing snap-confine to execute arbitrary code and hence gain privilege escalation. Fixed in snapd versions 2.54.3+18.04, 2.54.3+20.04 and 2.54.3+21.10.1"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-362",
"description": "CWE-362 Race Condition (Concurrent Execution using Shared Resource with Improper Synchronization)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-12-09T00:00:00",
"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"shortName": "canonical"
},
"references": [
{
"url": "https://ubuntu.com/security/notices/USN-5292-1"
},
{
"name": "[oss-security] 20220218 CVE-2021-4120: Insufficient validation of snap content interface and layout paths",
"tags": [
"mailing-list"
],
"url": "http://www.openwall.com/lists/oss-security/2022/02/18/2"
},
{
"name": "FEDORA-2022-82bea71e5a",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3QTBN7LLZISXIA4KU4UKDR27Q5PXDS2U/"
},
{
"name": "FEDORA-2022-5df8b52ba4",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XCGHG6LJAVJJ72TMART6A7N4Z6MSTGI7/"
},
{
"name": "DSA-5080",
"tags": [
"vendor-advisory"
],
"url": "https://www.debian.org/security/2022/dsa-5080"
},
{
"name": "[oss-security] 20220223 Re: CVE-2021-44731: Race condition in snap-confine\u0027s setup_private_mount()",
"tags": [
"mailing-list"
],
"url": "http://www.openwall.com/lists/oss-security/2022/02/23/1"
},
{
"name": "[oss-security] 20220223 Re: CVE-2021-44731: Race condition in snap-confine\u0027s setup_private_mount()",
"tags": [
"mailing-list"
],
"url": "http://www.openwall.com/lists/oss-security/2022/02/23/2"
},
{
"name": "[oss-security] 20221130 Race condition in snap-confine\u0027s must_mkdir_and_open_with_perms() (CVE-2022-3328)",
"tags": [
"mailing-list"
],
"url": "http://www.openwall.com/lists/oss-security/2022/11/30/2"
},
{
"name": "20221208 Race condition in snap-confine\u0027s must_mkdir_and_open_with_perms() (CVE-2022-3328)",
"tags": [
"mailing-list"
],
"url": "http://seclists.org/fulldisclosure/2022/Dec/4"
},
{
"url": "http://packetstormsecurity.com/files/170176/snap-confine-must_mkdir_and_open_with_perms-Race-Condition.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "snapd could be made to escalate privileges and run programs as administrator",
"x_generator": {
"engine": "Vulnogram 0.0.9"
}
}
},
"cveMetadata": {
"assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"assignerShortName": "canonical",
"cveId": "CVE-2021-44731",
"datePublished": "2022-02-17T00:00:00",
"dateReserved": "2021-12-08T00:00:00",
"dateUpdated": "2024-08-04T04:32:12.887Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-44730 (GCVE-0-2021-44730)
Vulnerability from nvd – Published: 2022-02-17 22:15 – Updated: 2024-08-04 04:32
VLAI?
Title
snapd could be made to escalate privileges and run programs as administrator
Summary
snapd 2.54.2 did not properly validate the location of the snap-confine binary. A local attacker who can hardlink this binary to another location to cause snap-confine to execute other arbitrary binaries and hence gain privilege escalation. Fixed in snapd versions 2.54.3+18.04, 2.54.3+20.04 and 2.54.3+21.10.1
Severity ?
7.8 (High)
CWE
- CWE-59 - Improper Link Resolution Before File Access ('Link Following')
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Canonical Ltd. | snapd |
Affected:
unspecified , ≤ 2.54.2
(custom)
|
Credits
Qualys Research Team
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T04:32:12.268Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://ubuntu.com/security/notices/USN-5292-1"
},
{
"name": "[oss-security] 20220218 CVE-2021-4120: Insufficient validation of snap content interface and layout paths",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2022/02/18/2"
},
{
"name": "FEDORA-2022-82bea71e5a",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3QTBN7LLZISXIA4KU4UKDR27Q5PXDS2U/"
},
{
"name": "FEDORA-2022-5df8b52ba4",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XCGHG6LJAVJJ72TMART6A7N4Z6MSTGI7/"
},
{
"name": "DSA-5080",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2022/dsa-5080"
},
{
"name": "[oss-security] 20220223 Re: CVE-2021-44731: Race condition in snap-confine\u0027s setup_private_mount()",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2022/02/23/1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "snapd",
"vendor": "Canonical Ltd.",
"versions": [
{
"lessThanOrEqual": "2.54.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Qualys Research Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "snapd 2.54.2 did not properly validate the location of the snap-confine binary. A local attacker who can hardlink this binary to another location to cause snap-confine to execute other arbitrary binaries and hence gain privilege escalation. Fixed in snapd versions 2.54.3+18.04, 2.54.3+20.04 and 2.54.3+21.10.1"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-59",
"description": "CWE-59 Improper Link Resolution Before File Access (\u0027Link Following\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-02-23T12:06:05",
"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"shortName": "canonical"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://ubuntu.com/security/notices/USN-5292-1"
},
{
"name": "[oss-security] 20220218 CVE-2021-4120: Insufficient validation of snap content interface and layout paths",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2022/02/18/2"
},
{
"name": "FEDORA-2022-82bea71e5a",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3QTBN7LLZISXIA4KU4UKDR27Q5PXDS2U/"
},
{
"name": "FEDORA-2022-5df8b52ba4",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XCGHG6LJAVJJ72TMART6A7N4Z6MSTGI7/"
},
{
"name": "DSA-5080",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2022/dsa-5080"
},
{
"name": "[oss-security] 20220223 Re: CVE-2021-44731: Race condition in snap-confine\u0027s setup_private_mount()",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2022/02/23/1"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "snapd could be made to escalate privileges and run programs as administrator",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@ubuntu.com",
"ID": "CVE-2021-44730",
"STATE": "PUBLIC",
"TITLE": "snapd could be made to escalate privileges and run programs as administrator"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "snapd",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_value": "2.54.2"
}
]
}
}
]
},
"vendor_name": "Canonical Ltd."
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Qualys Research Team"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "snapd 2.54.2 did not properly validate the location of the snap-confine binary. A local attacker who can hardlink this binary to another location to cause snap-confine to execute other arbitrary binaries and hence gain privilege escalation. Fixed in snapd versions 2.54.3+18.04, 2.54.3+20.04 and 2.54.3+21.10.1"
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-59 Improper Link Resolution Before File Access (\u0027Link Following\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://ubuntu.com/security/notices/USN-5292-1",
"refsource": "MISC",
"url": "https://ubuntu.com/security/notices/USN-5292-1"
},
{
"name": "[oss-security] 20220218 CVE-2021-4120: Insufficient validation of snap content interface and layout paths",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2022/02/18/2"
},
{
"name": "FEDORA-2022-82bea71e5a",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3QTBN7LLZISXIA4KU4UKDR27Q5PXDS2U/"
},
{
"name": "FEDORA-2022-5df8b52ba4",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XCGHG6LJAVJJ72TMART6A7N4Z6MSTGI7/"
},
{
"name": "DSA-5080",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2022/dsa-5080"
},
{
"name": "[oss-security] 20220223 Re: CVE-2021-44731: Race condition in snap-confine\u0027s setup_private_mount()",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2022/02/23/1"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"assignerShortName": "canonical",
"cveId": "CVE-2021-44730",
"datePublished": "2022-02-17T22:15:18",
"dateReserved": "2021-12-08T00:00:00",
"dateUpdated": "2024-08-04T04:32:12.268Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-3155 (GCVE-0-2021-3155)
Vulnerability from nvd – Published: 2022-02-17 22:15 – Updated: 2024-08-03 16:45
VLAI?
Title
snapd created ~/snap with too-wide permissions
Summary
snapd 2.54.2 and earlier created ~/snap directories in user home directories without specifying owner-only permissions. This could allow a local attacker to read information that should have been private. Fixed in snapd versions 2.54.3+18.04, 2.54.3+20.04 and 2.54.3+21.10.1
Severity ?
CWE
- CWE-276 - Incorrect Default Permissions
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Canonical Ltd. | snapd |
Affected:
unspecified , ≤ 2.54.2
(custom)
|
Credits
James Troup
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T16:45:51.372Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://ubuntu.com/security/notices/USN-5292-1"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/snapcore/snapd/commit/6bcaeeccd16ed8298a301dd92f6907f88c24cc85"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/snapcore/snapd/commit/7d2a966620002149891446a53cf114804808dcca"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "snapd",
"vendor": "Canonical Ltd.",
"versions": [
{
"lessThanOrEqual": "2.54.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "James Troup"
}
],
"descriptions": [
{
"lang": "en",
"value": "snapd 2.54.2 and earlier created ~/snap directories in user home directories without specifying owner-only permissions. This could allow a local attacker to read information that should have been private. Fixed in snapd versions 2.54.3+18.04, 2.54.3+20.04 and 2.54.3+21.10.1"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 3.8,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-276",
"description": "CWE-276 Incorrect Default Permissions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-02-17T22:15:16",
"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"shortName": "canonical"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://ubuntu.com/security/notices/USN-5292-1"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/snapcore/snapd/commit/6bcaeeccd16ed8298a301dd92f6907f88c24cc85"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/snapcore/snapd/commit/7d2a966620002149891446a53cf114804808dcca"
}
],
"source": {
"discovery": "USER"
},
"title": "snapd created ~/snap with too-wide permissions",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@ubuntu.com",
"ID": "CVE-2021-3155",
"STATE": "PUBLIC",
"TITLE": "snapd created ~/snap with too-wide permissions"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "snapd",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_value": "2.54.2"
}
]
}
}
]
},
"vendor_name": "Canonical Ltd."
