| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
1 |
CVE-2021-32552 |
59 |
|
|
2021-06-12 |
2021-06-15 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
It was discovered that read_file() in apport/hookutils.py would follow symbolic links or open FIFOs. When this function is used by the openjdk-16 package apport hooks, it could expose private data to other local users. |
|
2 |
CVE-2021-32551 |
59 |
|
|
2021-06-12 |
2021-06-15 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
It was discovered that read_file() in apport/hookutils.py would follow symbolic links or open FIFOs. When this function is used by the openjdk-15 package apport hooks, it could expose private data to other local users. |
|
3 |
CVE-2021-32550 |
59 |
|
|
2021-06-12 |
2021-06-15 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
It was discovered that read_file() in apport/hookutils.py would follow symbolic links or open FIFOs. When this function is used by the openjdk-14 package apport hooks, it could expose private data to other local users. |
|
4 |
CVE-2021-32549 |
59 |
|
|
2021-06-12 |
2021-06-15 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
It was discovered that read_file() in apport/hookutils.py would follow symbolic links or open FIFOs. When this function is used by the openjdk-13 package apport hooks, it could expose private data to other local users. |
|
5 |
CVE-2021-32548 |
59 |
|
|
2021-06-12 |
2021-06-15 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
It was discovered that read_file() in apport/hookutils.py would follow symbolic links or open FIFOs. When this function is used by the openjdk-8 package apport hooks, it could expose private data to other local users. |
|
6 |
CVE-2021-32547 |
59 |
|
|
2021-06-12 |
2021-06-15 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
It was discovered that read_file() in apport/hookutils.py would follow symbolic links or open FIFOs. When this function is used by the openjdk-lts package apport hooks, it could expose private data to other local users. |
|
7 |
CVE-2020-27349 |
862 |
|
|
2020-12-09 |
2020-12-11 |
2.1 |
None |
Local |
Low |
Not required |
None |
None |
Partial |
|
Aptdaemon performed policykit checks after interacting with potentially untrusted files with elevated privileges. This affected versions prior to 1.1.1+bzr982-0ubuntu34.1, 1.1.1+bzr982-0ubuntu32.3, 1.1.1+bzr982-0ubuntu19.5, 1.1.1+bzr982-0ubuntu14.5. |
|
8 |
CVE-2020-25645 |
319 |
|
|
2020-10-13 |
2021-03-26 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
A flaw was found in the Linux kernel in versions before 5.9-rc7. Traffic between two Geneve endpoints may be unencrypted when IPsec is configured to encrypt traffic for the specific UDP port used by the GENEVE tunnel allowing anyone between the two endpoints to read the traffic unencrypted. The main threat from this vulnerability is to data confidentiality. |
|
9 |
CVE-2020-24654 |
59 |
|
|
2020-09-02 |
2021-01-11 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
In KDE Ark before 20.08.1, a crafted TAR archive with symlinks can install files outside the extraction directory, as demonstrated by a write operation to a user's home directory. |
|
10 |
CVE-2020-24606 |
20 |
|
DoS |
2020-08-24 |
2021-03-17 |
7.1 |
None |
Remote |
Medium |
Not required |
None |
None |
Complete |
|
Squid before 4.13 and 5.x before 5.0.4 allows a trusted peer to perform Denial of Service by consuming all available CPU cycles during handling of a crafted Cache Digest response message. This only occurs when cache_peer is used with the cache digests feature. The problem exists because peerDigestHandleReply() livelocking in peer_digest.cc mishandles EOF. |
|
11 |
CVE-2020-24394 |
732 |
|
|
2020-08-19 |
2021-06-14 |
3.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
None |
|
