Veracode Vulnerability DatabaseVERACODE:34286Data Injection
7.8 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.6 Medium
CVSS2
Access Vector
LOCAL
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:L/AC:L/Au:N/C:P/I:P/A:P
github.com/snapcore/snapd is vulnerable to data injection. The vulnerability exists because snapd doesn’t properly validate content interface and layout paths which allows an attacker to inject and execute arbitrary AppArmor policy rules.
References
www.openwall.com/lists/oss-security/2022/02/18/2
bugs.launchpad.net/snapd/+bug/1949368
bugzilla.redhat.com/show_bug.cgi?id=2056065
github.com/advisories/GHSA-hfvx-54vj-h9wq
lists.fedoraproject.org/archives/list/[email protected]/message/3QTBN7LLZISXIA4KU4UKDR27Q5PXDS2U/
lists.fedoraproject.org/archives/list/[email protected]/message/XCGHG6LJAVJJ72TMART6A7N4Z6MSTGI7/
ubuntu.com/security/notices/USN-5292-1
www.openwall.com/lists/oss-security/2022/02/18/2
Related
7.8 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.6 Medium
CVSS2
Access Vector
LOCAL
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:L/AC:L/Au:N/C:P/I:P/A:P