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "James Troup"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "snapd 2.54.2 and earlier created ~/snap directories in user home directories without specifying owner-only permissions. This could allow a local attacker to read information that should have been private. Fixed in snapd versions 2.54.3+18.04, 2.54.3+20.04 and 2.54.3+21.10.1"
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 3.8,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-276 Incorrect Default Permissions"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://ubuntu.com/security/notices/USN-5292-1",
"refsource": "MISC",
"url": "https://ubuntu.com/security/notices/USN-5292-1"
},
{
"name": "https://github.com/snapcore/snapd/commit/6bcaeeccd16ed8298a301dd92f6907f88c24cc85",
"refsource": "MISC",
"url": "https://github.com/snapcore/snapd/commit/6bcaeeccd16ed8298a301dd92f6907f88c24cc85"
},
{
"name": "https://github.com/snapcore/snapd/commit/7d2a966620002149891446a53cf114804808dcca",
"refsource": "MISC",
"url": "https://github.com/snapcore/snapd/commit/7d2a966620002149891446a53cf114804808dcca"
}
]
},
"source": {
"discovery": "USER"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"assignerShortName": "canonical",
"cveId": "CVE-2021-3155",
"datePublished": "2022-02-17T22:15:16",
"dateReserved": "2021-01-15T00:00:00",
"dateUpdated": "2024-08-03T16:45:51.372Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-11934 (GCVE-0-2020-11934)
Vulnerability from nvd – Published: 2020-07-29 16:25 – Updated: 2024-09-17 04:04
VLAI?
Title
Sandbox escape vulnerability via snapctl user-open (xdg-open)
Summary
It was discovered that snapctl user-open allowed altering the $XDG_DATA_DIRS environment variable when calling the system xdg-open. OpenURL() in usersession/userd/launcher.go would alter $XDG_DATA_DIRS to append a path to a directory controlled by the calling snap. A malicious snap could exploit this to bypass intended access restrictions to control how the host system xdg-open script opens the URL and, for example, execute a script shipped with the snap without confinement. This issue did not affect Ubuntu Core systems. Fixed in snapd versions 2.45.1ubuntu0.2, 2.45.1+18.04.2 and 2.45.1+20.04.2.
Severity ?
5.9 (Medium)
CWE
- Sandbox escape vulnerability
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
Credits
James Henstridge
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T11:42:00.558Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://ubuntu.com/USN-4424-1"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://launchpad.net/bugs/1880085"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "snapd",
"vendor": "Canonical",
"versions": [
{
"changes": [
{
"at": "2.45.1+18.04.2",
"status": "unaffected"
},
{
"at": "2.45.1+20.04.2",
"status": "unaffected"
}
],
"lessThan": "2.45.1ubuntu0.2",
"status": "affected",
"version": "2.45.1",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "James Henstridge"
}
],
"datePublic": "2020-05-22T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "It was discovered that snapctl user-open allowed altering the $XDG_DATA_DIRS environment variable when calling the system xdg-open. OpenURL() in usersession/userd/launcher.go would alter $XDG_DATA_DIRS to append a path to a directory controlled by the calling snap. A malicious snap could exploit this to bypass intended access restrictions to control how the host system xdg-open script opens the URL and, for example, execute a script shipped with the snap without confinement. This issue did not affect Ubuntu Core systems. Fixed in snapd versions 2.45.1ubuntu0.2, 2.45.1+18.04.2 and 2.45.1+20.04.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Sandbox escape vulnerability",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-07-29T16:25:26",
"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"shortName": "canonical"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://ubuntu.com/USN-4424-1"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://launchpad.net/bugs/1880085"
}
],
"source": {
"advisory": "https://ubuntu.com/USN-4424-1",
"defect": [
"https://launchpad.net/bugs/1880085"
],
"discovery": "INTERNAL"
},
"title": "Sandbox escape vulnerability via snapctl user-open (xdg-open)",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"AKA": "",
"ASSIGNER": "security@ubuntu.com",
"DATE_PUBLIC": "2020-05-22T05:55:00.000Z",
"ID": "CVE-2020-11934",
"STATE": "PUBLIC",
"TITLE": "Sandbox escape vulnerability via snapctl user-open (xdg-open)"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "snapd",
"version": {
"version_data": [
{
"platform": "",
"version_affected": "\u003c",
"version_name": "2.45.1",
"version_value": "2.45.1ubuntu0.2"
},
{
"platform": "",
"version_affected": "\u003c",
"version_name": "2.45.1",
"version_value": "2.45.1+18.04.2"
},
{
"platform": "",
"version_affected": "\u003c",
"version_name": "2.45.1",
"version_value": "2.45.1+20.04.2"
}
]
}
}
]
},
"vendor_name": "Canonical"
}
]
}
},
"configuration": [],
"credit": [
{
"lang": "eng",
"value": "James Henstridge"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "It was discovered that snapctl user-open allowed altering the $XDG_DATA_DIRS environment variable when calling the system xdg-open. OpenURL() in usersession/userd/launcher.go would alter $XDG_DATA_DIRS to append a path to a directory controlled by the calling snap. A malicious snap could exploit this to bypass intended access restrictions to control how the host system xdg-open script opens the URL and, for example, execute a script shipped with the snap without confinement. This issue did not affect Ubuntu Core systems. Fixed in snapd versions 2.45.1ubuntu0.2, 2.45.1+18.04.2 and 2.45.1+20.04.2."
}
]
},
"exploit": [],
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Sandbox escape vulnerability"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://ubuntu.com/USN-4424-1",
"refsource": "CONFIRM",
"url": "https://ubuntu.com/USN-4424-1"
},
{
"name": "https://launchpad.net/bugs/1880085",
"refsource": "CONFIRM",
"url": "https://launchpad.net/bugs/1880085"
}
]
},
"solution": [],
"source": {
"advisory": "https://ubuntu.com/USN-4424-1",
"defect": [
"https://launchpad.net/bugs/1880085"
],
"discovery": "INTERNAL"
},
"work_around": []
}
}
},
"cveMetadata": {
"assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"assignerShortName": "canonical",
"cveId": "CVE-2020-11934",
"datePublished": "2020-07-29T16:25:26.118479Z",
"dateReserved": "2020-04-20T00:00:00",
"dateUpdated": "2024-09-17T04:04:04.329Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-11933 (GCVE-0-2020-11933)
Vulnerability from nvd – Published: 2020-07-29 16:25 – Updated: 2024-09-17 00:40
VLAI?
Title
local snapd exploit through cloud-init
Summary
cloud-init as managed by snapd on Ubuntu Core 16 and Ubuntu Core 18 devices was run without restrictions on every boot, which a physical attacker could exploit by crafting cloud-init user-data/meta-data via external media to perform arbitrary changes on the device to bypass intended security mechanisms such as full disk encryption. This issue did not affect traditional Ubuntu systems. Fixed in snapd version 2.45.2, revision 8539 and core version 2.45.2, revision 9659.
Severity ?
7.3 (High)
CWE
- CWE-264 - Permissions, Privileges, and Access Controls
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
Credits
Ian Johnson
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T11:42:00.821Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://launchpad.net/bugs/1879530"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://ubuntu.com/USN-4424-1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "snapd",
"vendor": "Canonical",
"versions": [
{
"lessThan": "2.45.2, revision 8539",
"status": "affected",
"version": "2.45.2",
"versionType": "custom"
}
]
},
{
"product": "core",
"vendor": "Canonical",
"versions": [
{
"lessThan": "2.45.2, revision 9659",
"status": "affected",
"version": "2.45.2",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Ian Johnson"
}
],
"datePublic": "2020-05-19T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "cloud-init as managed by snapd on Ubuntu Core 16 and Ubuntu Core 18 devices was run without restrictions on every boot, which a physical attacker could exploit by crafting cloud-init user-data/meta-data via external media to perform arbitrary changes on the device to bypass intended security mechanisms such as full disk encryption. This issue did not affect traditional Ubuntu systems. Fixed in snapd version 2.45.2, revision 8539 and core version 2.45.2, revision 9659."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"availabilityImpact": "NONE",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-264",
"description": "CWE-264 Permissions, Privileges, and Access Controls",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-07-29T16:25:25",
"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"shortName": "canonical"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://launchpad.net/bugs/1879530"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://ubuntu.com/USN-4424-1"
}
],
"source": {
"advisory": "https://ubuntu.com/USN-4424-1",
"defect": [
"https://launchpad.net/bugs/1879530"
],
"discovery": "INTERNAL"
},
"title": "local snapd exploit through cloud-init",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"AKA": "",
"ASSIGNER": "security@ubuntu.com",
"DATE_PUBLIC": "2020-05-19T16:34:00.000Z",
"ID": "CVE-2020-11933",
"STATE": "PUBLIC",
"TITLE": "local snapd exploit through cloud-init"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "snapd",
"version": {
"version_data": [
{
"platform": "",
"version_affected": "\u003c",
"version_name": "2.45.2",
"version_value": "2.45.2, revision 8539"
}
]
}
},
{
"product_name": "core",
"version": {
"version_data": [
{
"platform": "",
"version_affected": "\u003c",
"version_name": "2.45.2",
"version_value": "2.45.2, revision 9659"
}
]
}
}
]
},
"vendor_name": "Canonical"
}
]
}
},
"configuration": [],
"credit": [
{
"lang": "eng",
"value": "Ian Johnson"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "cloud-init as managed by snapd on Ubuntu Core 16 and Ubuntu Core 18 devices was run without restrictions on every boot, which a physical attacker could exploit by crafting cloud-init user-data/meta-data via external media to perform arbitrary changes on the device to bypass intended security mechanisms such as full disk encryption. This issue did not affect traditional Ubuntu systems. Fixed in snapd version 2.45.2, revision 8539 and core version 2.45.2, revision 9659."
