| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
1 |
CVE-2021-32556 |
78 |
|
|
2021-06-12 |
2021-06-23 |
2.1 |
None |
Local |
Low |
Not required |
None |
Partial |
None |
|
It was discovered that the get_modified_conffiles() function in backends/packaging-apt-dpkg.py allowed injecting modified package names in a manner that would confuse the dpkg(1) call. |
|
2 |
CVE-2021-32555 |
59 |
|
|
2021-06-12 |
2021-06-16 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
It was discovered that read_file() in apport/hookutils.py would follow symbolic links or open FIFOs. When this function is used by the xorg-hwe-18.04 package apport hooks, it could expose private data to other local users. |
|
3 |
CVE-2021-32554 |
59 |
|
|
2021-06-12 |
2021-06-16 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
It was discovered that read_file() in apport/hookutils.py would follow symbolic links or open FIFOs. When this function is used by the xorg package apport hooks, it could expose private data to other local users. |
|
4 |
CVE-2021-32553 |
59 |
|
|
2021-06-12 |
2021-06-16 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
It was discovered that read_file() in apport/hookutils.py would follow symbolic links or open FIFOs. When this function is used by the openjdk-17 package apport hooks, it could expose private data to other local users. |
|
5 |
CVE-2021-32552 |
59 |
|
|
2021-06-12 |
2021-06-15 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
It was discovered that read_file() in apport/hookutils.py would follow symbolic links or open FIFOs. When this function is used by the openjdk-16 package apport hooks, it could expose private data to other local users. |
|
6 |
CVE-2021-32551 |
59 |
|
|
2021-06-12 |
2021-06-15 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
It was discovered that read_file() in apport/hookutils.py would follow symbolic links or open FIFOs. When this function is used by the openjdk-15 package apport hooks, it could expose private data to other local users. |
|
7 |
CVE-2021-32550 |
59 |
|
|
2021-06-12 |
2021-06-15 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
It was discovered that read_file() in apport/hookutils.py would follow symbolic links or open FIFOs. When this function is used by the openjdk-14 package apport hooks, it could expose private data to other local users. |
|
8 |
CVE-2021-32549 |
59 |
|
|
2021-06-12 |
2021-06-15 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
It was discovered that read_file() in apport/hookutils.py would follow symbolic links or open FIFOs. When this function is used by the openjdk-13 package apport hooks, it could expose private data to other local users. |
|
9 |
CVE-2021-32548 |
59 |
|
|
2021-06-12 |
2021-06-15 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
It was discovered that read_file() in apport/hookutils.py would follow symbolic links or open FIFOs. When this function is used by the openjdk-8 package apport hooks, it could expose private data to other local users. |
|
10 |
CVE-2021-32547 |
59 |
|
|
2021-06-12 |
2021-06-15 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
It was discovered that read_file() in apport/hookutils.py would follow symbolic links or open FIFOs. When this function is used by the openjdk-lts package apport hooks, it could expose private data to other local users. |
|
11 |
CVE-2021-4115 |
|
|
|
2022-02-21 |
2022-08-09 |
2.1 |
None |
Local |
Low |
Not required |
None |
None |
Partial |
|
There is a flaw in polkit which can allow an unprivileged user to cause polkit to crash, due to process file descriptor exhaustion. The highest threat from this vulnerability is to availability. NOTE: Polkit process outage duration is tied to the failing process being reaped and a new one being spawned |
|
12 |
CVE-2021-3155 |
276 |
|
|
2022-02-17 |
2022-02-25 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
snapd 2.54.2 and earlier created ~/snap directories in user home directories without specifying owner-only permissions. This could allow a local attacker to read information that should have been private. Fixed in snapd versions 2.54.3+18.04, 2.54.3+20.04 and 2.54.3+21.10.1 |
