Description
It was discovered that read_file() in apport/hookutils.py would follow symbolic links or open FIFOs. When this function is used by the openjdk-17 package apport hooks, it could expose private data to other local users.
CVSS breakdown
CVSS 3.1
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
Low
Affected products
- Canonical / apport2.20.1 – 2.20.1-0ubuntu2.30+esm1
- Canonical / apport2.20.9 – 2.20.9-0ubuntu7.24
- Canonical / apport2.20.11-0ubuntu27 – 2.20.11-0ubuntu27.18
- Canonical / apport2.20.11-0ubuntu50 – 2.20.11-0ubuntu50.7
- Canonical / apport2.20.11-0ubuntu65 – 2.20.11-0ubuntu65.1
- Canonical / apport2.14.1-0ubuntu3 – 2.14.1-0ubuntu3.29+esm7