CVE-2021-3155
Published: 13 January 2021
snapd 2.54.2 and earlier created ~/snap directories in user home directories without specifying owner-only permissions. This could allow a local attacker to read information that should have been private. Fixed in snapd versions 2.54.3+18.04, 2.54.3+20.04 and 2.54.3+21.10.1.
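A check for the condition described above, as an added example that is not part of the advisory or of snapd: it lists `snap` directories under a home root that grant any access to group or other, and can tighten one. It assumes GNU `stat` and homes laid out as `<root>/<user>`; all function names and the demo layout are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit ~/snap directories for group/other access (CVE-2021-3155).
# Assumptions: GNU stat (as on Ubuntu); home directories live at <root>/<user>.

# Succeeds when DIR grants no permission bits to group or other.
snap_dir_is_private() {
    mode=$(stat -c '%a' -- "$1") || return 2
    case "$mode" in
        0|*00) return 0 ;;   # last two octal digits (group, other) are zero
        *)     return 1 ;;
    esac
}

# Prints each <root>/*/snap directory that group or other can access.
# Returns 1 if any were found, 0 otherwise. Symlinked snap dirs are skipped.
audit_snap_dirs() {
    root=$1
    found=0
    for dir in "$root"/*/snap; do
        [ -d "$dir" ] && [ ! -L "$dir" ] || continue
        if ! snap_dir_is_private "$dir"; then
            printf '%s mode=%s\n' "$dir" "$(stat -c '%a' -- "$dir")"
            found=1
        fi
    done
    return "$found"
}

# Removes group/other access from one directory (owner bits are left alone).
tighten_snap_dir() {
    chmod go-rwx -- "$1"
}

# Constructed demo layout: alice's snap dir is 0755, standing in for a
# directory created without owner-only permissions; bob's is 0700.
make_demo_homes() {
    demo=$(mktemp -d)
    mkdir -p "$demo/alice/snap" "$demo/bob/snap"
    chmod 755 "$demo/alice/snap"
    chmod 700 "$demo/bob/snap"
    printf '%s\n' "$demo"
}

# Run the audit when a home root is given, e.g.: sh audit.sh /home
if [ "$#" -gt 0 ]; then audit_snap_dirs "$1"; fi
```

Run it as root to cover every home directory; an unprivileged run only sees directories the caller can already traverse.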
Priority
Status
Package | Release | Status |
---|---|---|
snapd | groovy | Ignored (end of life) |
snapd | trusty | Released (2.54.3+14.04~esm1). Available with Ubuntu Pro or Ubuntu Pro (Infra-only) |
snapd | impish | Released (2.54.3+21.10.1) |
snapd | xenial | Released (2.54.3+16.04~esm2). Available with Ubuntu Pro or Ubuntu Pro (Infra-only) |
snapd | upstream | Released (2.54.3) |
snapd | bionic | Released (2.54.3+18.04) |
snapd | focal | Released (2.54.3+20.04) |
snapd | hirsute | Ignored (end of life) |

Patches:
upstream: https://github.com/snapcore/snapd/pull/9841
upstream: https://github.com/snapcore/snapd/commit/6bcaeeccd16ed8298a301dd92f6907f88c24cc85
upstream: https://github.com/snapcore/snapd/commit/7d2a966620002149891446a53cf114804808dcca

Severity score breakdown
Parameter | Value |
---|---|
Base score | 5.5 |
Attack vector | Local |
Attack complexity | Low |
Privileges required | Low |
User interaction | None |
Scope | Unchanged |
Confidentiality | High |
Integrity impact | None |
Availability impact | None |
Vector | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |