CVE-2021-4120

CWE-20 — Improper Input Validation12 documents6 sources

Severity

7.8HIGH

EPSS

0.1%

top 74.86%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Canonical Ltd. Snapd Canonical Snapd Canonical Ubuntu Linux +1 more

Timeline

PublishedFeb 17

Latest updateFeb 24

Description

snapd 2.54.2 fails to perform sufficient validation of snap content interface and layout paths, resulting in the ability for snaps to inject arbitrary AppArmor policy rules via malformed content interface and layout declarations and hence escape strict snap confinement. Fixed in snapd versions 2.54.3+18.04, 2.54.3+20.04 and 2.54.3+21.10.1

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:HExploitability: 1.5 | Impact: 6.0

Affected Packages4 packages

▶Debiansnapd< 2.49-1+deb11u1+3

▶Ubuntusnapd< 2.54.3+18.04+1

▶NVDcanonical/snapd2.54.2

▶CVEListV5canonical_ltd./snapdunspecified — 2.54.2

Also affects: Fedora 34, 35, Ubuntu Linux 18.04, 20.04, 21.10

Patches

Patch: ubuntu.com ↗Patch: ubuntu.com ↗

🔴Vulnerability Details

OSV

snapd regression↗2022-02-24

▶

GHSA

GHSA-hfvx-54vj-h9wq: snapd 2↗2022-02-19

▶

OSV

snapd vulnerabilities↗2022-02-18

▶

OSV

snapd vulnerabilities↗2022-02-18

▶

OSV

snapd vulnerabilities↗2022-02-17

▶

📋Vendor Advisories

Ubuntu

snapd vulnerabilities↗2022-02-18

▶

Ubuntu

snapd vulnerabilities↗2022-02-18

▶

Ubuntu

snapd vulnerabilities↗2022-02-17

▶

Debian

CVE-2021-4120: snapd - snapd 2.54.2 fails to perform sufficient validation of snap content interface an...↗2021

▶