CVE-2020-11933

EPSS 0.03%
Published 29.07.2020 17:15:12
Last modified 21.11.2024 04:58:56
Source security@ubuntu.com
Teams watchlist Login
Open Login

cloud-init as managed by snapd on Ubuntu Core 16 and Ubuntu Core 18 devices was run without restrictions on every boot, which a physical attacker could exploit by crafting cloud-init user-data/meta-data via external media to perform arbitrary changes on the device to bypass intended security mechanisms such as full disk encryption. This issue did not affect traditional Ubuntu systems. Fixed in snapd version 2.45.2, revision 8539 and core version 2.45.2, revision 9659.

Affected products Warnungen 0 Metrics 4 CWE 0 References 5

Data is provided by the National Vulnerability Database (NVD)

Canonical ≫ Snapd Version < 2.45.2

Canonical ≫ Ubuntu Linux Version16.04 SwEditionlts

Canonical ≫ Ubuntu Linux Version18.04 SwEditionlts

Canonical ≫ Ubuntu Linux Version19.10

Canonical ≫ Ubuntu Linux Version20.04 SwEditionlts

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.03%	0.058

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	6.8	0.9	5.9	CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	4.6	3.9	6.4	AV:L/AC:L/Au:N/C:P/I:P/A:P
security@ubuntu.com	7.3	0.9	5.8	CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

https://launchpad.net/bugs/1879530

Third Party Advisory

https://ubuntu.com/USN-4424-1

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2020-11933

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2020-11933

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2020-11933

EUVD