snap-confine in snapd before 2.38 incorrectly set the ownership of a snap application to the uid and gid of the first calling user. Consequently, that user had unintended access to a private /tmp directory.
7.5CVSS
7.4AI Score
0.006EPSS
snap-confine as included in snapd before 2.39 did not guard against symlink races when performing the chdir() to the current working directory of the calling user, aka a "cwd restore permission bypass."
7.5CVSS
7.2AI Score
0.003EPSS
A vulnerability in the seccomp filters of Canonical snapd before version 2.37.4 allows a strict mode snap to insert characters into a terminal on a 64-bit host. The seccomp rules were generated to match 64-bit ioctl(2) commands on a 64-bit platform; however, the Linux kernel only uses the lower 32 ...
7.5CVSS
7.2AI Score
0.02EPSS
Canonical snapd before version 2.37.1 incorrectly performed socket owner validation, allowing an attacker to run arbitrary commands as root. This issue affects: Canonical snapd versions prior to 2.37.1.
9.8CVSS
9.4AI Score
0.103EPSS
cloud-init as managed by snapd on Ubuntu Core 16 and Ubuntu Core 18 devices was run without restrictions on every boot, which a physical attacker could exploit by crafting cloud-init user-data/meta-data via external media to perform arbitrary changes on the device to bypass intended security mechan...
7.3CVSS
6.3AI Score
0.001EPSS
snapd 2.54.2 and earlier created ~/snap directories in user home directories without specifying owner-only permissions. This could allow a local attacker to read information that should have been private. Fixed in snapd versions 2.54.3+18.04, 2.54.3+20.04 and 2.54.3+21.10.1
5.5CVSS
6.4AI Score
0.0004EPSS
snapd 2.54.2 fails to perform sufficient validation of snap content interface and layout paths, resulting in the ability for snaps to inject arbitrary AppArmor policy rules via malformed content interface and layout declarations and hence escape strict snap confinement. Fixed in snapd versions 2.54...
8.2CVSS
8AI Score
0.001EPSS
snapd 2.54.2 did not properly validate the location of the snap-confine binary. A local attacker who can hardlink this binary to another location to cause snap-confine to execute other arbitrary binaries and hence gain privilege escalation. Fixed in snapd versions 2.54.3+18.04, 2.54.3+20.04 and 2.5...
8.8CVSS
8.6AI Score
0.0004EPSS
A race condition existed in the snapd 2.54.2 snap-confine binary when preparing a private mount namespace for a snap. This could allow a local attacker to gain root privileges by bind-mounting their own contents inside the snap's private mount namespace and causing snap-confine to execute arbitrary...
7.8CVSS
8.4AI Score
0.0005EPSS
7.8CVSS
6.6AI Score
0.0004EPSS
Using the TIOCLINUX ioctl request, a malicious snap could inject contents into the input of the controlling terminal which could allow it to cause arbitrary commands to be executed outside of the snap sandbox after the snap exits. Graphical terminal emulators like xterm, gnome-terminal and others a...
10CVSS
9.5AI Score
0.001EPSS
In snapd versions prior to 2.62, when using AppArmor for enforcement ofsandbox permissions, snapd failed to restrict writes to the $HOME/binpath. In Ubuntu, when this path exists, it is automatically added tothe users PATH. An attacker who could convince a user to install amalicious snap which used...
8.2CVSS
6.5AI Score
0.001EPSS
In snapd versions prior to 2.62, snapd failed to properly check the filetype when extracting a snap. The snap format is a squashfs file-systemimage and so can contain files that are non-regular files (such as pipesor sockets etc). Various file entries within the snap squashfs image(such as icons et...
6.6CVSS
5.5AI Score
0.0004EPSS
In snapd versions prior to 2.62, snapd failed to properly check thedestination of symbolic links when extracting a snap. The snap formatis a squashfs file-system image and so can contain symbolic links andother file types. Various file entries within the snap squashfs image(such as icons and deskto...
7.3CVSS
5.1AI Score
0.0004EPSS