In the Linux kernel before 5.7.8, fs/nfsd/vfs.c (in the NFS server) can set incorrect permissions on new filesystem objects when the filesystem lacks ACL support, aka CID-22cf8419f131. This occurs because the current umask is not considered. |
|
12 |
CVE-2020-16166 |
200 |
|
+Info |
2020-07-30 |
2021-06-14 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
The Linux kernel through 5.7.11 allows remote attackers to make observations that help to obtain sensitive information about the internal state of the network RNG, aka CID-f227e3ec3b5c. This is related to drivers/char/random.c and kernel/time/timer.c. |
|
13 |
CVE-2020-16128 |
209 |
|
|
2020-12-09 |
2020-12-11 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
The aptdaemon DBus interface disclosed file existence disclosure by setting Terminal/DebconfSocket properties, aka GHSL-2020-192 and GHSL-2020-196. This affected versions prior to 1.1.1+bzr982-0ubuntu34.1, 1.1.1+bzr982-0ubuntu32.3, 1.1.1+bzr982-0ubuntu19.5, 1.1.1+bzr982-0ubuntu14.5. |
|
14 |
CVE-2020-16123 |
362 |
|
|
2020-12-04 |
2020-12-10 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
An Ubuntu-specific patch in PulseAudio created a race condition where the snap policy module would fail to identify a client connection from a snap as coming from a snap if SCM_CREDENTIALS were missing, allowing the snap to connect to PulseAudio without proper confinement. This could be exploited by an attacker to expose sensitive information. Fixed in 1:13.99.3-1ubuntu2, 1:13.99.2-1ubuntu2.1, 1:13.99.1-1ubuntu3.8, 1:11.1-1ubuntu7.11, and 1:8.0-0ubuntu3.15. |
|
15 |
CVE-2020-16122 |
|
|
|
2020-11-07 |
2021-04-14 |
2.1 |
None |
Local |
Low |
Not required |
None |
Partial |
None |
|
PackageKit's apt backend mistakenly treated all local debs as trusted. The apt security model is based on repository trust and not on the contents of individual files. On sites with configured PolicyKit rules this may allow users to install malicious packages. |
|
16 |
CVE-2020-16120 |
269 |
|
|
2021-02-10 |
2021-02-18 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
Overlayfs did not properly perform permission checking when copying up files in an overlayfs and could be exploited from within a user namespace, if, for example, unprivileged user namespaces were allowed. It was possible to have a file not readable by an unprivileged user to be copied to a mountpoint controlled by the user, like a removable device. This was introduced in kernel version 4.19 by commit d1d04ef ("ovl: stack file ops"). This was fixed in kernel version 5.8 by commits 56230d9 ("ovl: verify permissions in ovl_path_open()"), 48bd024 ("ovl: switch to mounter creds in readdir") and 05acefb ("ovl: check permission to open real file"). Additionally, commits 130fdbc ("ovl: pass correct flags for opening real directory") and 292f902 ("ovl: call secutiry hook in ovl_real_ioctl()") in kernel 5.8 might also be desired or necessary. These additional commits introduced a regression in overlay mounts within user namespaces which prevented access to files with ownership outside of the user namespace. This regression was mitigated by subsequent commit b6650da ("ovl: do not fail because of O_NOATIMEi") in kernel 5.11. |
|
17 |
CVE-2020-16119 |
416 |
|
|
2021-01-14 |
2021-03-04 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
Use-after-free vulnerability in the Linux kernel exploitable by a local attacker due to reuse of a DCCP socket with an attached dccps_hc_tx_ccid object as a listener after being released. Fixed in Ubuntu Linux kernel 5.4.0-51.56, 5.3.0-68.63, 4.15.0-121.123, 4.4.0-193.224, 3.13.0.182.191 and 3.2.0-149.196. |
|
18 |
CVE-2020-15863 |
787 |
|
DoS Exec Code Overflow |
2020-07-28 |
2021-01-04 |
4.4 |
None |
Local |
Medium |
Not required |
Partial |
Partial |
Partial |
|
