QwikSec

Security Database

CVE

CWE

Training

CVE-2021-44730

Published: Feb 17, 2022

Modified: Aug 4, 2024

PUBLISHED

CVSS v3.1

7.8

HIGH

Description

snapd 2.54.2 did not properly validate the location of the snap-confine binary. A local attacker who can hardlink this binary to another location to cause snap-confine to execute other arbitrary binaries and hence gain privilege escalation. Fixed in snapd versions 2.54.3+18.04, 2.54.3+20.04 and 2.54.3+21.10.1

Vendor	Product	Versions
Canonical Ltd.	snapd	affected `unspecified - <= 2.54.2`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

Attack Vector

Local

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

References

https://ubuntu.com/security/notices/USN-5292-1

x_refsource_MISC

[oss-security] 20220218 CVE-2021-4120: Insufficient validation of snap content interface and layout paths

mailing-list

x_refsource_MLIST

FEDORA-2022-82bea71e5a

vendor-advisory

x_refsource_FEDORA

FEDORA-2022-5df8b52ba4

vendor-advisory

x_refsource_FEDORA

vendor-advisory

x_refsource_DEBIAN

[oss-security] 20220223 Re: CVE-2021-44731: Race condition in snap-confine's setup_private_mount()

mailing-list

x_refsource_MLIST

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.