CVE-2016-1587 HIGH

Vendor: Ubuntu
Product: snapweb
Published: April 22, 2019
Last update: September 16, 2024

CVSS base score

7.1/10
Attack vector: Adjacent
Attack complexity: Low
Privileges required: None
User interaction: None
Confidentiality: Low
Integrity: Low

CVSS vector

CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L

What the vulnerability does

01 Description

The Snapweb interface before version 0.21.2 exposed controls to install or remove snap packages without checking the identity of the user or the origin of the connection. An attacker could have used these controls to remotely add a valid but malicious snap package from the Store, potentially using system resources without permission from the legitimate administrator of the system.

Key dates

02 Disclosure timeline

April 22, 2019: CVE published
September 16, 2024: Record updated