hw/net/xgmac.c in the XGMAC Ethernet controller in QEMU before 07-20-2020 has a buffer overflow. This occurs during packet transmission and affects the highbank and midway emulated machines. A guest user or process could use this flaw to crash the QEMU process on the host, resulting in a denial of service or potential privileged code execution. This was fixed in commit 5519724a13664b43e225ca05351c60b4468e4555. |
|
19 |
CVE-2020-15862 |
269 |
|
|
2020-08-20 |
2020-09-04 |
7.2 |
None |
Local |
Low |
Not required |
Complete |
Complete |
Complete |
|
Net-SNMP through 5.7.3 has Improper Privilege Management because SNMP WRITE access to the EXTEND MIB provides the ability to run arbitrary commands as root. |
|
20 |
CVE-2020-15811 |
444 |
|
Http R.Spl. Bypass |
2020-09-02 |
2021-03-04 |
4.0 |
None |
Remote |
Low |
??? |
None |
Partial |
None |
|
An issue was discovered in Squid before 4.13 and 5.x before 5.0.4. Due to incorrect data validation, HTTP Request Splitting attacks may succeed against HTTP and HTTPS traffic. This leads to cache poisoning. This allows any client, including browser scripts, to bypass local security and poison the browser cache and any downstream caches with content from an arbitrary source. Squid uses a string search instead of parsing the Transfer-Encoding header to find chunked encoding. This allows an attacker to hide a second request inside Transfer-Encoding: it is interpreted by Squid as chunked and split out into a second request delivered upstream. Squid will then deliver two distinct responses to the client, corrupting any downstream caches. |
|
21 |
CVE-2020-15810 |
444 |
|
Bypass |
2020-09-02 |
2021-03-17 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
An issue was discovered in Squid before 4.13 and 5.x before 5.0.4. Due to incorrect data validation, HTTP Request Smuggling attacks may succeed against HTTP and HTTPS traffic. This leads to cache poisoning. This allows any client, including browser scripts, to bypass local security and poison the proxy cache and any downstream caches with content from an arbitrary source. When configured for relaxed header parsing (the default), Squid relays headers containing whitespace characters to upstream servers. When this occurs as a prefix to a Content-Length header, the frame length specified will be ignored by Squid (allowing for a conflicting length to be used from another Content-Length header) but relayed upstream. |
|
22 |
CVE-2020-15707 |
362 |
|
Exec Code Overflow Bypass |
2020-07-29 |
2021-05-01 |
4.4 |
None |
Local |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Integer overflows were discovered in the functions grub_cmd_initrd and grub_initrd_init in the efilinux component of GRUB2, as shipped in Debian, Red Hat, and Ubuntu (the functionality is not included in GRUB2 upstream), leading to a heap-based buffer overflow. These could be triggered by an extremely large number of arguments to the initrd command on 32-bit architectures, or a crafted filesystem with very large files on any architecture. An attacker could use this to execute arbitrary code and bypass UEFI Secure Boot restrictions. This issue affects GRUB2 version 2.04 and prior versions. |
|
23 |
CVE-2020-15706 |
362 |
|
Exec Code Bypass |
2020-07-29 |
2021-05-01 |
4.4 |
None |
Local |
Medium |
Not required |
Partial |
Partial |
Partial |
|
GRUB2 contains a race condition in grub_script_function_create() leading to a use-after-free vulnerability which can be triggered by redefining a function whilst the same function is already executing, leading to arbitrary code execution and secure boot restriction bypass. This issue affects GRUB2 version 2.04 and prior versions. |
|
24 |
CVE-2020-15705 |
347 |
|
Bypass |
2020-07-29 |
2021-05-01 |
4.4 |
None |
Local |
Medium |
Not required |
Partial |
Partial |
Partial |
|
GRUB2 fails to validate kernel signature when booted directly without shim, allowing secure boot to be bypassed. This only affects systems where the kernel signing certificate has been imported directly into the secure boot database and the GRUB image is booted directly without the use of shim. This issue affects GRUB2 version 2.04 and prior versions. |