|
13 |
CVE-2020-27349 |
862 |
|
|
2020-12-09 |
2020-12-11 |
2.1 |
None |
Local |
Low |
Not required |
None |
None |
Partial |
|
Aptdaemon performed policykit checks after interacting with potentially untrusted files with elevated privileges. This affected versions prior to 1.1.1+bzr982-0ubuntu34.1, 1.1.1+bzr982-0ubuntu32.3, 1.1.1+bzr982-0ubuntu19.5, 1.1.1+bzr982-0ubuntu14.5. |
|
14 |
CVE-2020-26088 |
276 |
|
Bypass |
2020-09-24 |
2022-04-27 |
2.1 |
None |
Local |
Low |
Not required |
None |
Partial |
None |
|
A missing CAP_NET_RAW check in NFC socket creation in net/nfc/rawsock.c in the Linux kernel before 5.8.2 could be used by local attackers to create raw sockets, bypassing security mechanisms, aka CID-26896f01467a. |
|
15 |
CVE-2020-16128 |
209 |
|
|
2020-12-09 |
2020-12-11 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
The aptdaemon DBus interface disclosed file existence disclosure by setting Terminal/DebconfSocket properties, aka GHSL-2020-192 and GHSL-2020-196. This affected versions prior to 1.1.1+bzr982-0ubuntu34.1, 1.1.1+bzr982-0ubuntu32.3, 1.1.1+bzr982-0ubuntu19.5, 1.1.1+bzr982-0ubuntu14.5. |
|
16 |
CVE-2020-16123 |
362 |
|
|
2020-12-04 |
2020-12-10 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
An Ubuntu-specific patch in PulseAudio created a race condition where the snap policy module would fail to identify a client connection from a snap as coming from a snap if SCM_CREDENTIALS were missing, allowing the snap to connect to PulseAudio without proper confinement. This could be exploited by an attacker to expose sensitive information. Fixed in 1:13.99.3-1ubuntu2, 1:13.99.2-1ubuntu2.1, 1:13.99.1-1ubuntu3.8, 1:11.1-1ubuntu7.11, and 1:8.0-0ubuntu3.15. |
|
17 |
CVE-2020-16122 |
345 |
|
|
2020-11-07 |
2022-10-21 |
2.1 |
None |
Local |
Low |
Not required |
None |
Partial |
None |
|
PackageKit's apt backend mistakenly treated all local debs as trusted. The apt security model is based on repository trust and not on the contents of individual files. On sites with configured PolicyKit rules this may allow users to install malicious packages. |
|
18 |
CVE-2020-16121 |
209 |
|
|
2020-11-07 |
2020-11-18 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
PackageKit provided detailed error messages to unprivileged callers that exposed information about file presence and mimetype of files that the user would be unable to determine on its own. |
|
19 |
CVE-2020-16120 |
|
|
|
2021-02-10 |
2021-11-18 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
Overlayfs did not properly perform permission checking when copying up files in an overlayfs and could be exploited from within a user namespace, if, for example, unprivileged user namespaces were allowed. It was possible to have a file not readable by an unprivileged user to be copied to a mountpoint controlled by the user, like a removable device. This was introduced in kernel version 4.19 by commit d1d04ef ("ovl: stack file ops"). This was fixed in kernel version 5.8 by commits 56230d9 ("ovl: verify permissions in ovl_path_open()"), 48bd024 ("ovl: switch to mounter creds in readdir") and 05acefb ("ovl: check permission to open real file"). Additionally, commits 130fdbc ("ovl: pass correct flags for opening real directory") and 292f902 ("ovl: call secutiry hook in ovl_real_ioctl()") in kernel 5.8 might also be desired or necessary. These additional commits introduced a regression in overlay mounts within user namespaces which prevented access to files with ownership outside of the user namespace. This regression was mitigated by subsequent commit b6650da ("ovl: do not fail because of O_NOATIMEi") in kernel 5.11. |
|
20 |
CVE-2020-16092 |
617 |
|
DoS |
2020-08-11 |
2022-09-30 |
2.1 |
None |
Local |
Low |
Not required |
None |
None |
Partial |
|
In QEMU through 5.0.0, an assertion failure can occur in the network packet processing. This issue affects the e1000e and vmxnet3 network devices. A malicious guest user/process could use this flaw to abort the QEMU process on the host, resulting in a denial of service condition in net_tx_pkt_add_raw_fragment in hw/net/net_tx_pkt.c. |
|
21 |
CVE-2020-15709 |
|
|
|
2020-09-05 |
2020-09-16 |
2.1 |
None |
Local |
Low |
Not required |
None |
Partial |
None |
|
Versions of add-apt-repository before 0.98.9.2, 0.96.24.32.14, 0.96.20.10, and 0.92.37.8ubuntu0.1~esm1, printed a PPA (personal package archive) description to the terminal as-is, which allowed PPA owners to provide ANSI terminal escapes to modify terminal contents in unexpected ways. |
|
22 |
CVE-2020-15701 |
755 |
|
DoS |
2020-08-06 |
2023-01-24 |
2.1 |
None |
Local |
Low |
Not required |
None |
None |
Partial |
|
An unhandled exception in check_ignored() in apport/report.py can be exploited by a local attacker to cause a denial of service. If the mtime attribute is a string value in apport-ignore.xml, it will trigger an unhandled exception, resulting in a crash. Fixed in 2.20.1-0ubuntu2.24, 2.20.9-0ubuntu7.16, 2.20.11-0ubuntu27.6. |
|
23 |
CVE-2020-15393 |
401 |
|
|
2020-06-29 |
2022-04-28 |
2.1 |
None |
Local |
Low |
Not required |
None |
None |
Partial |
|
In the Linux kernel 4.4 through 5.7.6, usbtest_disconnect in drivers/usb/misc/usbtest.c has a memory leak, aka CID-28ebeb8db770. |
|
24 |
CVE-2020-15358 |
787 |
|
Overflow |
2020-06-27 |
2022-05-12 |
2.1 |
None |
Local |
Low |
Not required |
None |
None |
Partial |
|
In SQLite before 3.32.3, select.c mishandles query-flattener optimization, leading to a multiSelectOrderBy heap overflow because of misuse of transitive properties for constant propagation. |
|
25 |
CVE-2020-15306 |
787 |
|
Overflow |
2020-06-26 |
2022-09-02 |
2.1 |
None |
Local |
Low |
Not required |
None |
None |
Partial |
|
An issue was discovered in OpenEXR before v2.5.2. Invalid chunkCount attributes could cause a heap buffer overflow in getChunkOffsetTableSize() in IlmImf/ImfMisc.cpp. |
|
26 |
CVE-2020-15305 |
416 |
|
|
2020-06-26 |
2022-09-02 |
2.1 |
None |
Local |
Low |
Not required |
None |
None |
Partial |
|
An issue was discovered in OpenEXR before 2.5.2. Invalid input could cause a use-after-free in DeepScanLineInputFile::DeepScanLineInputFile() in IlmImf/ImfDeepScanLineInputFile.cpp. |
|
27 |
CVE-2020-15157 |
522 |
|
|
2020-10-16 |
2021-11-18 |
2.6 |
None |
Remote |
High |
Not required |
Partial |
None |
None |
|
In containerd (an industry-standard container runtime) before version 1.2.14 there is a credential leaking vulnerability. If a container image manifest in the OCI Image format or Docker Image V2 Schema 2 format includes a URL for the location of a specific image layer (otherwise known as a “foreign layer”), the default containerd resolver will follow that URL to attempt to download it. In v1.2.x but not 1.3.0 or later, the default containerd resolver will provide its authentication credentials if the server where the URL is located presents an HTTP 401 status code along with registry-specific HTTP headers. If an attacker publishes a public image with a manifest that directs one of the layers to be fetched from a web server they control and they trick a user or system into pulling the image, they can obtain the credentials used for pulling that image. In some cases, this may be the user's username and password for the registry. In other cases, this may be the credentials attached to the cloud virtual instance which can grant access to other cloud resources in the account. The default containerd resolver is used by the cri-containerd plugin (which can be used by Kubernetes), the ctr development tool, and other client programs that have explicitly linked against it. This vulnerability has been fixed in containerd 1.2.14. containerd 1.3 and later are not affected. If you are using containerd 1.3 or later, you are not affected. If you are using cri-containerd in the 1.2 series or prior, you should ensure you only pull images from trusted sources. Other container runtimes built on top of containerd but not using the default resolver (such as Docker) are not affected. |
|
28 |
CVE-2020-15011 |
74 |
|
|
2020-06-24 |
2021-11-30 |
2.6 |
None |
Remote |
High |
Not required |
None |
Partial |
None |
|
GNU Mailman before 2.1.33 allows arbitrary content injection via the Cgi/private.py private archive login page. |
|
29 |
CVE-2020-14415 |
369 |
|
|
2020-08-27 |
