CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1CVE-2019-11503
https://notcve.org/view.php?id=CVE-2019-11503
snap-confine as included in snapd before 2.39 did not guard against symlink races when performing the chdir() to the current working directory of the calling user, aka a "cwd restore permission bypass." snap-confine, como se incluía en snap antes de la versión 2.39, no protegía contra condiciones de carrera en enlaces simbólicos al realizar el chdir() al directorio de trabajo actual del usuario que realiza la llamada, también conocido como "cwd restore permission bypass". • http://www.openwall.com/lists/oss-security/2019/04/25/7 https://github.com/snapcore/snapd/pull/6642 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6VACEKVQ7UAZ32WO4ZKCFW6YOBSYJ76L https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VPU6APEZHAA7N2AI57OT4J2P7NKHFOLM https://www.openwall.com/lists/oss-security/2019/04/18/4 • CWE-59: Improper Link Resolution Before File Access ('Link Following') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1CVE-2019-11502
https://notcve.org/view.php?id=CVE-2019-11502
snap-confine in snapd before 2.38 incorrectly set the ownership of a snap application to the uid and gid of the first calling user. Consequently, that user had unintended access to a private /tmp directory. snap-confine, en snap antes de la versión 2.38, establece incorrectamente la propiedad de una aplicación snap al uid y gid del usuario que realiza la primera llamada. Consecuentemente, ese usuario tiene un acceso no intencionado a un directorio /tmp privado. • http://www.openwall.com/lists/oss-security/2019/04/25/7 https://github.com/snapcore/snapd/commit/bdbfeebef03245176ae0dc323392bb0522a339b1 https://www.openwall.com/lists/oss-security/2019/04/18/4 • CWE-59: Improper Link Resolution Before File Access ('Link Following') •
CVSS: 7.5EPSS: 2%CPEs: 5EXPL: 1CVE-2019-7303 – Snapd seccomp filter TIOCSTI ioctl bypass
https://notcve.org/view.php?id=CVE-2019-7303
A vulnerability in the seccomp filters of Canonical snapd before version 2.37.4 allows a strict mode snap to insert characters into a terminal on a 64-bit host. The seccomp rules were generated to match 64-bit ioctl(2) commands on a 64-bit platform; however, the Linux kernel only uses the lower 32 bits to determine which ioctl(2) commands to run. This issue affects: Canonical snapd versions prior to 2.37.4. Una vulnerabilidad en los filtros seccomp de Canonical snapd anterior a la versión 2.37.4 permite un ajuste de modo estricto para introducir caracteres en un terminal en un host de 64 bits. Las reglas de seccomp se generaron para que coincidieran con los comandos ioctl (2) de 64 bits en una plataforma de 64 bits; sin embargo, el kernel de Linux solo utiliza los bits inferiores 32 para determinar qué comandos ioctl (2) ejecutar. • https://www.exploit-db.com/exploits/46594 https://usn.ubuntu.com/3917-1 • CWE-628: Function Call with Incorrectly Specified Arguments •
CVSS: 10.0EPSS: 10%CPEs: 5EXPL: 2CVE-2019-7304 – Local privilege escalation via snapd socket
https://notcve.org/view.php?id=CVE-2019-7304
Canonical snapd before version 2.37.1 incorrectly performed socket owner validation, allowing an attacker to run arbitrary commands as root. This issue affects: Canonical snapd versions prior to 2.37.1. El Canonical snapd hasta la versión 2.37.1 realizó incorrectamente la validación del propietario del socket, permitiendo a un atacante ejecutar comandos arbitrarios como root. Este problema afecta a: Canonical snapd versiones anteriores a 2.37.1. • https://www.exploit-db.com/exploits/46361 https://www.exploit-db.com/exploits/46362 https://usn.ubuntu.com/3887-1 • CWE-863: Incorrect Authorization •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2017-14178
https://notcve.org/view.php?id=CVE-2017-14178
In snapd 2.27 through 2.29.2 the 'snap logs' command could be made to call journalctl without match arguments and therefore allow unprivileged, unauthenticated users to bypass systemd-journald's access restrictions. En snapd 2.27 hasta la versión 2.29.2, el comando "snap logs" podría llamar a journalctl sin argumentos match y, por lo tanto, permitir que usuarios no autenticados y sin privilegios omitan las restricciones de acceso a systemd-journald. • https://github.com/snapcore/snapd/pull/4194 https://launchpad.net/bugs/1730255 https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-14178.html • CWE-755: Improper Handling of Exceptional Conditions •