|
25 |
CVE-2020-15659 |
787 |
|
Mem. Corr. |
2020-08-10 |
2020-08-21 |
9.3 |
None |
Remote |
Medium |
Not required |
Complete |
Complete |
Complete |
|
Mozilla developers and community members reported memory safety bugs present in Firefox 78 and Firefox ESR 78.0. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 79, Firefox ESR < 68.11, Firefox ESR < 78.1, Thunderbird < 68.11, and Thunderbird < 78.1. |
|
26 |
CVE-2020-15157 |
522 |
|
|
2020-10-16 |
2021-03-17 |
2.6 |
None |
Remote |
High |
Not required |
Partial |
None |
None |
|
In containerd (an industry-standard container runtime) before version 1.2.14 there is a credential leaking vulnerability. If a container image manifest in the OCI Image format or Docker Image V2 Schema 2 format includes a URL for the location of a specific image layer (otherwise known as a “foreign layer”), the default containerd resolver will follow that URL to attempt to download it. In v1.2.x but not 1.3.0 or later, the default containerd resolver will provide its authentication credentials if the server where the URL is located presents an HTTP 401 status code along with registry-specific HTTP headers. If an attacker publishes a public image with a manifest that directs one of the layers to be fetched from a web server they control and they trick a user or system into pulling the image, they can obtain the credentials used for pulling that image. In some cases, this may be the user's username and password for the registry. In other cases, this may be the credentials attached to the cloud virtual instance which can grant access to other cloud resources in the account. The default containerd resolver is used by the cri-containerd plugin (which can be used by Kubernetes), the ctr development tool, and other client programs that have explicitly linked against it. This vulnerability has been fixed in containerd 1.2.14. containerd 1.3 and later are not affected. If you are using containerd 1.3 or later, you are not affected. If you are using cri-containerd in the 1.2 series or prior, you should ensure you only pull images from trusted sources. Other container runtimes built on top of containerd but not using the default resolver (such as Docker) are not affected. |
|
27 |
CVE-2020-15103 |
680 |
|
Overflow |
2020-07-27 |
2020-12-23 |
3.5 |
None |
Remote |
Medium |
??? |
None |
None |
Partial |
|
In FreeRDP less than or equal to 2.1.2, an integer overflow exists due to missing input sanitation in rdpegfx channel. All FreeRDP clients are affected. The input rectangles from the server are not checked against local surface coordinates and blindly accepted. A malicious server can send data that will crash the client later on (invalid length arguments to a `memcpy`) This has been fixed in 2.2.0. As a workaround, stop using command line arguments /gfx, /gfx-h264 and /network:auto |
|
28 |
CVE-2020-15011 |
74 |
|
|
2020-06-24 |
2020-10-27 |
2.6 |
None |
Remote |
High |
Not required |
None |
Partial |
None |
|
GNU Mailman before 2.1.33 allows arbitrary content injection via the Cgi/private.py private archive login page. |
|
29 |
CVE-2020-14928 |
74 |
|
|
2020-07-17 |
2020-08-14 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
evolution-data-server (eds) through 3.36.3 has a STARTTLS buffering issue that affects SMTP and POP3. When a server sends a "begin TLS" response, eds reads additional data and evaluates it in a TLS context, aka "response injection." |
|
30 |
CVE-2020-14392 |
119 |
|
Overflow Mem. Corr. |
2020-09-16 |
2020-09-28 |
2.1 |
None |
Local |
Low |
Not required |
None |
None |
Partial |
|
An untrusted pointer dereference flaw was found in Perl-DBI < 1.643. A local attacker who is able to manipulate calls to dbd_db_login6_sv() could cause memory corruption, affecting the service's availability. |
|
31 |
CVE-2020-14355 |
