Apport Project Security Vulnerabilities

CVE-2015-1318

The crash reporting feature in Apport 2.13 through 2.17.x before 2.17.1 allows local users to gain privileges via a crafted usr/share/apport/apport file in a namespace (container).

6.6 AI Score

0.001 EPSS

2015-04-17 05:59 PM

CVE-2015-1338

kernel_crashdump in Apport before 2.19 allows local users to cause a denial of service (disk consumption) or possibly gain privileges via a (1) symlink or (2) hard link attack on /var/crash/vmcore.log.

6.7 AI Score

0.0004 EPSS

2015-10-01 08:59 PM

CVE-2016-9949

An issue was discovered in Apport before 2.20.4. In apport/ui.py, Apport reads the CrashDB field and it then evaluates the field as Python code if it begins with a "{". This allows remote attackers to execute arbitrary Python code.

7.8 CVSS

7.7 AI Score

0.006 EPSS

2016-12-17 03:59 AM

CVE-2016-9950

An issue was discovered in Apport before 2.20.4. There is a path traversal issue in the Apport crash file "Package" and "SourcePackage" fields. These fields are used to build a path to the package specific hook files in the /usr/share/apport/package-hooks/ directory. An attacker can exploit this pa...

7.8 CVSS

7.6 AI Score

0.001 EPSS

2016-12-17 03:59 AM

CVE-2016-9951

An issue was discovered in Apport before 2.20.4. A malicious Apport crash file can contain a restart command in RespawnCommand or ProcCmdline fields. This command will be executed if a user clicks the Relaunch button on the Apport prompt from the malicious crash file. The fix is to only show the Re...

6.5 CVSS

6.6 AI Score

0.001 EPSS

2016-12-17 03:59 AM

CVE-2017-10708

An issue was discovered in Apport through 2.20.x. In apport/report.py, Apport sets the ExecutablePath field and it then uses the path to run package specific hooks without protecting against path traversal. This allows remote attackers to execute arbitrary code via a crafted .crash file.

7.8 CVSS

7.8 AI Score

0.006 EPSS

2017-07-18 08:29 PM

CVE-2017-14177

Apport through 2.20.7 does not properly handle core dumps from setuid binaries allowing local users to create certain files as root which an attacker could leverage to perform a denial of service via resource exhaustion or possibly gain root privileges. NOTE: this vulnerability exists because of an...

7.8 CVSS

7.6 AI Score

0.0004 EPSS

2018-02-02 02:29 PM

CVE-2017-14179

Apport before 2.13 does not properly handle crashes originating from a PID namespace allowing local users to create certain files as root which an attacker could leverage to perform a denial of service via resource exhaustion, possibly gain root privileges, or escape from containers.

7.8 CVSS

7.5 AI Score

0.0004 EPSS

2018-02-02 02:29 PM

CVE-2017-14180

Apport 2.13 through 2.20.7 does not properly handle crashes originating from a PID namespace allowing local users to create certain files as root which an attacker could leverage to perform a denial of service via resource exhaustion or possibly gain root privileges, a different vulnerability than ...

7.8 CVSS

7.5 AI Score

0.0004 EPSS

2018-02-02 02:29 PM

CVE-2018-6552

Apport does not properly handle crashes originating from a PID namespace allowing local users to create certain files as root which an attacker could leverage to perform a denial of service via resource exhaustion, possibly gain root privileges, or escape from containers. The is_same_ns() function ...

7.8 CVSS

7.4 AI Score

0.0004 EPSS

2018-05-31 10:29 PM

CVE-2019-11481

Kevin Backhouse discovered that apport would read a user-supplied configuration file with elevated privileges. By replacing the file with a symbolic link, a user could get apport to read any file on the system as root, with unknown consequences.

7.8 CVSS

7.4 AI Score

0.0004 EPSS

2020-02-08 05:15 AM

CVE-2019-11482

Sander Bos discovered a time of check to time of use (TOCTTOU) vulnerability in apport that allowed a user to cause core files to be written in arbitrary directories.

4.7 CVSS

5.5 AI Score

0.0004 EPSS

2020-02-08 05:15 AM

CVE-2019-11483

Sander Bos discovered Apport mishandled crash dumps originating from containers. This could be used by a local attacker to generate a crash report for a privileged process that is readable by an unprivileged user.

7 CVSS

4.9 AI Score

0.0004 EPSS

2020-02-08 05:15 AM

CVE-2019-11485

Sander Bos discovered Apport's lock file was in a world-writable directory which allowed all users to prevent crash handling.

3.3 CVSS

5 AI Score

0.0004 EPSS

2020-02-08 05:15 AM

CVE-2019-15790

Apport reads and writes information on a crashed process to /proc/pid with elevated privileges. Apport then determines which user the crashed process belongs to by reading /proc/pid through get_pid_info() in data/apport. An unprivileged user could exploit this to read information about a privileged...

3.3 CVSS

5.1 AI Score

0.001 EPSS

2020-04-28 12:15 AM

CVE-2019-7307

Apport before versions 2.14.1-0ubuntu3.29+esm1, 2.20.1-0ubuntu2.19, 2.20.9-0ubuntu7.7, 2.20.10-0ubuntu27.1, 2.20.11-0ubuntu5 contained a TOCTTOU vulnerability when reading the user's ~/.apport-ignore.xml file, which allows a local attacker to replace this file with a symlink to any other file on the...

7 CVSS

6.5 AI Score

0.0004 EPSS

2019-08-29 03:15 PM

CVE-2020-8831

Apport creates a world writable lock file with root ownership in the world writable /var/lock/apport directory. If the apport/ directory does not exist (this is not uncommon as /var/lock is a tmpfs), it will create the directory, otherwise it will simply continue execution using the existing direct...

6.5 CVSS

5.5 AI Score

0.001 EPSS

2020-04-22 10:15 PM

CVE-2020-8833

Time-of-check Time-of-use Race Condition vulnerability on crash report ownership change in Apport allows for a possible privilege escalation opportunity. If fs.protected_symlinks is disabled, this can be exploited between the os.open and os.chown calls when the Apport cron script clears out crash f...

5.6 CVSS

5.1 AI Score

0.001 EPSS

2020-04-22 10:15 PM

CVE-2022-28652

~/.config/apport/settings parsing is vulnerable to "billion laughs" attack

5.5 CVSS

6.6 AI Score

0.0004 EPSS

2024-06-04 10:15 PM

CVE-2022-28654

is_closing_session() allows users to fill up apport.log

5.5 CVSS

6.5 AI Score

0.0004 EPSS

2024-06-04 10:15 PM

CVE-2022-28655

is_closing_session() allows users to create arbitrary tcp dbus connections

7.1 CVSS

6.6 AI Score

0.0004 EPSS

2024-06-04 10:15 PM

CVE-2022-28656

is_closing_session() allows users to consume RAM in the Apport process

5.5 CVSS

6.5 AI Score

0.0004 EPSS

2024-06-04 10:15 PM

CVE-2022-28657

Apport does not disable python crash handler before entering chroot

7.8 CVSS

6.6 AI Score

0.0004 EPSS

2024-06-04 10:15 PM

CVE-2022-28658

Apport argument parsing mishandles filename splitting on older kernels resulting in argument spoofing

5.5 CVSS

6.6 AI Score

0.0004 EPSS

2024-06-04 10:15 PM