6.8 Medium
CVSS3
Attack Vector
PHYSICAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
6.2 Medium
AI Score
Confidence
High
4.6 Medium
CVSS2
Access Vector
LOCAL
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:L/AC:L/Au:N/C:P/I:P/A:P
0.001 Low
EPSS
Percentile
28.3%
It was discovered that cloud-init as managed by snapd on Ubuntu Core 16 and
Ubuntu Core 18 devices ran on every boot without restrictions. A physical
attacker could exploit this to craft cloud-init user-data/meta-data via
external media to perform arbitrary changes on the device to bypass
intended security mechanisms such as full disk encryption. This issue did
not affect traditional Ubuntu systems. (CVE-2020-11933)
It was discovered that snapctl user-open allowed altering the XDG_DATA_DIRS
environment variable when calling the system xdg-open. A malicious snap
could exploit this to bypass intended access restrictions to control how
the host system xdg-open script opens the URL. This issue did not affect
Ubuntu Core systems. (CVE-2020-11934)
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
Ubuntu | 20.04 | noarch | snapd | < 2.45.1+20.04.2 | UNKNOWN |
Ubuntu | 20.04 | noarch | golang-github-snapcore-snapd-dev | < 2.45.1+20.04.2 | UNKNOWN |
Ubuntu | 20.04 | noarch | golang-github-ubuntu-core-snappy-dev | < 2.45.1+20.04.2 | UNKNOWN |
Ubuntu | 20.04 | noarch | snap-confine | < 2.45.1+20.04.2 | UNKNOWN |
Ubuntu | 20.04 | noarch | snapd-dbgsym | < 2.45.1+20.04.2 | UNKNOWN |
Ubuntu | 20.04 | noarch | snapd-xdg-open | < 2.45.1+20.04.2 | UNKNOWN |
Ubuntu | 20.04 | noarch | ubuntu-core-launcher | < 2.45.1+20.04.2 | UNKNOWN |
Ubuntu | 20.04 | noarch | ubuntu-core-snapd-units | < 2.45.1+20.04.2 | UNKNOWN |
Ubuntu | 20.04 | noarch | ubuntu-snappy | < 2.45.1+20.04.2 | UNKNOWN |
Ubuntu | 20.04 | noarch | ubuntu-snappy-cli | < 2.45.1+20.04.2 | UNKNOWN |
6.8 Medium
CVSS3
Attack Vector
PHYSICAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
6.2 Medium
AI Score
Confidence
High
4.6 Medium
CVSS2
Access Vector
LOCAL
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:L/AC:L/Au:N/C:P/I:P/A:P
0.001 Low
EPSS
Percentile
28.3%