CVE-2021-3709

CWE-538 CWE-22 — Path Traversal CWE-668 — Exposure to Wrong Sphere6 documents5 sources

Severity

5.5MEDIUM

EPSS

0.1%

top 78.31%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Canonical Apport

Timeline

PublishedOct 1

Latest updateMay 24

Description

Function check_attachment_for_errors() in file data/general-hooks/ubuntu.py could be tricked into exposing private data via a constructed crash file. This issue affects: apport 2.14.1 versions prior to 2.14.1-0ubuntu3.29+esm8; 2.20.1 versions prior to 2.20.1-0ubuntu2.30+esm2; 2.20.9 versions prior to 2.20.9-0ubuntu7.26; 2.20.11 versions prior to 2.20.11-0ubuntu27.20; 2.20.11 versions prior to 2.20.11-0ubuntu65.3;

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:NExploitability: 2.0 | Impact: 4.0

Affected Packages3 packages

▶CVEListV5canonical/apport2.14.1 — 2.14.1-0ubuntu3.29+esm8+3

▶Ubuntuapport< 2.20.9-0ubuntu7.26+3

▶NVDcanonical/apport170 versions+169

🔴Vulnerability Details

GHSA

GHSA-hq94-g33h-jj2x: Function check_attachment_for_errors() in file data/general-hooks/ubuntu↗2022-05-24

▶

CVEList

Apport file permission bypass through emacs byte compilation errors↗2021-10-01

▶

OSV

CVE-2021-3709: Function check_attachment_for_errors() in file data/general-hooks/ubuntu↗2021-09-14

▶

📋Vendor Advisories

Ubuntu

Apport vulnerabilities↗2021-09-14

▶

Ubuntu

Apport vulnerabilities↗2021-09-14

▶