120 |
|
Exec Code Overflow |
2020-10-07 |
2020-12-04 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
|
Multiple buffer overflow vulnerabilities were found in the QUIC image decoding process of the SPICE remote display system, before spice-0.14.2-1. Both the SPICE client (spice-gtk) and server are affected by these flaws. These flaws allow a malicious client or server to send specially crafted messages that, when processed by the QUIC image compression algorithm, result in a process crash or potential code execution. |
|
32 |
CVE-2020-14345 |
119 |
|
Overflow |
2020-09-15 |
2021-01-15 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
A flaw was found in X.Org Server before xorg-x11-server 1.20.9. An Out-Of-Bounds access in XkbSetNames function may lead to a privilege escalation vulnerability. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. |
|
33 |
CVE-2020-13754 |
119 |
|
Overflow |
2020-06-02 |
2020-12-14 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
hw/pci/msix.c in QEMU 4.2.0 allows guest OS users to trigger an out-of-bounds access via a crafted address in an msi-x mmio operation. |
|
34 |
CVE-2020-13645 |
295 |
|
|
2020-05-28 |
2020-11-20 |
6.4 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
None |
|
In GNOME glib-networking through 2.64.2, the implementation of GTlsClientConnection skips hostname verification of the server's TLS certificate if the application fails to specify the expected server identity. This is in contrast to its intended documented behavior, to fail the certificate verification. Applications that fail to provide the server identity, including Balsa before 2.5.11 and 2.6.x before 2.6.1, accept a TLS certificate if the certificate is valid for any host. |
|
35 |
CVE-2020-13398 |
787 |
|
|
2020-05-22 |
2020-11-09 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
|
An issue was discovered in FreeRDP before 2.1.1. An out-of-bounds (OOB) write vulnerability has been detected in crypto_rsa_common in libfreerdp/crypto/crypto.c. |
|
36 |
CVE-2020-13397 |
125 |
|
|
2020-05-22 |
2020-11-09 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
An issue was discovered in FreeRDP before 2.1.1. An out-of-bounds (OOB) read vulnerability has been detected in security_fips_decrypt in libfreerdp/core/security.c due to an uninitialized value. |
|
37 |
CVE-2020-13396 |
125 |
|
|
2020-05-22 |
2020-11-09 |
5.5 |
None |
Remote |
Low |
??? |
Partial |
None |
Partial |
|
An issue was discovered in FreeRDP before 2.1.1. An out-of-bounds (OOB) read vulnerability has been detected in ntlm_read_ChallengeMessage in winpr/libwinpr/sspi/NTLM/ntlm_message.c. |
|
38 |
CVE-2020-13254 |
295 |
|
|
2020-06-03 |
2021-01-20 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before 3.0.7. In cases where a memcached backend does not perform key validation, passing malformed cache keys could result in a key collision, and potential data leakage. |
|
39 |
CVE-2020-13253 |
125 |
|
|
2020-05-27 |
2020-12-14 |
2.1 |
None |
Local |
Low |
Not required |
None |
None |
Partial |
|
sd_wp_addr in hw/sd/sd.c in QEMU 4.2.0 uses an unvalidated address, which leads to an out-of-bounds read during sdhci_write() operations. A guest OS user can crash the QEMU process. |
|
40 |
CVE-2020-12829 |
190 |
|
DoS Overflow |
2020-08-31 |
2020-12-14 |
2.1 |
None |
Local |
Low |
Not required |
None |
None |
Partial |
|
In QEMU through 5.0.0, an integer overflow was found in the SM501 display driver implementation. This flaw occurs in the COPY_AREA macro while handling MMIO write operations through the sm501_2d_engine_write() callback. A local attacker could abuse this flaw to crash the QEMU process in sm501_2d_operation() in hw/display/sm501.c on the host, resulting in a denial of service. |
|
41 |
CVE-2020-12673 |
125 |
|
|
2020-08-12 |
2020-10-13 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