}
]
},
"exploit": [],
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"availabilityImpact": "NONE",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-264 Permissions, Privileges, and Access Controls"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://launchpad.net/bugs/1879530",
"refsource": "CONFIRM",
"url": "https://launchpad.net/bugs/1879530"
},
{
"name": "https://ubuntu.com/USN-4424-1",
"refsource": "CONFIRM",
"url": "https://ubuntu.com/USN-4424-1"
}
]
},
"solution": [],
"source": {
"advisory": "https://ubuntu.com/USN-4424-1",
"defect": [
"https://launchpad.net/bugs/1879530"
],
"discovery": "INTERNAL"
},
"work_around": []
}
}
},
"cveMetadata": {
"assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"assignerShortName": "canonical",
"cveId": "CVE-2020-11933",
"datePublished": "2020-07-29T16:25:25.690070Z",
"dateReserved": "2020-04-20T00:00:00",
"dateUpdated": "2024-09-17T00:40:28.129Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-11503 (GCVE-0-2019-11503)
Vulnerability from nvd – Published: 2019-04-24 20:02 – Updated: 2024-08-04 22:55
VLAI?
Summary
snap-confine as included in snapd before 2.39 did not guard against symlink races when performing the chdir() to the current working directory of the calling user, aka a "cwd restore permission bypass."
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T22:55:40.652Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.openwall.com/lists/oss-security/2019/04/18/4"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/snapcore/snapd/pull/6642"
},
{
"name": "[oss-security] 20190425 Re: Security issues in snapcraft snap-confine set*id binary",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2019/04/25/7"
},
{
"name": "FEDORA-2019-b6612c5fe5",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6VACEKVQ7UAZ32WO4ZKCFW6YOBSYJ76L/"
},
{
"name": "FEDORA-2019-bc3dfb389f",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VPU6APEZHAA7N2AI57OT4J2P7NKHFOLM/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "snap-confine as included in snapd before 2.39 did not guard against symlink races when performing the chdir() to the current working directory of the calling user, aka a \"cwd restore permission bypass.\""
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-07-13T02:06:04",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.openwall.com/lists/oss-security/2019/04/18/4"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/snapcore/snapd/pull/6642"
},
{
"name": "[oss-security] 20190425 Re: Security issues in snapcraft snap-confine set*id binary",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2019/04/25/7"
},
{
"name": "FEDORA-2019-b6612c5fe5",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6VACEKVQ7UAZ32WO4ZKCFW6YOBSYJ76L/"
},
{
"name": "FEDORA-2019-bc3dfb389f",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VPU6APEZHAA7N2AI57OT4J2P7NKHFOLM/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-11503",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "snap-confine as included in snapd before 2.39 did not guard against symlink races when performing the chdir() to the current working directory of the calling user, aka a \"cwd restore permission bypass.\""
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.openwall.com/lists/oss-security/2019/04/18/4",
"refsource": "MISC",
"url": "https://www.openwall.com/lists/oss-security/2019/04/18/4"
},
{
"name": "https://github.com/snapcore/snapd/pull/6642",
"refsource": "MISC",
"url": "https://github.com/snapcore/snapd/pull/6642"
},
{
"name": "[oss-security] 20190425 Re: Security issues in snapcraft snap-confine set*id binary",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2019/04/25/7"
},
{
"name": "FEDORA-2019-b6612c5fe5",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6VACEKVQ7UAZ32WO4ZKCFW6YOBSYJ76L/"
},
{
"name": "FEDORA-2019-bc3dfb389f",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VPU6APEZHAA7N2AI57OT4J2P7NKHFOLM/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-11503",
"datePublished": "2019-04-24T20:02:44",
"dateReserved": "2019-04-24T00:00:00",
"dateUpdated": "2024-08-04T22:55:40.652Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-11502 (GCVE-0-2019-11502)
Vulnerability from nvd – Published: 2019-04-24 20:02 – Updated: 2024-08-04 22:55
VLAI?
Summary
snap-confine in snapd before 2.38 incorrectly set the ownership of a snap application to the uid and gid of the first calling user. Consequently, that user had unintended access to a private /tmp directory.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T22:55:40.662Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.openwall.com/lists/oss-security/2019/04/18/4"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/snapcore/snapd/commit/bdbfeebef03245176ae0dc323392bb0522a339b1"
},
{
"name": "[oss-security] 20190425 Re: Security issues in snapcraft snap-confine set*id binary",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2019/04/25/7"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "snap-confine in snapd before 2.38 incorrectly set the ownership of a snap application to the uid and gid of the first calling user. Consequently, that user had unintended access to a private /tmp directory."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-04-25T17:06:03",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.openwall.com/lists/oss-security/2019/04/18/4"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/snapcore/snapd/commit/bdbfeebef03245176ae0dc323392bb0522a339b1"
},
{
"name": "[oss-security] 20190425 Re: Security issues in snapcraft snap-confine set*id binary",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2019/04/25/7"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-11502",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "snap-confine in snapd before 2.38 incorrectly set the ownership of a snap application to the uid and gid of the first calling user. Consequently, that user had unintended access to a private /tmp directory."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.openwall.com/lists/oss-security/2019/04/18/4",
"refsource": "MISC",
"url": "https://www.openwall.com/lists/oss-security/2019/04/18/4"
},
{
"name": "https://github.com/snapcore/snapd/commit/bdbfeebef03245176ae0dc323392bb0522a339b1",
"refsource": "MISC",
"url": "https://github.com/snapcore/snapd/commit/bdbfeebef03245176ae0dc323392bb0522a339b1"
},
{
"name": "[oss-security] 20190425 Re: Security issues in snapcraft snap-confine set*id binary",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2019/04/25/7"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-11502",
"datePublished": "2019-04-24T20:02:32",
"dateReserved": "2019-04-24T00:00:00",
"dateUpdated": "2024-08-04T22:55:40.662Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-29069 (GCVE-0-2024-29069)
Vulnerability from cvelistv5 – Published: 2024-07-25 19:39 – Updated: 2024-08-02 01:03
VLAI?
Title
snapd will follow archived symlinks when unpacking a filesystem
Summary
In snapd versions prior to 2.62, snapd failed to properly check the
destination of symbolic links when extracting a snap. The snap format
is a squashfs file-system image and so can contain symbolic links and
other file types. Various file entries within the snap squashfs image
(such as icons and desktop files etc) are directly read by snapd when
it is extracted. An attacker who could convince a user to install a
malicious snap which contained symbolic links at these paths could then
cause snapd to write out the contents of the symbolic link destination
into a world-readable directory. This in-turn could allow an unprivileged
user to gain access to privileged information.
Severity ?
4.8 (Medium)
CWE
- CWE-610 - Externally Controlled Reference to a Resource in Another Sphere
Assigner
References
Credits
Zeyad Gouda
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-29069",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-26T13:27:42.541639Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-26T13:27:49.253Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:03:51.700Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/snapcore/snapd/pull/13682"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"squashfs"
],
"packageName": "snapd",
"platforms": [
"Linux"
],
"product": "snapd",
"programFiles": [
"snap/container.go",
"snap/snapdir/snapdir.go",
"snap/squashfs/squashfs.go"
],
"repo": "https://github.com/snapcore/snapd/",
"vendor": "Canonical",
"versions": [
{
"lessThan": "2.62",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Zeyad Gouda"
}
],
"datePublic": "2024-03-14T13:47:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "In snapd versions prior to 2.62, snapd failed to properly check the\ndestination of symbolic links when extracting a snap. The snap format \nis a squashfs file-system image and so can contain symbolic links and\nother file types. Various file entries within the snap squashfs image\n(such as icons and desktop files etc) are directly read by snapd when\nit is extracted. An attacker who could convince a user to install a\nmalicious snap which contained symbolic links at these paths could then \ncause snapd to write out the contents of the symbolic link destination\ninto a world-readable directory. This in-turn could allow an unprivileged\nuser to gain access to privileged information."
}
],
"impacts": [
{
"capecId": "CAPEC-132",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-132 Symlink Attack"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-610",
"description": "CWE-610 Externally Controlled Reference to a Resource in Another Sphere",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-25T19:39:41.050Z",
"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"shortName": "canonical"
},
"references": [
{
"url": "https://github.com/snapcore/snapd/pull/13682"
}
],
"title": "snapd will follow archived symlinks when unpacking a filesystem"
}
},
"cveMetadata": {
"assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"assignerShortName": "canonical",
"cveId": "CVE-2024-29069",
"datePublished": "2024-07-25T19:39:41.050Z",
"dateReserved": "2024-03-14T23:09:12.771Z",
"dateUpdated": "2024-08-02T01:03:51.700Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-29068 (GCVE-0-2024-29068)
Vulnerability from cvelistv5 – Published: 2024-07-25 19:28 – Updated: 2024-08-02 01:03
VLAI?
Title
snapd non-regular file indefinite blocking read
Summary
In snapd versions prior to 2.62, snapd failed to properly check the file
type when extracting a snap. The snap format is a squashfs file-system
image and so can contain files that are non-regular files (such as pipes
or sockets etc). Various file entries within the snap squashfs image
(such as icons etc) are directly read by snapd when it is extracted. An
attacker who could convince a user to install a malicious snap which
contained non-regular files at these paths could then cause snapd to block
indefinitely trying to read from such files and cause a denial of service.
Severity ?
5.8 (Medium)
CWE
- CWE-20 - Improper Input Validation
Assigner
References
Credits
Zeyad Gouda
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-29068",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-25T20:21:23.846363Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-25T20:21:43.831Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:03:51.709Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/snapcore/snapd/commit/b66fee81606a1c05f965a876ccbaf44174194063"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/snapcore/snapd/pull/13682"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"squashfs"
],
"packageName": "snapd",
"platforms": [
"Linux"
],
"product": "snapd",
"programFiles": [
"snap/container.go",
"snap/snapdir/snapdir.go",
"snap/squashfs/squashfs.go"
],
"repo": "https://github.com/snapcore/snapd/",
"vendor": "Canonical",
"versions": [
{
"lessThan": "2.62",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Zeyad Gouda"
}
],
"datePublic": "2024-03-14T13:47:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "In snapd versions prior to 2.62, snapd failed to properly check the file\ntype when extracting a snap. The snap format is a squashfs file-system\nimage and so can contain files that are non-regular files (such as pipes \nor sockets etc). Various file entries within the snap squashfs image\n(such as icons etc) are directly read by snapd when it is extracted. An \nattacker who could convince a user to install a malicious snap which\ncontained non-regular files at these paths could then cause snapd to block\nindefinitely trying to read from such files and cause a denial of service."
}
],
"impacts": [
{
"capecId": "CAPEC-586",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-586 Object Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-25T19:28:05.480Z",
"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"shortName": "canonical"
},
"references": [
{
"url": "https://github.com/snapcore/snapd/commit/b66fee81606a1c05f965a876ccbaf44174194063"
},
{
"url": "https://github.com/snapcore/snapd/pull/13682"
}
],
"title": "snapd non-regular file indefinite blocking read"
}
},
"cveMetadata": {
"assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"assignerShortName": "canonical",
"cveId": "CVE-2024-29068",
"datePublished": "2024-07-25T19:28:05.480Z",
"dateReserved": "2024-03-14T23:09:12.771Z",
"dateUpdated": "2024-08-02T01:03:51.709Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-1724 (GCVE-0-2024-1724)
Vulnerability from cvelistv5 – Published: 2024-07-25 19:05 – Updated: 2024-08-01 18:48
VLAI?
Title
snapd allows $HOME/bin symlink
Summary
In snapd versions prior to 2.62, when using AppArmor for enforcement of
sandbox permissions, snapd failed to restrict writes to the $HOME/bin
path. In Ubuntu, when this path exists, it is automatically added to
the users PATH. An attacker who could convince a user to install a
malicious snap which used the 'home' plug could use this vulnerability
to install arbitrary scripts into the users PATH which may then be run
by the user outside of the expected snap sandbox and hence allow them
to escape confinement.
Severity ?
6.3 (Medium)
CWE
- CWE-732 - Incorrect Permission Assignment for Critical Resource
Assigner
References
Credits
Neil McPhail
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:canonical:snapd:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "snapd",
"vendor": "canonical",
"versions": [
{
"lessThan": "2.62",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-1724",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-25T19:25:43.941220Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-25T19:28:23.939Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T18:48:21.887Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/snapcore/snapd/commit/aa191f97713de8dc3ce3ac818539f0b976eb8ef6"
},
{
"tags": [
"x_transferred"
],
"url": "https://gld.mcphail.uk/posts/explaining-cve-2024-1724/"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/snapcore/snapd/pull/13689"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"Generated AppArmor policy"
],
"packageName": "snapd",
"platforms": [
"Linux"
],
"product": "snap",
"programFiles": [
"interfaces/builtin/home.go"
],
"programRoutines": [
{
"name": "homeConnectedPlugAppArmor"
}
],
"repo": "https://github.com/snapcore/snapd/",
"vendor": "Canonical",
"versions": [
{
"lessThan": "2.62",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Neil McPhail"
}
],
"datePublic": "2024-03-13T08:27:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "In snapd versions prior to 2.62, when using AppArmor for enforcement of \nsandbox permissions, snapd failed to restrict writes to the $HOME/bin\npath. In Ubuntu, when this path exists, it is automatically added to\nthe users PATH. An attacker who could convince a user to install a\nmalicious snap which used the \u0027home\u0027 plug could use this vulnerability\nto install arbitrary scripts into the users PATH which may then be run\nby the user outside of the expected snap sandbox and hence allow them\nto escape confinement."
}
],
"impacts": [
{
"capecId": "CAPEC-1",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-732",
"description": "CWE-732 Incorrect Permission Assignment for Critical Resource",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-25T19:13:07.140Z",
"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"shortName": "canonical"
},
"references": [
{
"url": "https://github.com/snapcore/snapd/commit/aa191f97713de8dc3ce3ac818539f0b976eb8ef6"
},
{
"url": "https://gld.mcphail.uk/posts/explaining-cve-2024-1724/"
},
{
"url": "https://github.com/snapcore/snapd/pull/13689"
}
],
"title": "snapd allows $HOME/bin symlink"
}
},
"cveMetadata": {
"assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"assignerShortName": "canonical",
"cveId": "CVE-2024-1724",
"datePublished": "2024-07-25T19:05:23.299Z",
"dateReserved": "2024-02-21T19:46:47.236Z",
"dateUpdated": "2024-08-01T18:48:21.887Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-27352 (GCVE-0-2020-27352)
Vulnerability from cvelistv5 – Published: 2024-06-21 20:06 – Updated: 2024-08-04 16:11
VLAI?
Summary
When generating the systemd service units for the docker snap (and other similar snaps), snapd does not specify Delegate=yes - as a result systemd will move processes from the containers created and managed by these snaps into the cgroup of the main daemon within the snap itself when reloading system units. This may grant additional privileges to a container within the snap that were not originally intended.
Severity ?
9.3 (Critical)
CWE
- CWE-269 - Improper Privilege Management
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Canonical Ltd. | snapd |
Affected:
0 , < 2.48.3
(semver)
|
Credits
Gilad Reti
Nimrod Stoler
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:canonical:snapd:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "snapd",
"vendor": "canonical",
"versions": [
{
"lessThan": "2.48.3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2020-27352",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-05T13:14:07.392127Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269 Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-09T20:56:52.326Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-04T16:11:36.612Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"issue-tracking",
"x_transferred"
],
"url": "https://bugs.launchpad.net/snapd/+bug/1910456"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://ubuntu.com/security/notices/USN-4728-1"
},
{
"tags": [
"issue-tracking",
"x_transferred"
],
"url": "https://www.cve.org/CVERecord?id=CVE-2020-27352"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"packageName": "snapd",
"platforms": [
"Linux"
],
"product": "snapd",
"repo": "https://github.com/snapcore/snapd",
"vendor": "Canonical Ltd.",
"versions": [
{
"lessThan": "2.48.3",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Gilad Reti"
},
{
"lang": "en",
"type": "finder",
"value": "Nimrod Stoler"
}
],
"descriptions": [
{
"lang": "en",
"value": "When generating the systemd service units for the docker snap (and other similar snaps), snapd does not specify Delegate=yes - as a result systemd will move processes from the containers created and managed by these snaps into the cgroup of the main daemon within the snap itself when reloading system units. This may grant additional privileges to a container within the snap that were not originally intended."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"providerMetadata": {
"dateUpdated": "2024-06-21T20:06:37.992Z",
"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"shortName": "canonical"
},
"references": [
{
"tags": [
"issue-tracking"
],
"url": "https://bugs.launchpad.net/snapd/+bug/1910456"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://ubuntu.com/security/notices/USN-4728-1"
},
{
"tags": [
"issue-tracking"
],
"url": "https://www.cve.org/CVERecord?id=CVE-2020-27352"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"assignerShortName": "canonical",
"cveId": "CVE-2020-27352",
"datePublished": "2024-06-21T20:06:37.992Z",
"dateReserved": "2020-10-20T00:00:00.000Z",
"dateUpdated": "2024-08-04T16:11:36.612Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-5138 (GCVE-0-2024-5138)
Vulnerability from cvelistv5 – Published: 2024-05-31 21:02 – Updated: 2024-09-06 19:48
VLAI?
Summary
The snapctl component within snapd allows a confined snap to interact with the snapd daemon to take certain privileged actions on behalf of the snap. It was found that snapctl did not properly parse command-line arguments, allowing an unprivileged user to trigger an authorised action on behalf of the snap that would normally require administrator privileges to perform. This could possibly allow an unprivileged user to perform a denial of service or similar.
Severity ?
8.1 (High)
CWE
- CWE-20 - Improper Input Validation
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Canonical Ltd. | snapd |
Affected:
0 , < 68ee9c6aa916ab87dbfd9a26030690f2cabf1e14
(custom)
|
Credits
Rory McNamara from Snyk Security Labs
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T21:03:10.778Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"patch",
"x_transferred"
],
"url": "https://github.com/snapcore/snapd/commit/68ee9c6aa916ab87dbfd9a26030690f2cabf1e14"
},
{
"tags": [
"issue-tracking",
"x_transferred"
],
"url": "https://bugs.launchpad.net/snapd/+bug/2065077"
},
{
"tags": [
"issue-tracking",
"x_transferred"
],
"url": "https://www.cve.org/CVERecord?id=CVE-2024-5138"
},
{
"tags": [
"issue-tracking",
"x_transferred"
],
"url": "https://github.com/snapcore/snapd/security/advisories/GHSA-p9v8-q5m4-pf46"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:canonical:snapd:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "snapd",
"vendor": "canonical",
"versions": [
{
"lessThan": "68ee9c6aa916ab87dbfd9a26030690f2cabf1e14",
"status": "affected",
"version": "0",
"versionType": "git"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-5138",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-07T19:03:04.672013Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-06T19:48:49.508Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"packageName": "snapd",
"platforms": [
"Linux"
],
"product": "snapd",
"repo": "https://github.com/snapcore/snapd",
"vendor": "Canonical Ltd.",
"versions": [
{
"lessThan": "68ee9c6aa916ab87dbfd9a26030690f2cabf1e14",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Rory McNamara from Snyk Security Labs"
}
],
"descriptions": [
{
"lang": "en",
"value": "The snapctl component within snapd allows a confined snap to interact with the snapd daemon to take certain privileged actions on behalf of the snap. It was found that snapctl did not properly parse command-line arguments, allowing an unprivileged user to trigger an authorised action on behalf of the snap that would normally require administrator privileges to perform. This could possibly allow an unprivileged user to perform a denial of service or similar."
