CVE-2021-3155

Published: 13 January 2021

snapd 2.54.2 and earlier created ~/snap directories in user home directories without specifying owner-only permissions. This could allow a local attacker to read information that should have been private. Fixed in snapd versions 2.54.3+18.04, 2.54.3+20.04 and 2.54.3+21.10.1.
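To check a host for the condition described above, the following added example (not part of the advisory or of snapd) lists `~/snap` directories that grant any access to group or other, and can tighten them. It assumes home directories sit under one base directory such as `/home` and that GNU `stat -c` is available; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit ~/snap directories for the permission problem in
# CVE-2021-3155. Assumes GNU coreutils stat (stat -c), as shipped on Ubuntu.
# Usage (as root, so every user's home can be inspected):
#   audit_snap_dirs /home

# Print the octal permission bits of a path, e.g. 755.
dir_mode() {
    stat -c '%a' "$1"
}

# Return 0 if the directory grants any permission to group or other,
# 1 if it is owner-only, 2 if it cannot be inspected.
snap_dir_exposed() {
    mode=$(dir_mode "$1") || return 2
    # Leading 0 makes the shell read the mode as octal; mask group+other bits.
    go=$(( 0$mode & 077 ))
    [ "$go" -ne 0 ]
}

# Print "mode path" for every <base>/<user>/snap that is not owner-only.
# Returns 1 if at least one such directory was found, 0 otherwise.
audit_snap_dirs() {
    base=$1
    found=0
    for d in "$base"/*/snap; do
        [ -d "$d" ] || continue        # no match, or not a directory
        [ -L "$d" ] && continue        # do not follow symlinks
        if snap_dir_exposed "$d"; then
            printf '%s %s\n' "$(dir_mode "$d")" "$d"
            found=1
        fi
    done
    return "$found"
}

# Remove all group and other permissions from one directory (owner-only).
tighten_snap_dir() {
    chmod go-rwx "$1"
}
```
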

Priority: Medium

CVSS 3 Severity Score: 5.5

Status

| Package | Release | Status |
|---|---|---|
| snapd | groovy | Ignored (end of life) |
| snapd | trusty | Released (2.54.3+14.04~esm1). Available with Ubuntu Pro or Ubuntu Pro (Infra-only) |
| snapd | impish | Released (2.54.3+21.10.1) |
| snapd | xenial | Released (2.54.3+16.04~esm2). Available with Ubuntu Pro or Ubuntu Pro (Infra-only) |
| snapd | upstream | Released (2.54.3) |
| snapd | bionic | Released (2.54.3+18.04) |
| snapd | focal | Released (2.54.3+20.04) |
| snapd | hirsute | Ignored (end of life) |

Patches:
upstream: https://github.com/snapcore/snapd/pull/9841
upstream: https://github.com/snapcore/snapd/commit/6bcaeeccd16ed8298a301dd92f6907f88c24cc85
upstream: https://github.com/snapcore/snapd/commit/7d2a966620002149891446a53cf114804808dcca

Severity score breakdown

| Parameter | Value |
|---|---|
| Base score | 5.5 |
| Attack vector | Local |
| Attack complexity | Low |
| Privileges required | Low |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | None |
| Availability impact | None |
| Vector | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |