CVE-2021-4120
Published: 17 February 2022
snapd 2.54.2 fails to perform sufficient validation of snap content interface and layout paths, resulting in the ability for snaps to inject arbitrary AppArmor policy rules via malformed content interface and layout declarations and hence escape strict snap confinement. Fixed in snapd versions 2.54.3+18.04, 2.54.3+20.04 and 2.54.3+21.10.1
Priority
Status
Package | Release | Status |
---|---|---|
snapd Launchpad, Ubuntu, Debian |
bionic |
Released
(2.54.3+18.04)
|
focal |
Released
(2.54.3+20.04)
|
|
hirsute |
Ignored
(end of life)
|
|
impish |
Released
(2.54.3+21.10.1)
|
|
trusty |
Released
(2.54.3+14.04~esm1)
Available with Ubuntu Pro or Ubuntu Pro (Infra-only) |
|
upstream |
Released
(2.54.3)
|
|
xenial |
Released
(2.54.3+16.04~esm2)
Available with Ubuntu Pro or Ubuntu Pro (Infra-only) |
Severity score breakdown
Parameter | Value |
---|---|
Base score | 8.2 |
Attack vector | Local |
Attack complexity | Low |
Privileges required | Low |
User interaction | Required |
Scope | Changed |
Confidentiality | High |
Integrity impact | High |
Availability impact | High |
Vector | CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H |