snapd 2.54.2 fails to perform sufficient validation of snap content interface and layout paths, resulting in the ability for snaps to inject arbitrary AppArmor policy rules via malformed content interface and layout declarations and hence escape strict snap confinement. Fixed in snapd versions 2.54.3+18.04, 2.54.3+20.04 and 2.54.3+21.10.1
References
Link | Resource |
---|---|
http://www.openwall.com/lists/oss-security/2022/02/18/2 | Exploit Mailing List Third Party Advisory |
https://bugs.launchpad.net/snapd/+bug/1949368 | Exploit Issue Tracking Third Party Advisory |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3QTBN7LLZISXIA4KU4UKDR27Q5PXDS2U/ | |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XCGHG6LJAVJJ72TMART6A7N4Z6MSTGI7/ | |
https://ubuntu.com/security/notices/USN-5292-1 | Patch Vendor Advisory |
Configurations
Configuration 1 (hide)
|
Configuration 2 (hide)
|
Configuration 3 (hide)
|
History
07 Nov 2023, 03:40
Type | Values Removed | Values Added |
---|---|---|
References |
|
|
01 Mar 2022, 17:07
Type | Values Removed | Values Added |
---|---|---|
First Time |
Canonical ubuntu Linux
Fedoraproject fedora Canonical snapd Canonical Fedoraproject |
|
CVSS |
v2 : v3 : |
v2 : 4.6
v3 : 7.8 |
CWE | CWE-20 | |
References | (MLIST) http://www.openwall.com/lists/oss-security/2022/02/18/2 - Exploit, Mailing List, Third Party Advisory | |
References | (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3QTBN7LLZISXIA4KU4UKDR27Q5PXDS2U/ - Mailing List, Third Party Advisory | |
References | (MISC) https://ubuntu.com/security/notices/USN-5292-1 - Patch, Vendor Advisory | |
References | (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XCGHG6LJAVJJ72TMART6A7N4Z6MSTGI7/ - Mailing List, Third Party Advisory | |
References | (MISC) https://bugs.launchpad.net/snapd/+bug/1949368 - Exploit, Issue Tracking, Third Party Advisory | |
CPE | cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:* cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:* cpe:2.3:o:canonical:ubuntu_linux:21.10:*:*:*:*:*:*:* cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:* cpe:2.3:a:canonical:snapd:*:*:*:*:*:*:*:* cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:* |
20 Feb 2022, 03:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
18 Feb 2022, 10:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
17 Feb 2022, 23:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2022-02-17 23:15
Updated : 2023-12-10 14:22
NVD link : CVE-2021-4120
Mitre link : CVE-2021-4120
CVE.ORG link : CVE-2021-4120
JSON object : View
Products Affected
fedoraproject
- fedora
canonical
- ubuntu_linux
- snapd
CWE
CWE-20
Improper Input Validation