Vulners Linux Audit API for Host Vulnerability Detection: Manual Auditing, Python Scripting and Licensing
2021-02-11T23:31:01
ID AVLEONOV:C161660A7999856B2D4E2D00187C74F6 Type avleonov Reporter Alexander Leonov Modified 2021-02-11T23:31:01
Description
Hello everyone! This episode will be about Vulners Linux Audit API, which allows you to detect vulnerabilities on a Linux host knowing only the OS version and installed packages. I had a similar post about this 4 years ago, but some details have changed, so I came back to this topic.
Manual Audit
The easiest way to try the Vulners Linux Audit capabilities, which does not even require registration, is to go to <https://vulners.com/audit>, where you specify the OS type, the OS version and the output of a package-listing command for RedHat-based and Debian-based Linux distributions.
Vulners supports nearly all popular Linux distributions:
For RedHat (RPM) based distributions, you can get the OS version using
$ cat /etc/redhat-release
CentOS Linux release 8.3.2011
For example, I've added packages for Ubuntu 18.04:
And got the results (packages and vulnerabilities in the form of USN bulletins):
The vulnerabilities are clickable:
What are the limitations? Vulners matches the package names and versions you submit against the distribution's own security bulletins, so it only knows about packages that came from the distribution. If you installed software from source, or built the package yourself with some arbitrary version string, Vulners will of course not find a vulnerability in it. It will also not detect a vulnerability in an application running inside a Docker container, because the container's packages are not in the host's package list.
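The inventory step above, as an added example that is not code from the original post: a Python helper that reads the distribution id and release from /etc/os-release (present on both package families, used here instead of the redhat-release and lsb_release commands the post shows), applies the same filter as the post's dpkg-query/awk pipeline so that only installed packages are kept, and assembles the request body the post's script sends to the audit endpoint. The inventory commands and the request fields are the ones the post gives; the direct mapping of os-release ID and VERSION_ID onto the "os" and "version" values Vulners expects is an assumption that holds for ubuntu, debian and centos (check the dropdown on the audit page for other distributions), and the sample os-release and dpkg-query output is constructed.

```python
"""Build a Vulners Linux Audit request from a host's own package inventory.

Added example, not code from the original post. It mirrors the inventory
commands the post gives for RPM and DEB hosts and the request body the
post's script sends to https://vulners.com/api/v3/audit/audit. The parsers
never touch the network; only inventory_from_host() runs commands.
"""
import json
import subprocess

# Inventory commands from the post. The dpkg-query format prints the
# three-word ${Status} first; the post's awk filter keeps rows whose status
# starts with "install ok" and prints Package, Version, Architecture.
DPKG_CMD = ["dpkg-query", "-W", r"-f=${Status} ${Package} ${Version} ${Architecture}\n"]
RPM_CMD = ["rpm", "-qa", "--qf", r"%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\n"]

# Constructed sample data (not captured from a real host).
SAMPLE_OS_RELEASE = (
    'NAME="Ubuntu"\n'
    'VERSION="18.04.4 LTS (Bionic Beaver)"\n'
    "ID=ubuntu\n"
    "ID_LIKE=debian\n"
    'VERSION_ID="18.04"\n'
)
SAMPLE_DPKG_OUTPUT = (
    "install ok installed accountsservice 0.6.45-1ubuntu1 amd64\n"
    "deinstall ok config-files old-package 1.0-1 amd64\n"  # removed, config left: dropped
    "install ok installed snapd 2.42.1+18.04 amd64\n"
)


def parse_os_release(text):
    """Return (ID, VERSION_ID) from /etc/os-release content, unquoted.

    Assumption: ID ("ubuntu", "debian", "centos") and VERSION_ID ("18.04")
    map directly onto the "os" and "version" values the audit API expects.
    """
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            fields[key] = value.strip().strip('"')
    return fields.get("ID", "").lower(), fields.get("VERSION_ID", "")


def dpkg_packages(output):
    """Apply the post's awk filter to dpkg-query output.

    Keeps only "install ok ..." rows, so removed-but-not-purged packages
    are dropped, and returns each as "name version arch".
    """
    packages = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) >= 6 and fields[0] == "install" and fields[1] == "ok":
            packages.append(" ".join(fields[3:6]))
    return packages


def rpm_packages(output):
    """rpm -qa with the post's --qf format already yields one package per line."""
    return [line.strip() for line in output.splitlines() if line.strip()]


def build_audit_request(os_id, version, packages, api_key):
    """Assemble the JSON body the post's script sends.

    version must be the host's real release: a bulletin's fixed version is
    release-specific, so a wrong release compares your packages against
    another release's fix.
    """
    if not packages:
        raise ValueError("empty package list: nothing to audit")
    if not os_id or not version:
        raise ValueError("os and version are required")
    return {"os": os_id, "version": version, "package": list(packages), "apiKey": api_key}


def inventory_from_host(api_key):
    """Build the request for the machine this runs on (needs dpkg or rpm)."""
    with open("/etc/os-release", encoding="utf-8") as fh:
        os_id, version = parse_os_release(fh.read())
    if os_id in ("debian", "ubuntu"):
        out = subprocess.run(DPKG_CMD, capture_output=True, text=True, check=True).stdout
        packages = dpkg_packages(out)
    else:
        out = subprocess.run(RPM_CMD, capture_output=True, text=True, check=True).stdout
        packages = rpm_packages(out)
    return build_audit_request(os_id, version, packages, api_key)


if __name__ == "__main__":
    os_id, version = parse_os_release(SAMPLE_OS_RELEASE)
    body = build_audit_request(os_id, version, dpkg_packages(SAMPLE_DPKG_OUTPUT), "###TOKEN###")
    print(json.dumps(body, indent=2))
```

Run it as-is to see the request body built from the constructed sample; on a real host call inventory_from_host() with your API key and post the result with requests, as the post's script does.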
Linux Audit API and python scripting
First of all, in order to use the Linux Scanner API, you must be a registered user.
Then you go to <https://vulners.com/userinfo> and generate an API key.
Choose the API scope and press save.
If you are new to Vulners, the license type will be free. It’s good enough for testing, I’ll add a few words about licensing later.
So, here is the script. Nothing special: the list of packages in the same format as in the manual audit, a data dictionary with the OS type and version, the API key as the authentication token, and one POST request to https://vulners.com/api/v3/audit/audit.
In the output I get the same vulnerabilities as in the manual audit. Security bulletin findings are grouped by package name. Most useful is that each finding shows the providedVersion next to the bulletinVersion together with the comparison operator (lt: the installed version is less than the version the bulletin fixes), so the match can be verified manually. You can also see the list of related CVEs, the CVSS score and a command for fixing the package.
So, is it free?
I often hear from employees of large companies that they use Vulners for Vulnerability Management because it is free of charge. Well, strictly, it is not.
In the footer of each Vulners.com page there is a link to the EULA (<https://vulners.com/static/docs/eula.pdf>). According to it, Vulners is free for personal education or research use. If you use Vulners at work to monitor your infrastructure or to get information about vulnerabilities, this is commercial usage and you have to pay.
How much? It's better to request the latest details from sales@vulners.com. At the time of writing the price starts from €150/month WITHOUT API usage and from €500/month for 10,000 API calls. For €1000/month you can use the Vulners API with no restrictions.
Is this a lot? €6000/year (€500/month) is about twice the price of Nessus Professional. But compared with other enterprise Vulnerability Management solutions, it is not really so much. For example, it is the price of Tenable.io for only 160 hosts (<https://www.tenable.com/buy>). With the Vulners Linux API and some optimization, it would be possible to cover MUCH more hosts and easily assess them daily.
One way to optimize is not to make a separate request for every host, but to collect all the packages used in your infrastructure for each OS version and make one request per OS version to get the related vulnerabilities, then map the results back to the hosts that have each package. This optimization is fine because it does not put additional load on the Vulners servers.
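The batching described above, as an added example that is not code from the original post: hosts are grouped by (os, version), their package strings are unioned so each distinct "name version arch" is sent once per release, one request goes out per release, and the flagged packages are attributed back to the hosts that actually carry them. The fleet inventory, the bulletin lookup and fake_send_audit are constructed stand-ins so the code runs offline; make_vulners_sender() is the one piece that would POST to the audit endpoint the way the post's script does.

```python
"""Batch Vulners audit calls per OS release and map findings back to hosts.

Added example, not code from the original post. It implements the
optimization the post describes: union the packages of all hosts that
share an (os, version), send one request per release instead of one per
host, then attribute each flagged package to the hosts that carry it.
SAMPLE_HOSTS, FAKE_BULLETINS and fake_send_audit are constructed
stand-ins; only make_vulners_sender() would talk to the API.
"""
from collections import defaultdict


def plan_requests(hosts):
    """Return {(os, version): sorted union of package strings}.

    Hosts are {"name", "os", "version", "packages"}. Packages are keyed by
    the full "name version arch" string, so two versions of one package on
    different hosts both get checked.
    """
    groups = defaultdict(set)
    for host in hosts:
        groups[(host["os"], host["version"])].update(host["packages"])
    return {key: sorted(pkgs) for key, pkgs in groups.items()}


def attribute_findings(hosts, results):
    """Map per-release responses (shape as in the post) back to hosts.

    Returns {host name: {package string: [bulletin ids]}}, listing only
    packages that host actually has.
    """
    per_host = {}
    for host in hosts:
        response = results.get((host["os"], host["version"]))
        if not response:
            continue
        flagged = response["data"]["packages"]
        hits = {p: sorted(flagged[p]) for p in host["packages"] if p in flagged}
        if hits:
            per_host[host["name"]] = hits
    return per_host


def audit_fleet(hosts, send_audit):
    """One send_audit(os, version, packages) per release; returns (findings, calls)."""
    plan = plan_requests(hosts)
    results = {key: send_audit(key[0], key[1], pkgs) for key, pkgs in plan.items()}
    return attribute_findings(hosts, results), len(plan)


def make_vulners_sender(api_key):
    """Return a sender that POSTs like the post's script does (network)."""
    def send_audit(os_id, version, packages):
        import requests  # imported here so the offline parts need no dependency
        body = {"os": os_id, "version": version, "package": packages, "apiKey": api_key}
        resp = requests.post("https://vulners.com/api/v3/audit/audit", json=body, timeout=60)
        resp.raise_for_status()
        return resp.json()
    return send_audit


# Constructed fleet: two Ubuntu 18.04 hosts sharing apt, one CentOS host.
SAMPLE_HOSTS = [
    {"name": "web1", "os": "ubuntu", "version": "18.04",
     "packages": ["apt 1.6.12 amd64", "snapd 2.42.1+18.04 amd64"]},
    {"name": "web2", "os": "ubuntu", "version": "18.04",
     "packages": ["apt 1.6.12 amd64", "snapd 2.45.1+18.04.2 amd64"]},
    {"name": "db1", "os": "centos", "version": "8",
     "packages": ["bash-4.4.19-12.el8.x86_64"]},
]

# Constructed lookup standing in for the API's knowledge: the one
# vulnerable package string from the post's own example.
FAKE_BULLETINS = {"snapd 2.42.1+18.04 amd64": {"USN-4424-1": [{"operator": "lt"}]}}


def fake_send_audit(os_id, version, packages):
    """Offline stand-in returning a response in the post's shape."""
    flagged = {p: FAKE_BULLETINS[p] for p in packages if p in FAKE_BULLETINS}
    return {"result": "OK", "data": {"packages": flagged}}


if __name__ == "__main__":
    findings, calls = audit_fleet(SAMPLE_HOSTS, fake_send_audit)
    print(calls, "API calls for", len(SAMPLE_HOSTS), "hosts")
    print(findings)
```

With the constructed fleet, three hosts cost two API calls (one per release) and only web1 is reported, because web2 already runs the fixed snapd version; swap fake_send_audit for make_vulners_sender(api_key) to run it against the real API.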
What if you want to use the Vulners API for commercial goals but don't need so many API calls? Well, strictly, such use without a commercial license would be a violation. But you will not be banned if you make fewer than 1000 requests per month, and the Vulners team doesn't ban such usage during a PoC, etc. Everything is discussable. But if you can pay, there is no reason you shouldn't. Vulners is a small self-financing startup that does a lot of work with very limited resources. Commercial licenses really help to pay for servers and motivate the team to move on.
{"id": "AVLEONOV:C161660A7999856B2D4E2D00187C74F6", "type": "avleonov", "bulletinFamily": "blog", "title": "Vulners Linux Audit API for Host Vulnerability Detection: Manual Auditing, Python Scripting and Licensing", "description": "Hello everyone! This episode will be about Vulners Linux Audit API, which allows you to detect vulnerabilities on a Linux host knowing only the OS version and installed packages. I had a [similar post about this 4 years ago](<https://avleonov.com/2016/09/10/new-vulners-com-services-for-linux-security-audit-and-vulnerability-alerting/>), but some details have changed, so I came back to this topic.\n\n\n\n# Manual Audit\n\nThe easiest way to try Vulners Linux Audit capabilities, that even doesn\u2019t require registration, is to go to <https://vulners.com/audit> where you can specify the OS type, OS version and the output of the command for RedHat and Debain based Linux distributions.\n\n\n\nVulners supports nearly all popular Linux distributions:\n\n\n\nFor RedHat (RPM) based distributions, you can get OS version using\n \n \n $ cat /etc/redhat-release\n CentOS Linux release 8.3.2011\n\nand list installed packages using\n \n \n rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\\n'\n\nFor Debain (DEB) based distributions, you can get version using\n \n \n $ lsb_release -a\n No LSB modules are available.\n Distributor ID: Ubuntu\n Description: Ubuntu 18.04.4 LTS\n Release: 18.04\n Codename: bionic\n\nand list installed packages using\n \n \n dpkg-query -W -f='${Status} ${Package} ${Version} ${Architecture}\\n'|awk '($1 == \"install\") && ($2 == \"ok\") {print $4\" \"$5\" \"$6}'\n\nFor example, I've added packages for Ubuntu 18.04:\n\n\n\nAnd got the results (packages and vulnerabilities in the form of USN bulletins):\n\n\n\nThe vulnerabilities are clickable:\n\n\n\nWhat are the limitations? 
If you installed software from source codes or built the package yourself with some random version, of course, Vulners will not find a vulnerability in this. It will also not detect a vulnerability if the application is running in a docker container.\n\n# Linux Audit API and python scripting\n\nFirst of all, in order to use the Linux Scanner API, you must be a registered user.\n\n\n\nThen you go to <https://vulners.com/userinfo> and generate an API key. \n\n\n\nChoose the API scope and press save.\n\n\n\nIf you are new to Vulners, the license type will be free. It\u2019s good enough for testing, I\u2019ll add a few words about licensing later.\n\nSo, here is the script. Nothing special. List of packages in the same format as in Manual Audit, data dictionary with OS type and version, authentication token, one post request.\n \n \n import requests\n import json\n \n packages = '''accountsservice 0.6.45-1ubuntu1 amd64\n acl 2.2.52-3build1 amd64\n acpid 1:2.0.28-1ubuntu1 amd64\n adduser 3.116ubuntu1 all\n apparmor 2.12-4ubuntu5.1 amd64\n apport 2.20.9-0ubuntu7.9 all\n apport-symptoms 0.20 all\n apt 1.6.12 amd64\n apt-utils 1.6.12 amd64\n ...'''\n \n package_list = packages.split(\"\\n\")\n token = \"###TOKEN###\"\n data = {\"os\": \"ubuntu\", \n \"version\": \"16.04\", \n \"package\": package_list, \n \"apiKey\": token}\n response = requests.post('https://vulners.com/api/v3/audit/audit', \n data=json.dumps(data))\n print(json.dumps(response.json(), indent=4))\n\nSo in output I get the same vulnerabilities as in Manual Audit. Security bulletin vulnerabilities are grouped by package name. The most interesting is that we see the providedVersion which is less then bulletinVersion, so it can be verified manually. 
You can also see the list of related CVEs and a command for fixing.\n \n \n {\n \"result\": \"OK\",\n \"data\": {\n \"packages\": {\n \"snapd 2.42.1+18.04 amd64\": {\n \"USN-4424-1\": [\n {\n \"package\": \"snapd 2.42.1+18.04 amd64\",\n \"providedOSName\": \"ubuntu\",\n \"matchedOSName\": \"ubuntu\",\n \"bulletinOSName\": \"Ubuntu\",\n \"providedOSVersion\": \"16.04\",\n \"bulletinOSVersion\": \"16.04\",\n \"providedVersion\": \"2.42.1+18.04\",\n \"bulletinVersion\": \"2.45.1ubuntu0.2\",\n \"providedPackage\": \"snapd 2.42.1+18.04 amd64\",\n \"bulletinPackage\": \"UNKNOWN\",\n \"operator\": \"lt\",\n \"bulletinID\": \"USN-4424-1\",\n \"cvelist\": [\n \"CVE-2020-11934\",\n \"CVE-2020-11933\"\n ],\n \"cvss\": {\n \"score\": 4.6,\n \"vector\": \"AV:L/AC:L/Au:N/C:P/I:P/A:P\"\n },\n \"fix\": \"sudo apt-get --assume-yes install --only-upgrade snapd\"\n }\n ],\n ...\n\n# So, is it free? \n\nI often hear from employees of large companies that they use Vulners for Vulnerability Management because it\u2019s toll free. Well, strictly, it is not.\n\nIn the footer of each Vulners.com page [there is a link to EULA](<https://vulners.com/static/docs/eula.pdf>). According to it, it\u2019s free for personal education or research use. If you use Vulners at work to monitor your infrastructure or to get information about vulnerabilities, this is a commercial usage and you have to pay.\n\n\n\nHow much? It\u2019s better to request the latest details from sales@vulners.com. But currently the price starts from \u20ac150/month WITHOUT API usage and from \u20ac500/month for 10000 API calls. For \u20ac1000/month you can use Vulners API with no restrictions.\n\nIs this a lot? 6000 \u20ac/year (500 \u20ac/month) is about twice as much as the price of Nessus Professional. But comparing with other enterprise Vulnerability Management solutions, it\u2019s not really so much. For example, it\u2019s the [price of Tenable.io for only 160 hosts](<https://www.tenable.com/buy>). 
With Vulners Linux API and some optimization, it would be possible to cover MUCH more hosts and easily asses them daily.\n\nOne way to optimize is not to make a separate request for every host, but to collect all the packages that are used in your infrastructure for the OS version and make one request to collect related vulnerabilities. This optimization is ok, because it doesn\u2019t make additional load on Vulners servers.\n\nWhat if you want to use Vulners API for commercial goals, but don\u2019t need so many API calls? Well, strictly, such using without commercial license would be a violation. But you will not be banned if you use <1000 request per month. And Vulners Team doesn\u2019t ban such usage during the PoC, etc. Everything is discussable. But if you can pay, there is no reason you shouldn\u2019t. Vulners is a small self-financing startup that does a lot of work with very limited resources. Commercial licenses really help to pay servers and motivate the team to move on. ?\n\n", "published": "2021-02-11T23:31:01", "modified": "2021-02-11T23:31:01", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "href": "http://feedproxy.google.com/~r/avleonov/~3/msiy0ZbMggc/", "reporter": "Alexander Leonov", "references": [], "cvelist": ["CVE-2020-11933", "CVE-2020-11934"], "immutableFields": [], "lastseen": "2021-05-29T08:28:51", "viewCount": 240, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2020-11933", "CVE-2020-11934"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2020-11934"]}, {"type": "fedora", "idList": ["FEDORA:C53EA30EBC75", "FEDORA:E902B310BC02"]}, {"type": "nessus", "idList": ["FEDORA_2020-7685DEBA9B.NASL", "FEDORA_2020-CCB155EA2C.NASL", "UBUNTU_USN-4424-1.NASL"]}, {"type": "ubuntu", "idList": ["USN-4424-1"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2020-11933", "UB:CVE-2020-11934"]}], "rev": 4}, "score": {"value": 5.2, "vector": "NONE"}, "backreferences": {"references": [{"type": "cve", "idList": 
["CVE-2020-11933", "CVE-2020-11934"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2020-11934"]}, {"type": "fedora", "idList": ["FEDORA:C53EA30EBC75", "FEDORA:E902B310BC02"]}, {"type": "nessus", "idList": ["FEDORA_2020-7685DEBA9B.NASL", "FEDORA_2020-CCB155EA2C.NASL", "UBUNTU_USN-4424-1.NASL"]}, {"type": "ubuntu", "idList": ["USN-4424-1"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2020-11933", "UB:CVE-2020-11934"]}]}, "exploitation": null, "vulnersScore": 5.2}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.6, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "PHYSICAL", "availabilityImpact": "HIGH", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.9, "impactScore": 5.9}, "edition": 2, "scheme": null, "_state": {"dependencies": 1645925019}}
{"nessus": [{"lastseen": "2022-02-19T12:29:55", "description": "It was discovered that cloud-init as managed by snapd on Ubuntu Core 16 and Ubuntu Core 18 devices ran on every boot without restrictions.\nA physical attacker could exploit this to craft cloud-init user-data/meta-data via external media to perform arbitrary changes on the device to bypass intended security mechanisms such as full disk encryption. This issue did not affect traditional Ubuntu systems.\n(CVE-2020-11933)\n\nIt was discovered that snapctl user-open allowed altering the XDG_DATA_DIRS environment variable when calling the system xdg-open. A malicious snap could exploit this to bypass intended access restrictions to control how the host system xdg-open script opens the URL. This issue did not affect Ubuntu Core systems. (CVE-2020-11934).\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 6.8, "vector": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-07-16T00:00:00", "type": "nessus", "title": "Ubuntu 16.04 LTS / 18.04 LTS / 19.10 / 20.04 : snapd vulnerabilities (USN-4424-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-11933", "CVE-2020-11934"], "modified": "2020-08-07T00:00:00", "cpe": ["p-cpe:/a:canonical:ubuntu_linux:snapd", "cpe:/o:canonical:ubuntu_linux:16.04", "cpe:/o:canonical:ubuntu_linux:18.04:-:lts", "cpe:/o:canonical:ubuntu_linux:19.10", "cpe:/o:canonical:ubuntu_linux:20.04"], "id": "UBUNTU_USN-4424-1.NASL", "href": "https://www.tenable.com/plugins/nessus/138552", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-4424-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. 
Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(138552);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/08/07\");\n\n script_cve_id(\"CVE-2020-11933\", \"CVE-2020-11934\");\n script_xref(name:\"USN\", value:\"4424-1\");\n\n script_name(english:\"Ubuntu 16.04 LTS / 18.04 LTS / 19.10 / 20.04 : snapd vulnerabilities (USN-4424-1)\");\n script_summary(english:\"Checks dpkg output for updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Ubuntu host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"It was discovered that cloud-init as managed by snapd on Ubuntu Core\n16 and Ubuntu Core 18 devices ran on every boot without restrictions.\nA physical attacker could exploit this to craft cloud-init\nuser-data/meta-data via external media to perform arbitrary changes on\nthe device to bypass intended security mechanisms such as full disk\nencryption. This issue did not affect traditional Ubuntu systems.\n(CVE-2020-11933)\n\nIt was discovered that snapctl user-open allowed altering the\nXDG_DATA_DIRS environment variable when calling the system xdg-open. A\nmalicious snap could exploit this to bypass intended access\nrestrictions to control how the host system xdg-open script opens the\nURL. This issue did not affect Ubuntu Core systems. (CVE-2020-11934).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/4424-1/\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected snapd package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-11933\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:snapd\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:16.04\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:18.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:19.10\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:20.04\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/07/29\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/07/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/07/16\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2020 Canonical, Inc. / NASL script (C) 2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(16\\.04|18\\.04|19\\.10|20\\.04)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 16.04 / 18.04 / 19.10 / 20.04\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nflag = 0;\n\nif (ubuntu_check(osver:\"16.04\", pkgname:\"snapd\", pkgver:\"2.45.1ubuntu0.2\")) flag++;\nif (ubuntu_check(osver:\"18.04\", pkgname:\"snapd\", pkgver:\"2.45.1+18.04.2\")) flag++;\nif (ubuntu_check(osver:\"19.10\", pkgname:\"snapd\", pkgver:\"2.45.1+19.10.2\")) flag++;\nif (ubuntu_check(osver:\"20.04\", pkgname:\"snapd\", pkgver:\"2.45.1+20.04.2\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"snapd\");\n}\n", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-02-19T12:31:25", "description": "Update to v2.45.2 to fix CVE-2020-11933 and CVE-2020-11934\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.\nTenable has 
attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 6.8, "vector": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-07-16T00:00:00", "type": "nessus", "title": "Fedora 32 : snapd (2020-7685deba9b)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-11933", "CVE-2020-11934"], "modified": "2020-08-07T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:snapd", "cpe:/o:fedoraproject:fedora:32"], "id": "FEDORA_2020-7685DEBA9B.NASL", "href": "https://www.tenable.com/plugins/nessus/138533", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2020-7685deba9b.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(138533);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/08/07\");\n\n script_cve_id(\"CVE-2020-11933\", \"CVE-2020-11934\");\n script_xref(name:\"FEDORA\", value:\"2020-7685deba9b\");\n\n script_name(english:\"Fedora 32 : snapd (2020-7685deba9b)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"Update to v2.45.2 to fix CVE-2020-11933 and CVE-2020-11934\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2020-7685deba9b\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected snapd package.\");\n 
script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-11933\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:snapd\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:32\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/07/29\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/07/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/07/16\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^32([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 32\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC32\", reference:\"snapd-2.45.2-1.fc32\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"snapd\");\n}\n", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-02-19T12:32:58", "description": "Update to v2.45.2 to fix CVE-2020-11933 and CVE-2020-11934\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 6.8, "vector": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-07-16T00:00:00", "type": "nessus", "title": "Fedora 31 : snapd (2020-ccb155ea2c)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-11933", "CVE-2020-11934"], "modified": "2020-08-07T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:snapd", "cpe:/o:fedoraproject:fedora:31"], "id": "FEDORA_2020-CCB155EA2C.NASL", "href": "https://www.tenable.com/plugins/nessus/138534", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2020-ccb155ea2c.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(138534);\n script_version(\"1.3\");\n 
script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/08/07\");\n\n script_cve_id(\"CVE-2020-11933\", \"CVE-2020-11934\");\n script_xref(name:\"FEDORA\", value:\"2020-ccb155ea2c\");\n\n script_name(english:\"Fedora 31 : snapd (2020-ccb155ea2c)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"Update to v2.45.2 to fix CVE-2020-11933 and CVE-2020-11934\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2020-ccb155ea2c\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected snapd package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-11933\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:snapd\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:31\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/07/29\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/07/16\");\n 
script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/07/16\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^31([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 31\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC31\", reference:\"snapd-2.45.2-1.fc31\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"snapd\");\n}\n", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}], "fedora": [{"lastseen": "2021-07-28T14:46:51", "description": "Snappy is a modern, cross-distribution, transactional package manager designed for working with self-contained, immutable packages. 
", "cvss3": {"exploitabilityScore": 0.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "PHYSICAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 6.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-07-16T01:15:46", "type": "fedora", "title": "[SECURITY] Fedora 32 Update: snapd-2.45.2-1.fc32", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11933", "CVE-2020-11934"], "modified": "2020-07-16T01:15:46", "id": "FEDORA:E902B310BC02", "href": "", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-28T14:46:51", "description": "Snappy is a modern, cross-distribution, transactional package manager designed for working with self-contained, immutable packages. 
", "cvss3": {"exploitabilityScore": 0.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "PHYSICAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 6.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-07-16T01:25:11", "type": "fedora", "title": "[SECURITY] Fedora 31 Update: snapd-2.45.2-1.fc31", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11933", "CVE-2020-11934"], "modified": "2020-07-16T01:25:11", "id": "FEDORA:C53EA30EBC75", "href": "", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}], "ubuntu": [{"lastseen": "2022-01-04T11:19:06", "description": "It was discovered that cloud-init as managed by snapd on Ubuntu Core 16 and \nUbuntu Core 18 devices ran on every boot without restrictions. A physical \nattacker could exploit this to craft cloud-init user-data/meta-data via \nexternal media to perform arbitrary changes on the device to bypass \nintended security mechanisms such as full disk encryption. This issue did \nnot affect traditional Ubuntu systems. (CVE-2020-11933)\n\nIt was discovered that snapctl user-open allowed altering the XDG_DATA_DIRS \nenvironment variable when calling the system xdg-open. 
A malicious snap \ncould exploit this to bypass intended access restrictions to control how \nthe host system xdg-open script opens the URL. This issue did not affect \nUbuntu Core systems. (CVE-2020-11934)\n", "cvss3": {"exploitabilityScore": 0.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "PHYSICAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 6.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-07-15T00:00:00", "type": "ubuntu", "title": "snapd vulnerabilities", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11934", "CVE-2020-11933"], "modified": "2020-07-15T00:00:00", "id": "USN-4424-1", "href": "https://ubuntu.com/security/notices/USN-4424-1", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}], "ubuntucve": [{"lastseen": "2021-11-22T21:25:47", "description": "cloud-init as managed by snapd on Ubuntu Core 16 and Ubuntu Core 18 devices\nwas run without restrictions on every boot, which a physical attacker could\nexploit by crafting cloud-init user-data/meta-data via external media to\nperform arbitrary changes on the device to bypass intended security\nmechanisms such as full disk encryption. This issue did not affect\ntraditional Ubuntu systems. 
Fixed in snapd version 2.45.2, revision 8539\nand core version 2.45.2, revision 9659.\n\n#### Bugs\n\n * <https://launchpad.net/bugs/1879530>\n\n\n#### Notes\n\nAuthor| Note \n---|--- \n[jdstrand](<https://launchpad.net/~jdstrand>) | cloud-init as managed by snapd is only used on Ubuntu Core 16 and 18 devices. This does not affect traditional Ubuntu cloud, desktop and server systems or the upcoming Ubuntu Core 20. Since the attack requires physical presence, the vulnerability provides no additional access to standard Ubuntu Core devices. For Ubuntu Core devices with full disk encryption, the vulnerability allows admin access to the device after the disk has been decrypted. snapd will be updated to disable/restrict cloud-init after the first boot. Since this does not affect traditional deb-based Ubuntu systems, security updates will not be provided for the snapd deb in the Ubuntu archive and these debs are marked as 'not-affected'. For notification purposes we will issue a USN for this. Ubuntu Core 16 devices will be updated via the 'core' snap which includes snapd Ubuntu Core 18 devices will be updated via the 'snapd' snap (which is provided separated from the core18 snap) 20.04 LTS Raspberry Pi images are affected but do not include FDE. 
A non-security bug task has been added to https://launchpad.net/bugs/1879530.\n", "cvss3": {"exploitabilityScore": 0.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "PHYSICAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 6.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-07-15T00:00:00", "type": "ubuntucve", "title": "CVE-2020-11933", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11933"], "modified": "2020-07-15T00:00:00", "id": "UB:CVE-2020-11933", "href": "https://ubuntu.com/security/CVE-2020-11933", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-11-22T21:25:47", "description": "It was discovered that snapctl user-open allowed altering the\n$XDG_DATA_DIRS environment variable when calling the system xdg-open.\nOpenURL() in usersession/userd/launcher.go would alter $XDG_DATA_DIRS to\nappend a path to a directory controlled by the calling snap. A malicious\nsnap could exploit this to bypass intended access restrictions to control\nhow the host system xdg-open script opens the URL and, for example, execute\na script shipped with the snap without confinement. This issue did not\naffect Ubuntu Core systems. 
Fixed in snapd versions 2.45.1ubuntu0.2,\n2.45.1+18.04.2 and 2.45.1+20.04.2.\n\n#### Bugs\n\n * <https://bugs.launchpad.net/snapd/+bug/1880085>\n\n\n#### Notes\n\nAuthor| Note \n---|--- \n[emitorino](<https://launchpad.net/~emitorino>) | Since the vulnerability is present on the userd's OpenURL implementation, it only affects classic distros where userd is auto-started. Since userd cannot be auto-started on Ubuntu Core 16, Ubuntu Core 18 or Ubuntu Core 20 (for various reasons depending on the release), then Ubuntu Core is not affected. Even if userd happened to start (eg, the user started it manually on UC20) there is no implicitOnCore policy that allows communicating with io.snapcraft.Launcher (or the older com.canonical.SafeLauncher). The dbus interface can't be used (with either plugs or slots) to communicate with userd. /usr/bin/xdg-open on the boot file system of an Ubuntu Core system is different to Classic: it is the sandbox proxy that calls back into userd. Even if a session bus is running and a confined app could call userd, userd will report an error because the caller is not confined\n", "cvss3": {"exploitabilityScore": 1.5, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "baseScore": 5.9, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 4.0}, "published": "2020-07-15T00:00:00", "type": "ubuntucve", "title": "CVE-2020-11934", "bulletinFamily": "info", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 1.9, "vectorString": "AV:L/AC:M/Au:N/C:N/I:P/A:N", 
"version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11934"], "modified": "2020-07-15T00:00:00", "id": "UB:CVE-2020-11934", "href": "https://ubuntu.com/security/CVE-2020-11934", "cvss": {"score": 1.9, "vector": "AV:L/AC:M/Au:N/C:N/I:P/A:N"}}], "cve": [{"lastseen": "2022-03-23T12:25:06", "description": "cloud-init as managed by snapd on Ubuntu Core 16 and Ubuntu Core 18 devices was run without restrictions on every boot, which a physical attacker could exploit by crafting cloud-init user-data/meta-data via external media to perform arbitrary changes on the device to bypass intended security mechanisms such as full disk encryption. This issue did not affect traditional Ubuntu systems. Fixed in snapd version 2.45.2, revision 8539 and core version 2.45.2, revision 9659.", "cvss3": {"exploitabilityScore": 0.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "PHYSICAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 6.8, "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-07-29T17:15:00", "type": "cve", "title": "CVE-2020-11933", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11933"], "modified": 
"2021-11-04T17:45:00", "cpe": ["cpe:/o:canonical:ubuntu_linux:16.04", "cpe:/o:canonical:ubuntu_linux:20.04", "cpe:/o:canonical:ubuntu_linux:19.10", "cpe:/o:canonical:ubuntu_linux:18.04"], "id": "CVE-2020-11933", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-11933", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:19.10:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:*"]}, {"lastseen": "2022-03-23T12:25:08", "description": "It was discovered that snapctl user-open allowed altering the $XDG_DATA_DIRS environment variable when calling the system xdg-open. OpenURL() in usersession/userd/launcher.go would alter $XDG_DATA_DIRS to append a path to a directory controlled by the calling snap. A malicious snap could exploit this to bypass intended access restrictions to control how the host system xdg-open script opens the URL and, for example, execute a script shipped with the snap without confinement. This issue did not affect Ubuntu Core systems. 
Fixed in snapd versions 2.45.1ubuntu0.2, 2.45.1+18.04.2 and 2.45.1+20.04.2.", "cvss3": {"exploitabilityScore": 1.5, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 5.9, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 4.0}, "published": "2020-07-29T17:15:00", "type": "cve", "title": "CVE-2020-11934", "cwe": ["CWE-668"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 1.9, "vectorString": "AV:L/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11934"], "modified": "2020-08-05T18:46:00", "cpe": ["cpe:/o:canonical:ubuntu_linux:16.04", "cpe:/o:canonical:ubuntu_linux:20.04", "cpe:/o:canonical:ubuntu_linux:19.10", "cpe:/o:canonical:ubuntu_linux:18.04"], "id": "CVE-2020-11934", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-11934", "cvss": {"score": 1.9, "vector": "AV:L/AC:M/Au:N/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:19.10:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:*"]}], "debiancve": [{"lastseen": "2022-03-26T15:40:18", "description": "It was discovered that snapctl user-open allowed altering the $XDG_DATA_DIRS environment variable when calling the system xdg-open. 
OpenURL() in usersession/userd/launcher.go would alter $XDG_DATA_DIRS to append a path to a directory controlled by the calling snap. A malicious snap could exploit this to bypass intended access restrictions to control how the host system xdg-open script opens the URL and, for example, execute a script shipped with the snap without confinement. This issue did not affect Ubuntu Core systems. Fixed in snapd versions 2.45.1ubuntu0.2, 2.45.1+18.04.2 and 2.45.1+20.04.2.", "cvss3": {"exploitabilityScore": 1.5, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 5.9, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 4.0}, "published": "2020-07-29T17:15:00", "type": "debiancve", "title": "CVE-2020-11934", "bulletinFamily": "info", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 1.9, "vectorString": "AV:L/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11934"], "modified": "2020-07-29T17:15:00", "id": "DEBIANCVE:CVE-2020-11934", "href": "https://security-tracker.debian.org/tracker/CVE-2020-11934", "cvss": {"score": 1.9, "vector": "AV:L/AC:M/Au:N/C:N/I:P/A:N"}}]}