CVSS: 6.5EPSS: 0%CPEs: 175EXPL: 1CVE-2021-3709 – Apport file permission bypass through emacs byte compilation errors
https://notcve.org/view.php?id=CVE-2021-3709
Function check_attachment_for_errors() in file data/general-hooks/ubuntu.py could be tricked into exposing private data via a constructed crash file. This issue affects: apport 2.14.1 versions prior to 2.14.1-0ubuntu3.29+esm8; 2.20.1 versions prior to 2.20.1-0ubuntu2.30+esm2; 2.20.9 versions prior to 2.20.9-0ubuntu7.26; 2.20.11 versions prior to 2.20.11-0ubuntu27.20; 2.20.11 versions prior to 2.20.11-0ubuntu65.3; La función check_attachment_for_errors() en el archivo data/general-hooks/ubuntu.py podría ser engañada para exponer datos privados por medio de un archivo de bloqueo construido. Este problema afecta a: las versiones de apport 2.14.1 anteriores a 2.14.1-0ubuntu3.29+esm8; versiones 2.20.1 anteriores a 2.20.1-0ubuntu2.30+esm2; versiones 2.20.9 anteriores a 2.20.9-0ubuntu7.26; versiones 2.20.11 anteriores a 2.20.11-0ubuntu27.20; versiones 2.20.11 anteriores a 2.20.11-0ubuntu65.3; • https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1934308 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3709 https://ubuntu.com/security/notices/USN-5077-1 https://ubuntu.com/security/notices/USN-5077-2 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-538: Insertion of Sensitive Information into Externally-Accessible File or Directory •
CVSS: 7.1EPSS: 0%CPEs: 6EXPL: 1CVE-2021-32557 – apport process_report() arbitrary file write
https://notcve.org/view.php?id=CVE-2021-32557
It was discovered that the process_report() function in data/whoopsie-upload-all allowed arbitrary file writes via symlinks. Se ha detectado que la función process_report() en la ruta data/whoopsie-upload-all permitía la escritura arbitraria de archivos por medio de enlaces simbólicos • https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1917904 • CWE-59: Improper Link Resolution Before File Access ('Link Following') CWE-61: UNIX Symbolic Link (Symlink) Following •
CVSS: 3.8EPSS: 0%CPEs: 6EXPL: 0CVE-2021-32556 – apport get_modified_conffiles() function command injection
https://notcve.org/view.php?id=CVE-2021-32556
It was discovered that the get_modified_conffiles() function in backends/packaging-apt-dpkg.py allowed injecting modified package names in a manner that would confuse the dpkg(1) call. Se ha detectado que la función get_modified_conffiles() en el archivo backends/packaging-apt-dpkg.py permitía inyectar nombres de paquetes modificados de forma que se confundía la llamada a dpkg(1) • https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1917904 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 8.8EPSS: 0%CPEs: 4EXPL: 1CVE-2021-25683 – apport improperly parses /proc/pid/stat
https://notcve.org/view.php?id=CVE-2021-25683
It was discovered that the get_starttime() function in data/apport did not properly parse the /proc/pid/stat file from the kernel. Se descubrió que la función get_starttime() en data/apport no analizaba correctamente el archivo /proc/pid/stat del kernel • https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1912326 • CWE-20: Improper Input Validation •
CVSS: 8.8EPSS: 0%CPEs: 4EXPL: 1CVE-2021-25682 – apport improperly parses /proc/pid/status
https://notcve.org/view.php?id=CVE-2021-25682
It was discovered that the get_pid_info() function in data/apport did not properly parse the /proc/pid/status file from the kernel. Se descubrió que la función get_pid_info() en data/apport no analizaba correctamente el archivo /proc/pid/status del kernel • https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1912326 • CWE-20: Improper Input Validation CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •