Canonical Ltd. Snapd vulnerabilities

CVE-2020-27352 [CRITICAL] CWE-269 CVE-2020-27352: When generating the systemd service units for the docker snap (and other similar snaps), snapd does When generating the systemd service units for the docker snap (and other similar snaps), snapd does not specify Delegate=yes - as a result systemd will move processes from the containers created and managed by these snaps into the cgroup of the main daemon within the snap itself when reloading system units. This may grant additional privileges to a

CVE-2024-5138 [HIGH] CWE-20 CVE-2024-5138: The snapctl component within snapd allows a confined snap to interact with the snapd daemon to take The snapctl component within snapd allows a confined snap to interact with the snapd daemon to take certain privileged actions on behalf of the snap. It was found that snapctl did not properly parse command-line arguments, allowing an unprivileged user to trigger an authorised action on behalf of the snap that would normally require administrator privileg

CVE-2022-3328 [HIGH] CWE-362 CVE-2022-3328: Race condition in snap-confine's must_mkdir_and_open_with_perms() Race condition in snap-confine's must_mkdir_and_open_with_perms()

CVE-2021-44731 [HIGH] CWE-362 CVE-2021-44731: A race condition existed in the snapd 2.54.2 snap-confine binary when preparing a private mount name A race condition existed in the snapd 2.54.2 snap-confine binary when preparing a private mount namespace for a snap. This could allow a local attacker to gain root privileges by bind-mounting their own contents inside the snap's private mount namespace and causing snap-confine to execute arbitrary code and hence gain privilege escalation. Fixed in sn

CVE-2021-4120 [HIGH] CWE-20 CVE-2021-4120: snapd 2.54.2 fails to perform sufficient validation of snap content interface and layout paths, resu snapd 2.54.2 fails to perform sufficient validation of snap content interface and layout paths, resulting in the ability for snaps to inject arbitrary AppArmor policy rules via malformed content interface and layout declarations and hence escape strict snap confinement. Fixed in snapd versions 2.54.3+18.04, 2.54.3+20.04 and 2.54.3+21.10.1

CVE-2021-44730 [HIGH] CWE-59 CVE-2021-44730: snapd 2.54.2 did not properly validate the location of the snap-confine binary. A local attacker who snapd 2.54.2 did not properly validate the location of the snap-confine binary. A local attacker who can hardlink this binary to another location to cause snap-confine to execute other arbitrary binaries and hence gain privilege escalation. Fixed in snapd versions 2.54.3+18.04, 2.54.3+20.04 and 2.54.3+21.10.1

CVE-2021-3155 [LOW] CWE-276 CVE-2021-3155: snapd 2.54.2 and earlier created ~/snap directories in user home directories without specifying owne snapd 2.54.2 and earlier created ~/snap directories in user home directories without specifying owner-only permissions. This could allow a local attacker to read information that should have been private. Fixed in snapd versions 2.54.3+18.04, 2.54.3+20.04 and 2.54.3+21.10.1