CVE-2021-4120

Published: 17 February 2022

snapd 2.54.2 fails to perform sufficient validation of snap content interface and layout paths, resulting in the ability for snaps to inject arbitrary AppArmor policy rules via malformed content interface and layout declarations and hence escape strict snap confinement. Fixed in snapd versions 2.54.3+18.04, 2.54.3+20.04 and 2.54.3+21.10.1

Priority

CVSS 3 base score: 8.2

Status

Package	Release	Status
snapd Launchpad, Ubuntu, Debian	bionic	Released (2.54.3+18.04)
	focal	Released (2.54.3+20.04)
	hirsute	Ignored (reached end-of-life)
	impish	Released (2.54.3+21.10.1)
	trusty	Released (2.54.3+14.04~esm1)
	upstream	Released (2.54.3)
	xenial	Released (2.54.3+16.04~esm2)

References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4120
https://ubuntu.com/security/notices/USN-5292-1
https://www.openwall.com/lists/oss-security/2022/02/18/2
https://github.com/snapcore/snapd/commit/f3f669d720ed8b0bcb73da7789843bf43b5c16cf
NVD
Launchpad
Debian

Bugs

https://bugs.launchpad.net/snapd/+bug/1949368

Join the discussion

Ubuntu security updates mailing list
Security announcements mailing list

Canonical is offering Expanded Security Maintenance

Canonical is offering Ubuntu Expanded Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›