CVE-2020-27348 MEDIUM

CVE-2020-27348: snapcraft may build snaps with incorrect LD_LIBRARY_PATH

Vendor Canonical
Product snapcraft
Weakness CWE-427
Published December 4, 2020
Last update September 16, 2024

CVSS base score

6.8/10
Attack vector Local
Attack complexity Low
Privileges required Low
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L

What the vulnerability does

01Description

In some conditions, a snap package built by snapcraft includes the current directory in LD_LIBRARY_PATH, allowing a malicious snap to gain code execution within the context of another snap if both plug the home interface or similar. This issue affects snapcraft versions prior to 4.4.4, prior to 2.43.1+16.04.1, and prior to 2.43.1+18.04.1.

Key dates

02Disclosure timeline

December 4, 2020 CVE published
September 16, 2024 Record updated