6.8

CVE-2020-27348

Exploit

snapcraft may build snaps with incorrect LD_LIBRARY_PATH

In some conditions, a snap package built by snapcraft includes the current directory in LD_LIBRARY_PATH, allowing a malicious snap to gain code execution within the context of another snap if both plug the home interface or similar. This issue affects snapcraft versions prior to 4.4.4, prior to 2.43.1+16.04.1, and prior to 2.43.1+18.04.1.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
CanonicalSnapcraft Version < 4.4.4
CanonicalUbuntu Linux Version16.04
CanonicalUbuntu Linux Version18.04
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.67% 0.472
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 6.8 1.3 5.5
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L
nvd@nist.gov 4.4 3.4 6.4
AV:L/AC:M/Au:N/C:P/I:P/A:P
security@ubuntu.com 6.8 1.3 5.5
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L
CWE-427 Uncontrolled Search Path Element

The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors.

https://bugs.launchpad.net/bugs/1901572
Third Party Advisory
Exploit
Issue Tracking
https://github.com/snapcore/snapcraft/pull/3345
Third Party Advisory
https://usn.ubuntu.com/usn/usn-4661-1
Patch
Third Party Advisory