}
],
"providerMetadata": {
"dateUpdated": "2024-06-19T01:17:51.897Z",
"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"shortName": "canonical"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/snapcore/snapd/commit/68ee9c6aa916ab87dbfd9a26030690f2cabf1e14"
},
{
"tags": [
"issue-tracking"
],
"url": "https://bugs.launchpad.net/snapd/+bug/2065077"
},
{
"tags": [
"issue-tracking"
],
"url": "https://www.cve.org/CVERecord?id=CVE-2024-5138"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/snapcore/snapd/security/advisories/GHSA-p9v8-q5m4-pf46"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"assignerShortName": "canonical",
"cveId": "CVE-2024-5138",
"datePublished": "2024-05-31T21:02:19.979Z",
"dateReserved": "2024-05-19T22:29:02.330Z",
"dateUpdated": "2024-09-06T19:48:49.508Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-3328 (GCVE-0-2022-3328)
Vulnerability from cvelistv5 – Published: 2024-01-08 18:04 – Updated: 2025-06-03 14:35
VLAI?
Summary
Race condition in snap-confine's must_mkdir_and_open_with_perms()
Severity ?
7.8 (High)
CWE
- CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Canonical Ltd. | snapd |
Affected:
0 , < 2.61.1
(semver)
|
Credits
Qualys
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T01:07:06.423Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"issue-tracking",
"x_transferred"
],
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3328"
},
{
"tags": [
"third-party-advisory",
"x_transferred"
],
"url": "https://ubuntu.com/security/notices/USN-5753-1"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-3328",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-08T20:08:36.326851Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-362",
"description": "CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-03T14:35:04.952Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"packageName": "snapd",
"platforms": [
"Linux"
],
"product": "snapd",
"repo": "https://github.com/snapcore/snapd",
"vendor": "Canonical Ltd.",
"versions": [
{
"lessThan": "2.61.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Qualys"
}
],
"descriptions": [
{
"lang": "en",
"value": "Race condition in snap-confine\u0027s must_mkdir_and_open_with_perms()"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"providerMetadata": {
"dateUpdated": "2024-01-08T18:04:10.534Z",
"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"shortName": "canonical"
},
"references": [
{
"tags": [
"issue-tracking"
],
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3328"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://ubuntu.com/security/notices/USN-5753-1"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"assignerShortName": "canonical",
"cveId": "CVE-2022-3328",
"datePublished": "2024-01-08T18:04:10.534Z",
"dateReserved": "2022-09-27T00:03:34.151Z",
"dateUpdated": "2025-06-03T14:35:04.952Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-1523 (GCVE-0-2023-1523)
Vulnerability from cvelistv5 – Published: 2023-09-01 18:41 – Updated: 2024-10-01 13:08
VLAI?
Summary
Using the TIOCLINUX ioctl request, a malicious snap could inject contents into the input of the controlling terminal which could allow it to cause arbitrary commands to be executed outside of the snap sandbox after the snap exits. Graphical terminal emulators like xterm, gnome-terminal and others are not affected - this can only be exploited when snaps are run on a virtual console.
Severity ?
10 (Critical)
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Canonical Ltd. | snapd |
Unaffected:
2.59.5
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T05:49:11.645Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://ubuntu.com/security/notices/USN-6125-1"
},
{
"tags": [
"issue-tracking",
"x_transferred"
],
"url": "https://github.com/snapcore/snapd/pull/12849"
},
{
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://marc.info/?l=oss-security\u0026m=167879021709955\u0026w=2"
},
{
"tags": [
"issue-tracking",
"x_transferred"
],
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1523"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-1523",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-01T13:08:37.894449Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-01T13:08:45.851Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com/snapcore/snapd/releases",
"packageName": "snapd",
"platforms": [
"Linux"
],
"product": "snapd",
"repo": "https://github.com/snapcore/snapd",
"vendor": "Canonical Ltd.",
"versions": [
{
"status": "unaffected",
"version": "2.59.5"
}
]
}
],
"datePublic": "2023-05-25T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Using the TIOCLINUX ioctl request, a malicious snap could inject contents into the input of the controlling terminal which could allow it to cause arbitrary commands to be executed outside of the snap sandbox after the snap exits. Graphical terminal emulators like xterm, gnome-terminal and others are not affected - this can only be exploited when snaps are run on a virtual console."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"providerMetadata": {
"dateUpdated": "2023-09-01T18:41:47.820Z",
"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"shortName": "canonical"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://ubuntu.com/security/notices/USN-6125-1"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/snapcore/snapd/pull/12849"
},
{
"tags": [
"mailing-list"
],
"url": "https://marc.info/?l=oss-security\u0026m=167879021709955\u0026w=2"
},
{
"tags": [
"issue-tracking"
],
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1523"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"assignerShortName": "canonical",
"cveId": "CVE-2023-1523",
"datePublished": "2023-09-01T18:41:47.820Z",
"dateReserved": "2023-03-20T17:41:17.600Z",
"dateUpdated": "2024-10-01T13:08:45.851Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-4120 (GCVE-0-2021-4120)
Vulnerability from cvelistv5 – Published: 2022-02-17 22:15 – Updated: 2024-08-03 17:16
VLAI?
Title
snapd could be made to bypass intended access restrictions through snap content interfaces and layout paths
Summary
snapd 2.54.2 fails to perform sufficient validation of snap content interface and layout paths, resulting in the ability for snaps to inject arbitrary AppArmor policy rules via malformed content interface and layout declarations and hence escape strict snap confinement. Fixed in snapd versions 2.54.3+18.04, 2.54.3+20.04 and 2.54.3+21.10.1
Severity ?
8.2 (High)
CWE
- CWE-20 - Improper Input Validation
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Canonical Ltd. | snapd |
Affected:
unspecified , ≤ 2.54.2
(custom)
|
Credits
Ian Johnson
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T17:16:04.197Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://ubuntu.com/security/notices/USN-5292-1"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://bugs.launchpad.net/snapd/+bug/1949368"
},
{
"name": "[oss-security] 20220218 CVE-2021-4120: Insufficient validation of snap content interface and layout paths",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2022/02/18/2"
},
{
"name": "FEDORA-2022-82bea71e5a",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3QTBN7LLZISXIA4KU4UKDR27Q5PXDS2U/"
},
{
"name": "FEDORA-2022-5df8b52ba4",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XCGHG6LJAVJJ72TMART6A7N4Z6MSTGI7/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "snapd",
"vendor": "Canonical Ltd.",
"versions": [
{
"lessThanOrEqual": "2.54.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Ian Johnson"
}
],
"descriptions": [
{
"lang": "en",
"value": "snapd 2.54.2 fails to perform sufficient validation of snap content interface and layout paths, resulting in the ability for snaps to inject arbitrary AppArmor policy rules via malformed content interface and layout declarations and hence escape strict snap confinement. Fixed in snapd versions 2.54.3+18.04, 2.54.3+20.04 and 2.54.3+21.10.1"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-02-20T02:06:22",
"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"shortName": "canonical"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://ubuntu.com/security/notices/USN-5292-1"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://bugs.launchpad.net/snapd/+bug/1949368"
},
{
"name": "[oss-security] 20220218 CVE-2021-4120: Insufficient validation of snap content interface and layout paths",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2022/02/18/2"
},
{
"name": "FEDORA-2022-82bea71e5a",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3QTBN7LLZISXIA4KU4UKDR27Q5PXDS2U/"
},
{
"name": "FEDORA-2022-5df8b52ba4",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XCGHG6LJAVJJ72TMART6A7N4Z6MSTGI7/"
}
],
"source": {
"defect": [
"https://launchpad.net/bugs/1949368"
],
"discovery": "INTERNAL"
},
"title": "snapd could be made to bypass intended access restrictions through snap content interfaces and layout paths",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@ubuntu.com",
"ID": "CVE-2021-4120",
"STATE": "PUBLIC",
"TITLE": "snapd could be made to bypass intended access restrictions through snap content interfaces and layout paths"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "snapd",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_value": "2.54.2"
}
]
}
}
]
},
"vendor_name": "Canonical Ltd."
