cloud-init as managed by snapd on Ubuntu Core 16 and Ubuntu Core 18 devices was run without restrictions on every boot, which a physical attacker could exploit by crafting cloud-init user-data/meta-data via external media to perform arbitrary changes on the device to bypass intended security mechanisms such as full disk encryption. This issue did not affect traditional Ubuntu systems. Fixed in snapd version 2.45.2, revision 8539 and core version 2.45.2, revision 9659.
Published 2020-07-29 17:15:13
Updated 2021-11-04 17:45:26

Threat overview for CVE-2020-11933

Top open port discovered on systems with this issue: 80
IPs affected by CVE-2020-11933: 12,223
Threat actors abusing this issue? Yes

Exploit prediction scoring system (EPSS) score for CVE-2020-11933

EPSS score: 0.07% (probability of exploitation activity in the next 30 days)
Percentile: ~28% (the proportion of vulnerabilities that are scored at or less)

CVSS scores for CVE-2020-11933

| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
| 4.6 | MEDIUM | AV:L/AC:L/Au:N/C:P/I:P/A:P | 3.9 | 6.4 | NIST | |
| 6.8 | MEDIUM | CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 0.9 | 5.9 | NIST | |
| 7.3 | HIGH | CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N | 0.9 | 5.8 | Canonical Ltd. | |

CWE ids for CVE-2020-11933

  • Assigned by: security@ubuntu.com (Secondary)

References for CVE-2020-11933

Products affected by CVE-2020-11933
