CVE-2020-11934

CWE-668Exposure to Wrong Sphere7 documents6 sources
Severity
5.9MEDIUM
EPSS
0.0%
top 86.14%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Canonical SnapdCanonical Ubuntu Linux
Timeline
PublishedJul 29
Latest updateMay 24

Description

It was discovered that snapctl user-open allowed altering the $XDG_DATA_DIRS environment variable when calling the system xdg-open. OpenURL() in usersession/userd/launcher.go would alter $XDG_DATA_DIRS to append a path to a directory controlled by the calling snap. A malicious snap could exploit this to bypass intended access restrictions to control how the host system xdg-open script opens the URL and, for example, execute a script shipped with the snap without confinement. This issue did not a

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:NExploitability: 1.5 | Impact: 4.0

Affected Packages2 packages

CVEListV5canonical/snapd2.45.12.45.1ubuntu0.2
Debiansnapd< 2.45.2-1+3

Also affects: Ubuntu Linux 16.04, 18.04, 19.10, 20.04

🔴Vulnerability Details

4
GHSA
GHSA-8cwp-mjww-pqc2: It was discovered that snapctl user-open allowed altering the $XDG_DATA_DIRS environment variable when calling the system xdg-open2022-05-24
CVEList
Sandbox escape vulnerability via snapctl user-open (xdg-open)2020-07-29
OSV
CVE-2020-11934: It was discovered that snapctl user-open allowed altering the $XDG_DATA_DIRS environment variable when calling the system xdg-open2020-07-29
OSV
snapd vulnerabilities2020-07-15

📋Vendor Advisories

2
Ubuntu
snapd vulnerabilities2020-07-15
Debian
CVE-2020-11934: snapd - It was discovered that snapctl user-open allowed altering the $XDG_DATA_DIRS env...2020
CVE-2020-11934 (MEDIUM CVSS 5.9) | It was discovered that snapctl user | cvebase.io