snapd 2.54.2 fails to perform sufficient validation of snap content interface and layout paths, resulting in the ability for snaps to inject arbitrary AppArmor policy rules via malformed content interface and layout declarations and hence escape strict snap confinement. Fixed in snapd versions 2.54.3+18.04, 2.54.3+20.04 and 2.54.3+21.10.1
References
Link | Resource |
---|---|
http://www.openwall.com/lists/oss-security/2022/02/18/2 | Exploit Mailing List Third Party Advisory |
https://bugs.launchpad.net/snapd/+bug/1949368 | Exploit Issue Tracking Third Party Advisory |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3QTBN7LLZISXIA4KU4UKDR27Q5PXDS2U/ | |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XCGHG6LJAVJJ72TMART6A7N4Z6MSTGI7/ | |
https://ubuntu.com/security/notices/USN-5292-1 | Patch Vendor Advisory |
Configurations
Configuration 1 (hide)
|
Configuration 2 (hide)
|
Configuration 3 (hide)
|
History
01 Mar 2022, 17:07
Type | Values Removed | Values Added |
---|---|---|
CVSS |
v2 : v3 : |
v2 : 4.6
v3 : 7.8 |
References | (MISC) https://ubuntu.com/security/notices/USN-5292-1 - Patch, Vendor Advisory | |
References | (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XCGHG6LJAVJJ72TMART6A7N4Z6MSTGI7/ - Mailing List, Third Party Advisory | |
References | (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3QTBN7LLZISXIA4KU4UKDR27Q5PXDS2U/ - Mailing List, Third Party Advisory | |
References | (MLIST) http://www.openwall.com/lists/oss-security/2022/02/18/2 - Exploit, Mailing List, Third Party Advisory | |
References | (MISC) https://bugs.launchpad.net/snapd/+bug/1949368 - Exploit, Issue Tracking, Third Party Advisory | |
CWE | CWE-20 | |
CPE | cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:* cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:* cpe:2.3:o:canonical:ubuntu_linux:21.10:*:*:*:*:*:*:* cpe:2.3:a:canonical:snapd:*:*:*:*:*:*:*:* cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:* cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:* |
20 Feb 2022, 03:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
18 Feb 2022, 10:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
17 Feb 2022, 23:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2022-02-17 23:15
Updated : 2024-02-04 22:29
NVD link : CVE-2021-4120
Mitre link : CVE-2021-4120
CVE.ORG link : CVE-2021-4120
JSON object : View
Products Affected
canonical
- snapd
- ubuntu_linux
fedoraproject
- fedora
CWE
CWE-20
Improper Input Validation