CVE-2020-27348
Last modified
CVE-2020-27348 is a medium-severity vulnerability rated 6.8/10 on the CVSS scale. In some conditions, a snap package built by snapcraft includes the current directory in LD_LIBRARY_PATH, allowing a malicious snap to gain code execution within the context of another snap if both plug the home interface or similar. This issue affects snapcraft versions prior to 4.4.4, prior to 2.43.1+16.04.1, and prior to 2.43.1+18.04.1.. EPSS estimates a 0.67% chance of exploitation in the next 30 days.
Description
In some conditions, a snap package built by snapcraft includes the current directory in LD_LIBRARY_PATH, allowing a malicious snap to gain code execution within the context of another snap if both plug the home interface or similar. This issue affects snapcraft versions prior to 4.4.4, prior to 2.43.1+16.04.1, and prior to 2.43.1+18.04.1.
Metrics
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Canonical | Snapcraft | < 4.4.4 |
| Canonical | Ubuntu Linux | 16.04 |
| Canonical | Ubuntu Linux | 18.04 |
References
- https://bugs.launchpad.net/bugs/1901572Exploit, Issue Tracking, Third Party Advisory
- https://github.com/snapcore/snapcraft/pull/3345Third Party Advisory
- https://usn.ubuntu.com/usn/usn-4661-1Patch, Third Party Advisory
- https://bugs.launchpad.net/bugs/1901572Exploit, Issue Tracking, Third Party Advisory
- https://github.com/snapcore/snapcraft/pull/3345Third Party Advisory
- https://usn.ubuntu.com/usn/usn-4661-1Patch, Third Party Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2020-27348?
How severe is CVE-2020-27348?
How do I fix CVE-2020-27348?
Are you affected by CVE-2020-27348?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST