CVE-2021-3155

Publication date 13 January 2021

Last updated 24 July 2024

Ubuntu priority

Cvss 3 Severity Score

snapd 2.54.2 and earlier created ~/snap directories in user home directories without specifying owner-only permissions. This could allow a local attacker to read information that should have been private. Fixed in snapd versions 2.54.3+18.04, 2.54.3+20.04 and 2.54.3+21.10.1

Status

Show unmaintained releases

Package	Ubuntu Release	Status
snapd	21.10 impish	Fixed 2.54.3+21.10.1
	21.04 hirsute	Ignored end of life
	20.10 groovy	Ignored end of life
	20.04 LTS focal	Fixed 2.54.3+20.04
	18.04 LTS bionic	Fixed 2.54.3+18.04
	16.04 LTS xenial	Fixed 2.54.3+16.04~esm2 Ubuntu Pro
	14.04 LTS trusty	Fixed 2.54.3+14.04~esm1 Ubuntu Pro

Get expanded security coverage with Ubuntu Pro

Reduce your average CVE exposure time from 98 days to 1 day with expanded CVE patching, ten-years security maintenance and optional support for the full stack of open-source applications. Free for personal use.

Get Ubuntu Pro

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
snapd	Upstream: https://github.com/snapcore/snapd/pull/9841 Upstream: 6bcaeec Upstream: 7d2a966

Severity score breakdown

Parameter	Value
Base score	5.5 · Medium
Attack vector	Local
Attack complexity	Low
Privileges required	Low
User interaction	None
Scope	Unchanged
Confidentiality	High
Integrity impact	None
Availability impact	None
Vector	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

References

Related Ubuntu Security Notices (USN)

USN-5292-1
snapd vulnerabilities
17 February 2022

USN-5292-2
snapd vulnerabilities
18 February 2022

USN-5292-3
snapd vulnerabilities
18 February 2022

Other references

https://www.cve.org/CVERecord?id=CVE-2021-3155