2020-09-02 |
2.1 |
None |
Local |
Low |
Not required |
None |
None |
Partial |
|
oss_write in audio/ossaudio.c in QEMU before 5.0.0 mishandles a buffer position. |
|
30 |
CVE-2020-14392 |
119 |
|
Overflow Mem. Corr. |
2020-09-16 |
2021-10-19 |
2.1 |
None |
Local |
Low |
Not required |
None |
None |
Partial |
|
An untrusted pointer dereference flaw was found in Perl-DBI < 1.643. A local attacker who is able to manipulate calls to dbd_db_login6_sv() could cause memory corruption, affecting the service's availability. |
|
31 |
CVE-2020-14378 |
191 |
|
|
2020-09-30 |
2022-11-07 |
2.1 |
None |
Local |
Low |
Not required |
None |
None |
Partial |
|
An integer underflow in dpdk versions before 18.11.10 and before 19.11.5 in the `move_desc` function can lead to large amounts of CPU cycles being eaten up in a long running loop. An attacker could cause `move_desc` to get stuck in a 4,294,967,295-count iteration loop. Depending on how `vhost_crypto` is being used this could prevent other VMs or network tasks from being serviced by the busy DPDK lcore for an extended period. |
|
32 |
CVE-2020-14314 |
125 |
|
|
2020-09-15 |
2022-10-25 |
2.1 |
None |
Local |
Low |
Not required |
None |
None |
Partial |
|
A memory out-of-bounds read flaw was found in the Linux kernel before 5.9-rc2 with the ext3/ext4 file system, in the way it accesses a directory with broken indexing. This flaw allows a local user to crash the system if the directory exists. The highest threat from this vulnerability is to system availability. |
|
33 |
CVE-2020-13632 |
476 |
|
|
2020-05-27 |
2022-05-13 |
2.1 |
None |
Local |
Low |
Not required |
None |
None |
Partial |
|
ext/fts3/fts3_snippet.c in SQLite before 3.32.0 has a NULL pointer dereference via a crafted matchinfo() query. |
|
34 |
CVE-2020-13631 |
|
|
|
2020-05-27 |
2022-05-13 |
2.1 |
None |
Local |
Low |
Not required |
None |
Partial |
None |
|
SQLite before 3.32.0 allows a virtual table to be renamed to the name of one of its shadow tables, related to alter.c and build.c. |
|
35 |
CVE-2020-13434 |
190 |
|
Overflow |
2020-05-24 |
2023-01-09 |
2.1 |
None |
Local |
Low |
Not required |
None |
None |
Partial |
|
SQLite through 3.32.0 has an integer overflow in sqlite3_str_vappendf in printf.c. |
|
36 |
CVE-2020-13397 |
125 |
|
|
2020-05-22 |
2020-11-09 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
An issue was discovered in FreeRDP before 2.1.1. An out-of-bounds (OOB) read vulnerability has been detected in security_fips_decrypt in libfreerdp/core/security.c due to an uninitialized value. |
|
37 |
CVE-2020-13362 |
125 |
|
|
2020-05-28 |
2022-11-29 |
2.1 |
None |
Local |
Low |
Not required |
None |
None |
Partial |
|
In QEMU 5.0.0 and earlier, megasas_lookup_frame in hw/scsi/megasas.c has an out-of-bounds read via a crafted reply_queue_head field from a guest OS user. |
|
38 |
CVE-2020-13253 |
125 |
|
|
2020-05-27 |
2022-09-23 |
2.1 |
None |
Local |
Low |
Not required |
None |
None |
Partial |
|
sd_wp_addr in hw/sd/sd.c in QEMU 4.2.0 uses an unvalidated address, which leads to an out-of-bounds read during sdhci_write() operations. A guest OS user can crash the QEMU process. |
|
39 |
CVE-2020-12867 |
476 |
|
DoS |
2020-06-01 |
2022-11-16 |
2.1 |
None |
Local |
Low |
Not required |
None |
None |
Partial |
|
A NULL pointer dereference in sanei_epson_net_read in SANE Backends before 1.0.30 allows a malicious device connected to the same local network as the victim to cause a denial of service, aka GHSL-2020-075. |
|
40 |
CVE-2020-12866 |
476 |
|
DoS |
2020-06-24 |
2022-11-21 |
2.7 |
None |
Local Network |
Low |
??? |
None |
None |
Partial |
|
A NULL pointer dereference in SANE Backends before 1.0.30 allows a malicious device connected to the same local network as the victim to cause a denial of service, GHSL-2020-079. |
|
41 |
CVE-2020-12829 |
190 |
|
DoS Overflow |
2020-08-31 |
2020-12-14 |
2.1 |
None |
Local |
Low |
Not required |
None |
None |
Partial |
|
In QEMU through 5.0.0, an integer overflow was found in the SM501 display driver implementation. This flaw occurs in the COPY_AREA macro while handling MMIO write operations through the sm501_2d_engine_write() callback. A local attacker could abuse this flaw to crash the QEMU process in sm501_2d_operation() in hw/display/sm501.c on the host, resulting in a denial of service. |
