CVE-2021-4120

snapd 2.54.2 fails to perform sufficient validation of snap content interface and layout paths, resulting in the ability for snaps to inject arbitrary AppArmor policy rules via malformed content interface and layout declarations and hence escape strict snap confinement. Fixed in snapd versions 2.54.3+18.04, 2.54.3+20.04 and 2.54.3+21.10.1

Published: Feb 18, 2022
Updated: Apr 14, 2023
CVE: CVE-2021-4120
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.8
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS v2:

Severity: Low
Score: 4.6
AV:L/AC:L/Au:N/C:P/I:P/A:P

CWEs:

CWE-20

Affected Software
References

Software	From	Fixed in
canonical / snapd	-	2.54.2.x
canonical / ubuntu_linux	18.04	18.04.x
canonical / ubuntu_linux	20.04	20.04.x
canonical / ubuntu_linux	21.10	21.10.x
fedoraproject / fedora	34	34.x
fedoraproject / fedora	35	35.x

http://www.openwall.com/lists/oss-security/2022/02/18/2
https://bugs.launchpad.net/snapd/+bug/1949368
https://lists.fedoraproject.org/archives/list/[email protected]/message/3QTBN7LLZISXIA4KU4UKDR27Q5PXDS2U/
https://lists.fedoraproject.org/archives/list/[email protected]/message/XCGHG6LJAVJJ72TMART6A7N4Z6MSTGI7/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3QTBN7LLZISXIA4KU4UKDR27Q5PXDS2U/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XCGHG6LJAVJJ72TMART6A7N4Z6MSTGI7/
https://ubuntu.com/security/notices/USN-5292-1

Vulnerability Database

289,599

CVE-2021-4120