CVE-2019-7304
Publication date 12 February 2019
Last updated 24 July 2024
Ubuntu priority
Canonical snapd before version 2.37.1 incorrectly performed socket owner validation, allowing an attacker to run arbitrary commands as root. This issue affects: Canonical snapd versions prior to 2.37.1.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| snapd | ||
| 18.04 LTS bionic |
Fixed 2.34.2+18.04.1
|
|
| 16.04 LTS xenial |
Fixed 2.34.2ubuntu0.1
|
|
| 14.04 LTS trusty |
Fixed 2.34.2~14.04.1
|
Notes
jdstrand
introduced in https://github.com/snapcore/snapd/pull/4626 original CRD was 2019-02-06 16:00:00 UTC but delayed due to delayed Fedora update
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
9.8 · Critical
|
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | High |
| Availability impact | High |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
References
Related Ubuntu Security Notices (USN)
- USN-3887-1
- snapd vulnerability
- 12 February 2019