CVE-2021-3155

Description

snapd 2.54.2 and earlier created ~/snap directories in user home directories without specifying owner-only permissions. This could allow a local attacker to read information that should have been private. Fixed in snapd versions 2.54.3+18.04, 2.54.3+20.04 and 2.54.3+21.10.1

CVSS breakdown

CVSS 3.1

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

Low

Integrity

None

Availability

None

Affected products

Canonical Ltd. / snapdunspecified – 2.54.2

References

VENDOR_ADVISORYhttps://ubuntu.com/security/notices/USN-5292-1
PATCHhttps://github.com/snapcore/snapd/commit/6bcaeeccd16ed8298a301dd92f6907f88c24cc85
PATCHhttps://github.com/snapcore/snapd/commit/7d2a966620002149891446a53cf114804808dcca