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Ian Johnson"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "snapd 2.54.2 fails to perform sufficient validation of snap content interface and layout paths, resulting in the ability for snaps to inject arbitrary AppArmor policy rules via malformed content interface and layout declarations and hence escape strict snap confinement. Fixed in snapd versions 2.54.3+18.04, 2.54.3+20.04 and 2.54.3+21.10.1"
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-20 Improper Input Validation"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://ubuntu.com/security/notices/USN-5292-1",
"refsource": "MISC",
"url": "https://ubuntu.com/security/notices/USN-5292-1"
},
{
"name": "https://bugs.launchpad.net/snapd/+bug/1949368",
"refsource": "MISC",
"url": "https://bugs.launchpad.net/snapd/+bug/1949368"
},
{
"name": "[oss-security] 20220218 CVE-2021-4120: Insufficient validation of snap content interface and layout paths",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2022/02/18/2"
},
{
"name": "FEDORA-2022-82bea71e5a",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3QTBN7LLZISXIA4KU4UKDR27Q5PXDS2U/"
},
{
"name": "FEDORA-2022-5df8b52ba4",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XCGHG6LJAVJJ72TMART6A7N4Z6MSTGI7/"
}
]
},
"source": {
"defect": [
"https://launchpad.net/bugs/1949368"
],
"discovery": "INTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"assignerShortName": "canonical",
"cveId": "CVE-2021-4120",
"datePublished": "2022-02-17T22:15:21",
"dateReserved": "2021-12-14T00:00:00",
"dateUpdated": "2024-08-03T17:16:04.197Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-44730 (GCVE-0-2021-44730)
Vulnerability from cvelistv5 – Published: 2022-02-17 22:15 – Updated: 2024-08-04 04:32
VLAI?
Title
snapd could be made to escalate privileges and run programs as administrator
Summary
snapd 2.54.2 did not properly validate the location of the snap-confine binary. A local attacker who can hardlink this binary to another location to cause snap-confine to execute other arbitrary binaries and hence gain privilege escalation. Fixed in snapd versions 2.54.3+18.04, 2.54.3+20.04 and 2.54.3+21.10.1
Severity ?
7.8 (High)
CWE
- CWE-59 - Improper Link Resolution Before File Access ('Link Following')
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Canonical Ltd. | snapd |
Affected:
unspecified , ≤ 2.54.2
(custom)
|
Credits
Qualys Research Team
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T04:32:12.268Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://ubuntu.com/security/notices/USN-5292-1"
},
{
"name": "[oss-security] 20220218 CVE-2021-4120: Insufficient validation of snap content interface and layout paths",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2022/02/18/2"
},
{
"name": "FEDORA-2022-82bea71e5a",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3QTBN7LLZISXIA4KU4UKDR27Q5PXDS2U/"
},
{
"name": "FEDORA-2022-5df8b52ba4",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XCGHG6LJAVJJ72TMART6A7N4Z6MSTGI7/"
},
{
"name": "DSA-5080",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2022/dsa-5080"
},
{
"name": "[oss-security] 20220223 Re: CVE-2021-44731: Race condition in snap-confine\u0027s setup_private_mount()",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2022/02/23/1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "snapd",
"vendor": "Canonical Ltd.",
"versions": [
{
"lessThanOrEqual": "2.54.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Qualys Research Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "snapd 2.54.2 did not properly validate the location of the snap-confine binary. A local attacker who can hardlink this binary to another location to cause snap-confine to execute other arbitrary binaries and hence gain privilege escalation. Fixed in snapd versions 2.54.3+18.04, 2.54.3+20.04 and 2.54.3+21.10.1"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-59",
"description": "CWE-59 Improper Link Resolution Before File Access (\u0027Link Following\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-02-23T12:06:05",
"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"shortName": "canonical"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://ubuntu.com/security/notices/USN-5292-1"
},
{
"name": "[oss-security] 20220218 CVE-2021-4120: Insufficient validation of snap content interface and layout paths",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2022/02/18/2"
},
{
"name": "FEDORA-2022-82bea71e5a",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3QTBN7LLZISXIA4KU4UKDR27Q5PXDS2U/"
},
{
"name": "FEDORA-2022-5df8b52ba4",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XCGHG6LJAVJJ72TMART6A7N4Z6MSTGI7/"
},
{
"name": "DSA-5080",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2022/dsa-5080"
},
{
"name": "[oss-security] 20220223 Re: CVE-2021-44731: Race condition in snap-confine\u0027s setup_private_mount()",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2022/02/23/1"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "snapd could be made to escalate privileges and run programs as administrator",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@ubuntu.com",
"ID": "CVE-2021-44730",
"STATE": "PUBLIC",
"TITLE": "snapd could be made to escalate privileges and run programs as administrator"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "snapd",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_value": "2.54.2"
}
]
}
}
]
},
"vendor_name": "Canonical Ltd."
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Qualys Research Team"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "snapd 2.54.2 did not properly validate the location of the snap-confine binary. A local attacker who can hardlink this binary to another location to cause snap-confine to execute other arbitrary binaries and hence gain privilege escalation. Fixed in snapd versions 2.54.3+18.04, 2.54.3+20.04 and 2.54.3+21.10.1"
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-59 Improper Link Resolution Before File Access (\u0027Link Following\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://ubuntu.com/security/notices/USN-5292-1",
"refsource": "MISC",
"url": "https://ubuntu.com/security/notices/USN-5292-1"
},
{
"name": "[oss-security] 20220218 CVE-2021-4120: Insufficient validation of snap content interface and layout paths",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2022/02/18/2"
},
{
"name": "FEDORA-2022-82bea71e5a",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3QTBN7LLZISXIA4KU4UKDR27Q5PXDS2U/"
},
{
"name": "FEDORA-2022-5df8b52ba4",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XCGHG6LJAVJJ72TMART6A7N4Z6MSTGI7/"
},
{
"name": "DSA-5080",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2022/dsa-5080"
},
{
"name": "[oss-security] 20220223 Re: CVE-2021-44731: Race condition in snap-confine\u0027s setup_private_mount()",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2022/02/23/1"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"assignerShortName": "canonical",
"cveId": "CVE-2021-44730",
"datePublished": "2022-02-17T22:15:18",
"dateReserved": "2021-12-08T00:00:00",
"dateUpdated": "2024-08-04T04:32:12.268Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-3155 (GCVE-0-2021-3155)
Vulnerability from cvelistv5 – Published: 2022-02-17 22:15 – Updated: 2024-08-03 16:45
VLAI?
Title
snapd created ~/snap with too-wide permissions
Summary
snapd 2.54.2 and earlier created ~/snap directories in user home directories without specifying owner-only permissions. This could allow a local attacker to read information that should have been private. Fixed in snapd versions 2.54.3+18.04, 2.54.3+20.04 and 2.54.3+21.10.1
Severity ?
CWE
- CWE-276 - Incorrect Default Permissions
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Canonical Ltd. | snapd |
Affected:
unspecified , ≤ 2.54.2
(custom)
|
Credits
James Troup
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T16:45:51.372Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://ubuntu.com/security/notices/USN-5292-1"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/snapcore/snapd/commit/6bcaeeccd16ed8298a301dd92f6907f88c24cc85"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/snapcore/snapd/commit/7d2a966620002149891446a53cf114804808dcca"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "snapd",
"vendor": "Canonical Ltd.",
"versions": [
{
"lessThanOrEqual": "2.54.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "James Troup"
}
],
"descriptions": [
{
"lang": "en",
"value": "snapd 2.54.2 and earlier created ~/snap directories in user home directories without specifying owner-only permissions. This could allow a local attacker to read information that should have been private. Fixed in snapd versions 2.54.3+18.04, 2.54.3+20.04 and 2.54.3+21.10.1"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 3.8,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-276",
"description": "CWE-276 Incorrect Default Permissions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-02-17T22:15:16",
"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"shortName": "canonical"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://ubuntu.com/security/notices/USN-5292-1"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/snapcore/snapd/commit/6bcaeeccd16ed8298a301dd92f6907f88c24cc85"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/snapcore/snapd/commit/7d2a966620002149891446a53cf114804808dcca"
}
],
"source": {
"discovery": "USER"
},
"title": "snapd created ~/snap with too-wide permissions",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@ubuntu.com",
"ID": "CVE-2021-3155",
"STATE": "PUBLIC",
"TITLE": "snapd created ~/snap with too-wide permissions"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "snapd",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_value": "2.54.2"
}
]
}
}
]
},
"vendor_name": "Canonical Ltd."
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "James Troup"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "snapd 2.54.2 and earlier created ~/snap directories in user home directories without specifying owner-only permissions. This could allow a local attacker to read information that should have been private. Fixed in snapd versions 2.54.3+18.04, 2.54.3+20.04 and 2.54.3+21.10.1"
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 3.8,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-276 Incorrect Default Permissions"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://ubuntu.com/security/notices/USN-5292-1",
"refsource": "MISC",
"url": "https://ubuntu.com/security/notices/USN-5292-1"
},
{
"name": "https://github.com/snapcore/snapd/commit/6bcaeeccd16ed8298a301dd92f6907f88c24cc85",
"refsource": "MISC",
"url": "https://github.com/snapcore/snapd/commit/6bcaeeccd16ed8298a301dd92f6907f88c24cc85"
},
{
"name": "https://github.com/snapcore/snapd/commit/7d2a966620002149891446a53cf114804808dcca",
"refsource": "MISC",
"url": "https://github.com/snapcore/snapd/commit/7d2a966620002149891446a53cf114804808dcca"
}
]
},
"source": {
"discovery": "USER"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"assignerShortName": "canonical",
"cveId": "CVE-2021-3155",
"datePublished": "2022-02-17T22:15:16",
"dateReserved": "2021-01-15T00:00:00",
"dateUpdated": "2024-08-03T16:45:51.372Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-44731 (GCVE-0-2021-44731)
Vulnerability from cvelistv5 – Published: 2022-02-17 00:00 – Updated: 2024-08-04 04:32
VLAI?
Title
snapd could be made to escalate privileges and run programs as administrator
Summary
A race condition existed in the snapd 2.54.2 snap-confine binary when preparing a private mount namespace for a snap. This could allow a local attacker to gain root privileges by bind-mounting their own contents inside the snap's private mount namespace and causing snap-confine to execute arbitrary code and hence gain privilege escalation. Fixed in snapd versions 2.54.3+18.04, 2.54.3+20.04 and 2.54.3+21.10.1
Severity ?