|
42 |
CVE-2020-12768 |
401 |
|
|
2020-05-09 |
2022-04-27 |
2.1 |
None |
Local |
Low |
Not required |
None |
None |
Partial |
|
** DISPUTED ** An issue was discovered in the Linux kernel before 5.6. svm_cpu_uninit in arch/x86/kvm/svm.c has a memory leak, aka CID-d80b64ff297e. NOTE: third parties dispute this issue because it's a one-time leak at the boot, the size is negligible, and it can't be triggered at will. |
|
43 |
CVE-2020-12767 |
369 |
|
|
2020-05-09 |
2023-01-27 |
2.1 |
None |
Local |
Low |
Not required |
None |
None |
Partial |
|
exif_entry_get_value in exif-entry.c in libexif 0.6.21 has a divide-by-zero error. |
|
44 |
CVE-2020-12656 |
401 |
|
|
2020-05-05 |
2022-04-29 |
2.1 |
None |
Local |
Low |
Not required |
None |
None |
Partial |
|
** DISPUTED ** gss_mech_free in net/sunrpc/auth_gss/gss_mech_switch.c in the rpcsec_gss_krb5 implementation in the Linux kernel through 5.6.10 lacks certain domain_release calls, leading to a memory leak. Note: This was disputed with the assertion that the issue does not grant any access not already available. It is a problem that on unloading a specific kernel module some memory is leaked, but loading kernel modules is a privileged operation. A user could also write a kernel module to consume any amount of memory they like and load that replicating the effect of this bug. |
|
45 |
CVE-2020-12405 |
362 |
|
|
2020-07-09 |
2022-05-03 |
2.6 |
None |
Remote |
High |
Not required |
None |
None |
Partial |
|
When browsing a malicious page, a race condition in our SharedWorkerService could occur and lead to a potentially exploitable crash. This vulnerability affects Thunderbird < 68.9.0, Firefox < 77, and Firefox ESR < 68.9. |
|
46 |
CVE-2020-12392 |
22 |
|
Dir. Trav. |
2020-05-26 |
2022-04-26 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
The 'Copy as cURL' feature of Devtools' network tab did not properly escape the HTTP POST data of a request, which can be controlled by the website. If a user used the 'Copy as cURL' feature and pasted the command into a terminal, it could have resulted in the disclosure of local files. This vulnerability affects Firefox ESR < 68.8, Firefox < 76, and Thunderbird < 68.8.0. |
|
47 |
CVE-2020-11932 |
532 |
|
|
2020-05-13 |
2020-08-03 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
It was discovered that the Subiquity installer for Ubuntu Server logged the LUKS full disk encryption password if one was entered. |
|
48 |
CVE-2020-11931 |
668 |
|
Bypass |
2020-05-15 |
2020-05-19 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
An Ubuntu-specific modification to Pulseaudio to provide security mediation for Snap-packaged applications was found to have a bypass of intended access restriction for snaps which plugs any of pulseaudio, audio-playback or audio-record via unloading the pulseaudio snap policy module. This issue affects: pulseaudio 1:8.0 versions prior to 1:8.0-0ubuntu3.12; 1:11.1 versions prior to 1:11.1-1ubuntu7.7; 1:13.0 versions prior to 1:13.0-1ubuntu1.2; 1:13.99.1 versions prior to 1:13.99.1-1ubuntu3.2; |
|
49 |
CVE-2020-11494 |
908 |
|
|
2020-04-02 |
2022-04-29 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
An issue was discovered in slc_bump in drivers/net/can/slcan.c in the Linux kernel 3.16 through 5.6.2. It allows attackers to read uninitialized can_frame data, potentially containing sensitive information from kernel stack memory, if the configuration lacks CONFIG_INIT_STACK_ALL, aka CID-b9258a2cece4. |
|
50 |
CVE-2020-10756 |
125 |
|
+Info |
2020-07-09 |
2022-04-05 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
An out-of-bounds read vulnerability was found in the SLiRP networking implementation of the QEMU emulator. This flaw occurs in the icmp6_send_echoreply() routine while replying to an ICMP echo request, also known as ping. This flaw allows a malicious guest to leak the contents of the host memory, resulting in possible information disclosure. This flaw affects versions of libslirp before 4.3.1. |