In Dovecot before 2.3.11.3, sending a specially formatted NTLM request will crash the auth service because of an out-of-bounds read. |
|
42 |
CVE-2020-12663 |
835 |
|
|
2020-05-19 |
2021-02-17 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
Unbound before 1.10.1 has an infinite loop via malformed DNS answers received from upstream servers. |
|
43 |
CVE-2020-12662 |
674 |
|
|
2020-05-19 |
2021-02-17 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
Unbound before 1.10.1 has Insufficient Control of Network Message Volume, aka an "NXNSAttack" issue. This is triggered by random subdomains in the NSDNAME in NS records. |
|
44 |
CVE-2020-12352 |
200 |
|
+Info |
2020-11-23 |
2021-04-08 |
3.3 |
None |
Local Network |
Low |
Not required |
Partial |
None |
None |
|
Improper access control in BlueZ may allow an unauthenticated user to potentially enable information disclosure via adjacent access. |
|
45 |
CVE-2020-12049 |
404 |
|
|
2020-06-08 |
2021-03-04 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
An issue was discovered in dbus >= 1.3.0 before 1.12.18. The DBusServer in libdbus, as used in dbus-daemon, leaks file descriptors when a message exceeds the per-message file descriptor limit. A local attacker with access to the D-Bus system bus or another system service's private AF_UNIX socket could use this to make the system service reach its file descriptor limit, denying service to subsequent D-Bus clients. |
|
46 |
CVE-2020-11993 |
444 |
|
|
2020-08-07 |
2021-06-06 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
Apache HTTP Server versions 2.4.20 to 2.4.43 When trace/debug was enabled for the HTTP/2 module and on certain traffic edge patterns, logging statements were made on the wrong connection, causing concurrent use of memory pools. Configuring the LogLevel of mod_http2 above "info" will mitigate this vulnerability for unpatched servers. |
|
47 |
CVE-2020-11984 |
120 |
|
|
2020-08-07 |
2021-06-06 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Apache HTTP server 2.4.32 to 2.4.44 mod_proxy_uwsgi info disclosure and possible RCE |
|
48 |
CVE-2020-11945 |
190 |
|
Exec Code Overflow |
2020-04-23 |
2021-03-17 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
An issue was discovered in Squid before 5.0.2. A remote attacker can replay a sniffed Digest Authentication nonce to gain access to resources that are otherwise forbidden. This occurs because the attacker can overflow the nonce reference counter (a short integer). Remote code execution may occur if the pooled token credentials are freed (instead of replayed as valid credentials). |
|
49 |
CVE-2020-11934 |
668 |
|
Bypass |
2020-07-29 |
2020-08-05 |
1.9 |
None |
Local |
Medium |
Not required |
None |
Partial |
None |
|
It was discovered that snapctl user-open allowed altering the $XDG_DATA_DIRS environment variable when calling the system xdg-open. OpenURL() in usersession/userd/launcher.go would alter $XDG_DATA_DIRS to append a path to a directory controlled by the calling snap. A malicious snap could exploit this to bypass intended access restrictions to control how the host system xdg-open script opens the URL and, for example, execute a script shipped with the snap without confinement. This issue did not affect Ubuntu Core systems. Fixed in snapd versions 2.45.1ubuntu0.2, 2.45.1+18.04.2 and 2.45.1+20.04.2. |
|
50 |
CVE-2020-11933 |
269 |
|
Bypass |
2020-07-29 |
2020-08-05 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
cloud-init as managed by snapd on Ubuntu Core 16 and Ubuntu Core 18 devices was run without restrictions on every boot, which a physical attacker could exploit by crafting cloud-init user-data/meta-data via external media to perform arbitrary changes on the device to bypass intended security mechanisms such as full disk encryption. This issue did not affect traditional Ubuntu systems. Fixed in snapd version 2.45.2, revision 8539 and core version 2.45.2, revision 9659. |