7.8 (High)
CWE
- CWE-362 - Race Condition (Concurrent Execution using Shared Resource with Improper Synchronization)
Assigner
References
| URL | Tags | |
|---|---|---|
|
|
||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Canonical Ltd. | snapd |
Affected:
unspecified , ≤ 2.54.2
(custom)
|
Credits
Qualys Research Team
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T04:32:12.887Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://ubuntu.com/security/notices/USN-5292-1"
},
{
"name": "[oss-security] 20220218 CVE-2021-4120: Insufficient validation of snap content interface and layout paths",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2022/02/18/2"
},
{
"name": "FEDORA-2022-82bea71e5a",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3QTBN7LLZISXIA4KU4UKDR27Q5PXDS2U/"
},
{
"name": "FEDORA-2022-5df8b52ba4",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XCGHG6LJAVJJ72TMART6A7N4Z6MSTGI7/"
},
{
"name": "DSA-5080",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://www.debian.org/security/2022/dsa-5080"
},
{
"name": "[oss-security] 20220223 Re: CVE-2021-44731: Race condition in snap-confine\u0027s setup_private_mount()",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2022/02/23/1"
},
{
"name": "[oss-security] 20220223 Re: CVE-2021-44731: Race condition in snap-confine\u0027s setup_private_mount()",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2022/02/23/2"
},
{
"name": "[oss-security] 20221130 Race condition in snap-confine\u0027s must_mkdir_and_open_with_perms() (CVE-2022-3328)",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2022/11/30/2"
},
{
"name": "20221208 Race condition in snap-confine\u0027s must_mkdir_and_open_with_perms() (CVE-2022-3328)",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "http://seclists.org/fulldisclosure/2022/Dec/4"
},
{
"tags": [
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/170176/snap-confine-must_mkdir_and_open_with_perms-Race-Condition.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "snapd",
"vendor": "Canonical Ltd.",
"versions": [
{
"lessThanOrEqual": "2.54.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Qualys Research Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A race condition existed in the snapd 2.54.2 snap-confine binary when preparing a private mount namespace for a snap. This could allow a local attacker to gain root privileges by bind-mounting their own contents inside the snap\u0027s private mount namespace and causing snap-confine to execute arbitrary code and hence gain privilege escalation. Fixed in snapd versions 2.54.3+18.04, 2.54.3+20.04 and 2.54.3+21.10.1"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-362",
"description": "CWE-362 Race Condition (Concurrent Execution using Shared Resource with Improper Synchronization)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-12-09T00:00:00",
"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"shortName": "canonical"
},
"references": [
{
"url": "https://ubuntu.com/security/notices/USN-5292-1"
},
{
"name": "[oss-security] 20220218 CVE-2021-4120: Insufficient validation of snap content interface and layout paths",
"tags": [
"mailing-list"
],
"url": "http://www.openwall.com/lists/oss-security/2022/02/18/2"
},
{
"name": "FEDORA-2022-82bea71e5a",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3QTBN7LLZISXIA4KU4UKDR27Q5PXDS2U/"
},
{
"name": "FEDORA-2022-5df8b52ba4",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XCGHG6LJAVJJ72TMART6A7N4Z6MSTGI7/"
},
{
"name": "DSA-5080",
"tags": [
"vendor-advisory"
],
"url": "https://www.debian.org/security/2022/dsa-5080"
},
{
"name": "[oss-security] 20220223 Re: CVE-2021-44731: Race condition in snap-confine\u0027s setup_private_mount()",
"tags": [
"mailing-list"
],
"url": "http://www.openwall.com/lists/oss-security/2022/02/23/1"
},
{
"name": "[oss-security] 20220223 Re: CVE-2021-44731: Race condition in snap-confine\u0027s setup_private_mount()",
"tags": [
"mailing-list"
],
"url": "http://www.openwall.com/lists/oss-security/2022/02/23/2"
},
{
"name": "[oss-security] 20221130 Race condition in snap-confine\u0027s must_mkdir_and_open_with_perms() (CVE-2022-3328)",
"tags": [
"mailing-list"
],
"url": "http://www.openwall.com/lists/oss-security/2022/11/30/2"
},
{
"name": "20221208 Race condition in snap-confine\u0027s must_mkdir_and_open_with_perms() (CVE-2022-3328)",
"tags": [
"mailing-list"
],
"url": "http://seclists.org/fulldisclosure/2022/Dec/4"
},
{
"url": "http://packetstormsecurity.com/files/170176/snap-confine-must_mkdir_and_open_with_perms-Race-Condition.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "snapd could be made to escalate privileges and run programs as administrator",
"x_generator": {
"engine": "Vulnogram 0.0.9"
}
}
},
"cveMetadata": {
"assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"assignerShortName": "canonical",
"cveId": "CVE-2021-44731",
"datePublished": "2022-02-17T00:00:00",
"dateReserved": "2021-12-08T00:00:00",
"dateUpdated": "2024-08-04T04:32:12.887Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-11934 (GCVE-0-2020-11934)
Vulnerability from cvelistv5 – Published: 2020-07-29 16:25 – Updated: 2024-09-17 04:04
VLAI?
Title
Sandbox escape vulnerability via snapctl user-open (xdg-open)
Summary
It was discovered that snapctl user-open allowed altering the $XDG_DATA_DIRS environment variable when calling the system xdg-open. OpenURL() in usersession/userd/launcher.go would alter $XDG_DATA_DIRS to append a path to a directory controlled by the calling snap. A malicious snap could exploit this to bypass intended access restrictions to control how the host system xdg-open script opens the URL and, for example, execute a script shipped with the snap without confinement. This issue did not affect Ubuntu Core systems. Fixed in snapd versions 2.45.1ubuntu0.2, 2.45.1+18.04.2 and 2.45.1+20.04.2.
Severity ?
5.9 (Medium)
CWE
- Sandbox escape vulnerability
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
Credits
James Henstridge
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T11:42:00.558Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://ubuntu.com/USN-4424-1"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://launchpad.net/bugs/1880085"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "snapd",
"vendor": "Canonical",
"versions": [
{
"changes": [
{
"at": "2.45.1+18.04.2",
"status": "unaffected"
},
{
"at": "2.45.1+20.04.2",
"status": "unaffected"
}
],
"lessThan": "2.45.1ubuntu0.2",
"status": "affected",
"version": "2.45.1",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "James Henstridge"
}
],
"datePublic": "2020-05-22T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "It was discovered that snapctl user-open allowed altering the $XDG_DATA_DIRS environment variable when calling the system xdg-open. OpenURL() in usersession/userd/launcher.go would alter $XDG_DATA_DIRS to append a path to a directory controlled by the calling snap. A malicious snap could exploit this to bypass intended access restrictions to control how the host system xdg-open script opens the URL and, for example, execute a script shipped with the snap without confinement. This issue did not affect Ubuntu Core systems. Fixed in snapd versions 2.45.1ubuntu0.2, 2.45.1+18.04.2 and 2.45.1+20.04.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Sandbox escape vulnerability",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-07-29T16:25:26",
"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"shortName": "canonical"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://ubuntu.com/USN-4424-1"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://launchpad.net/bugs/1880085"
}
],
"source": {
"advisory": "https://ubuntu.com/USN-4424-1",
"defect": [
"https://launchpad.net/bugs/1880085"
],
"discovery": "INTERNAL"
},
"title": "Sandbox escape vulnerability via snapctl user-open (xdg-open)",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"AKA": "",
"ASSIGNER": "security@ubuntu.com",
"DATE_PUBLIC": "2020-05-22T05:55:00.000Z",
"ID": "CVE-2020-11934",
"STATE": "PUBLIC",
"TITLE": "Sandbox escape vulnerability via snapctl user-open (xdg-open)"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "snapd",
"version": {
"version_data": [
{
"platform": "",
"version_affected": "\u003c",
"version_name": "2.45.1",
"version_value": "2.45.1ubuntu0.2"
},
{
"platform": "",
"version_affected": "\u003c",
"version_name": "2.45.1",
"version_value": "2.45.1+18.04.2"
},
{
"platform": "",
"version_affected": "\u003c",
"version_name": "2.45.1",
"version_value": "2.45.1+20.04.2"
}
]
}
}
]
},
"vendor_name": "Canonical"
}
]
}
},
"configuration": [],
"credit": [
{
"lang": "eng",
"value": "James Henstridge"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "It was discovered that snapctl user-open allowed altering the $XDG_DATA_DIRS environment variable when calling the system xdg-open. OpenURL() in usersession/userd/launcher.go would alter $XDG_DATA_DIRS to append a path to a directory controlled by the calling snap. A malicious snap could exploit this to bypass intended access restrictions to control how the host system xdg-open script opens the URL and, for example, execute a script shipped with the snap without confinement. This issue did not affect Ubuntu Core systems. Fixed in snapd versions 2.45.1ubuntu0.2, 2.45.1+18.04.2 and 2.45.1+20.04.2."
}
]
},
"exploit": [],
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Sandbox escape vulnerability"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://ubuntu.com/USN-4424-1",
"refsource": "CONFIRM",
"url": "https://ubuntu.com/USN-4424-1"
},
{
"name": "https://launchpad.net/bugs/1880085",
"refsource": "CONFIRM",
"url": "https://launchpad.net/bugs/1880085"
}
]
},
"solution": [],
"source": {
"advisory": "https://ubuntu.com/USN-4424-1",
"defect": [
"https://launchpad.net/bugs/1880085"
],
"discovery": "INTERNAL"
},
"work_around": []
}
}
},
"cveMetadata": {
"assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"assignerShortName": "canonical",
"cveId": "CVE-2020-11934",
"datePublished": "2020-07-29T16:25:26.118479Z",
"dateReserved": "2020-04-20T00:00:00",
"dateUpdated": "2024-09-17T04:04:04.329Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-11933 (GCVE-0-2020-11933)
Vulnerability from cvelistv5 – Published: 2020-07-29 16:25 – Updated: 2024-09-17 00:40
VLAI?
