5.9 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N
1.9 Low
CVSS2
Access Vector
LOCAL
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:L/AC:M/Au:N/C:N/I:P/A:N
0.0004 Low
EPSS
Percentile
11.7%
It was discovered that snapctl user-open allowed altering the
$XDG_DATA_DIRS environment variable when calling the system xdg-open.
OpenURL() in usersession/userd/launcher.go would alter $XDG_DATA_DIRS to
append a path to a directory controlled by the calling snap. A malicious
snap could exploit this to bypass intended access restrictions to control
how the host system xdg-open script opens the URL and, for example, execute
a script shipped with the snap without confinement. This issue did not
affect Ubuntu Core systems. Fixed in snapd versions 2.45.1ubuntu0.2,
2.45.1+18.04.2 and 2.45.1+20.04.2.
Author | Note |
---|---|
emitorino | Since the vulnerability is present on the userd’s OpenURL implementation, it only affects classic distros where userd is auto-started. Since userd cannot be auto-started on Ubuntu Core 16, Ubuntu Core 18 or Ubuntu Core 20 (for various reasons depending on the release), then Ubuntu Core is not affected. Even if userd happened to start (eg, the user started it manually on UC20) there is no implicitOnCore policy that allows communicating with io.snapcraft.Launcher (or the older com.canonical.SafeLauncher). The dbus interface can’t be used (with either plugs or slots) to communicate with userd. /usr/bin/xdg-open on the boot file system of an Ubuntu Core system is different to Classic: it is the sandbox proxy that calls back into userd. Even if a session bus is running and a confined app could call userd, userd will report an error because the caller is not confined |
5.9 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N
1.9 Low
CVSS2
Access Vector
LOCAL
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:L/AC:M/Au:N/C:N/I:P/A:N
0.0004 Low
EPSS
Percentile
11.7%