Title
local snapd exploit through cloud-init
Summary
cloud-init as managed by snapd on Ubuntu Core 16 and Ubuntu Core 18 devices was run without restrictions on every boot, which a physical attacker could exploit by crafting cloud-init user-data/meta-data via external media to perform arbitrary changes on the device to bypass intended security mechanisms such as full disk encryption. This issue did not affect traditional Ubuntu systems. Fixed in snapd version 2.45.2, revision 8539 and core version 2.45.2, revision 9659.
Severity ?
7.3 (High)
CWE
- CWE-264 - Permissions, Privileges, and Access Controls
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
Credits
Ian Johnson
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T11:42:00.821Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://launchpad.net/bugs/1879530"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://ubuntu.com/USN-4424-1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "snapd",
"vendor": "Canonical",
"versions": [
{
"lessThan": "2.45.2, revision 8539",
"status": "affected",
"version": "2.45.2",
"versionType": "custom"
}
]
},
{
"product": "core",
"vendor": "Canonical",
"versions": [
{
"lessThan": "2.45.2, revision 9659",
"status": "affected",
"version": "2.45.2",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Ian Johnson"
}
],
"datePublic": "2020-05-19T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "cloud-init as managed by snapd on Ubuntu Core 16 and Ubuntu Core 18 devices was run without restrictions on every boot, which a physical attacker could exploit by crafting cloud-init user-data/meta-data via external media to perform arbitrary changes on the device to bypass intended security mechanisms such as full disk encryption. This issue did not affect traditional Ubuntu systems. Fixed in snapd version 2.45.2, revision 8539 and core version 2.45.2, revision 9659."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"availabilityImpact": "NONE",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-264",
"description": "CWE-264 Permissions, Privileges, and Access Controls",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-07-29T16:25:25",
"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"shortName": "canonical"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://launchpad.net/bugs/1879530"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://ubuntu.com/USN-4424-1"
}
],
"source": {
"advisory": "https://ubuntu.com/USN-4424-1",
"defect": [
"https://launchpad.net/bugs/1879530"
],
"discovery": "INTERNAL"
},
"title": "local snapd exploit through cloud-init",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"AKA": "",
"ASSIGNER": "security@ubuntu.com",
"DATE_PUBLIC": "2020-05-19T16:34:00.000Z",
"ID": "CVE-2020-11933",
"STATE": "PUBLIC",
"TITLE": "local snapd exploit through cloud-init"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "snapd",
"version": {
"version_data": [
{
"platform": "",
"version_affected": "\u003c",
"version_name": "2.45.2",
"version_value": "2.45.2, revision 8539"
}
]
}
},
{
"product_name": "core",
"version": {
"version_data": [
{
"platform": "",
"version_affected": "\u003c",
"version_name": "2.45.2",
"version_value": "2.45.2, revision 9659"
}
]
}
}
]
},
"vendor_name": "Canonical"
}
]
}
},
"configuration": [],
"credit": [
{
"lang": "eng",
"value": "Ian Johnson"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "cloud-init as managed by snapd on Ubuntu Core 16 and Ubuntu Core 18 devices was run without restrictions on every boot, which a physical attacker could exploit by crafting cloud-init user-data/meta-data via external media to perform arbitrary changes on the device to bypass intended security mechanisms such as full disk encryption. This issue did not affect traditional Ubuntu systems. Fixed in snapd version 2.45.2, revision 8539 and core version 2.45.2, revision 9659."
}
]
},
"exploit": [],
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"availabilityImpact": "NONE",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-264 Permissions, Privileges, and Access Controls"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://launchpad.net/bugs/1879530",
"refsource": "CONFIRM",
"url": "https://launchpad.net/bugs/1879530"
},
{
"name": "https://ubuntu.com/USN-4424-1",
"refsource": "CONFIRM",
"url": "https://ubuntu.com/USN-4424-1"
}
]
},
"solution": [],
"source": {
"advisory": "https://ubuntu.com/USN-4424-1",
"defect": [
"https://launchpad.net/bugs/1879530"
],
"discovery": "INTERNAL"
},
"work_around": []
}
}
},
"cveMetadata": {
"assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"assignerShortName": "canonical",
"cveId": "CVE-2020-11933",
"datePublished": "2020-07-29T16:25:25.690070Z",
"dateReserved": "2020-04-20T00:00:00",
"dateUpdated": "2024-09-17T00:40:28.129Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-11503 (GCVE-0-2019-11503)
Vulnerability from cvelistv5 – Published: 2019-04-24 20:02 – Updated: 2024-08-04 22:55
VLAI?
Summary
snap-confine as included in snapd before 2.39 did not guard against symlink races when performing the chdir() to the current working directory of the calling user, aka a "cwd restore permission bypass."
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T22:55:40.652Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.openwall.com/lists/oss-security/2019/04/18/4"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/snapcore/snapd/pull/6642"
},
{
"name": "[oss-security] 20190425 Re: Security issues in snapcraft snap-confine set*id binary",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2019/04/25/7"
},
{
"name": "FEDORA-2019-b6612c5fe5",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6VACEKVQ7UAZ32WO4ZKCFW6YOBSYJ76L/"
},
{
"name": "FEDORA-2019-bc3dfb389f",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VPU6APEZHAA7N2AI57OT4J2P7NKHFOLM/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "snap-confine as included in snapd before 2.39 did not guard against symlink races when performing the chdir() to the current working directory of the calling user, aka a \"cwd restore permission bypass.\""
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-07-13T02:06:04",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.openwall.com/lists/oss-security/2019/04/18/4"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/snapcore/snapd/pull/6642"
},
{
"name": "[oss-security] 20190425 Re: Security issues in snapcraft snap-confine set*id binary",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2019/04/25/7"
},
{
"name": "FEDORA-2019-b6612c5fe5",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6VACEKVQ7UAZ32WO4ZKCFW6YOBSYJ76L/"
},
{
"name": "FEDORA-2019-bc3dfb389f",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VPU6APEZHAA7N2AI57OT4J2P7NKHFOLM/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-11503",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "snap-confine as included in snapd before 2.39 did not guard against symlink races when performing the chdir() to the current working directory of the calling user, aka a \"cwd restore permission bypass.\""
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.openwall.com/lists/oss-security/2019/04/18/4",
"refsource": "MISC",
"url": "https://www.openwall.com/lists/oss-security/2019/04/18/4"
},
{
"name": "https://github.com/snapcore/snapd/pull/6642",
"refsource": "MISC",
"url": "https://github.com/snapcore/snapd/pull/6642"
},
{
"name": "[oss-security] 20190425 Re: Security issues in snapcraft snap-confine set*id binary",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2019/04/25/7"
},
{
"name": "FEDORA-2019-b6612c5fe5",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6VACEKVQ7UAZ32WO4ZKCFW6YOBSYJ76L/"
},
{
"name": "FEDORA-2019-bc3dfb389f",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VPU6APEZHAA7N2AI57OT4J2P7NKHFOLM/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-11503",
"datePublished": "2019-04-24T20:02:44",
"dateReserved": "2019-04-24T00:00:00",
"dateUpdated": "2024-08-04T22:55:40.652Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-11502 (GCVE-0-2019-11502)
Vulnerability from cvelistv5 – Published: 2019-04-24 20:02 – Updated: 2024-08-04 22:55
VLAI?
Summary
snap-confine in snapd before 2.38 incorrectly set the ownership of a snap application to the uid and gid of the first calling user. Consequently, that user had unintended access to a private /tmp directory.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T22:55:40.662Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.openwall.com/lists/oss-security/2019/04/18/4"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/snapcore/snapd/commit/bdbfeebef03245176ae0dc323392bb0522a339b1"
},
{
"name": "[oss-security] 20190425 Re: Security issues in snapcraft snap-confine set*id binary",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2019/04/25/7"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "snap-confine in snapd before 2.38 incorrectly set the ownership of a snap application to the uid and gid of the first calling user. Consequently, that user had unintended access to a private /tmp directory."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-04-25T17:06:03",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.openwall.com/lists/oss-security/2019/04/18/4"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/snapcore/snapd/commit/bdbfeebef03245176ae0dc323392bb0522a339b1"
},
{
"name": "[oss-security] 20190425 Re: Security issues in snapcraft snap-confine set*id binary",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2019/04/25/7"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-11502",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "snap-confine in snapd before 2.38 incorrectly set the ownership of a snap application to the uid and gid of the first calling user. Consequently, that user had unintended access to a private /tmp directory."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.openwall.com/lists/oss-security/2019/04/18/4",
"refsource": "MISC",
"url": "https://www.openwall.com/lists/oss-security/2019/04/18/4"
},
{
"name": "https://github.com/snapcore/snapd/commit/bdbfeebef03245176ae0dc323392bb0522a339b1",
"refsource": "MISC",
"url": "https://github.com/snapcore/snapd/commit/bdbfeebef03245176ae0dc323392bb0522a339b1"
},
{
"name": "[oss-security] 20190425 Re: Security issues in snapcraft snap-confine set*id binary",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2019/04/25/7"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-11502",
"datePublished": "2019-04-24T20:02:32",
"dateReserved": "2019-04-24T00:00:00",
"dateUpdated": "2024-08-04T22:55:40.662Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}