Vulnerability CVE-2021-4120: Information

Description

snapd 2.54.2 fails to perform sufficient validation of snap content interface and layout paths, resulting in the ability for snaps to inject arbitrary AppArmor policy rules via malformed content interface and layout declarations and hence escape strict snap confinement. Fixed in snapd versions 2.54.3+18.04, 2.54.3+20.04 and 2.54.3+21.10.1

Severity: HIGH (7.8) Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

URL: https://nvd.nist.gov/vuln/detail/CVE-2021-4120

Published: Feb. 18, 2022

Modified: Nov. 7, 2023

Error type identifier: CWE-20

Fixed packages

Package name	Branch	Fixed in version	Version from repository	Errata ID	Task #	State
snapd	sisyphus	2.54.3-alt1	2.61.3-alt1.1	ALT-PU-2022-1345-1	295710	Fixed
snapd	p10	2.54.3-alt1	2.56-alt1	ALT-PU-2022-1765-1	299035	Fixed
snapd	c10f1	2.54.3-alt1	2.56-alt1	ALT-PU-2022-1765-1	299035	Fixed

References to Advisories, Solutions, and Tools

Hyperlink	Resource
https://ubuntu.com/security/notices/USN-5292-1	Patch Vendor Advisory
FEDORA-2022-5df8b52ba4
FEDORA-2022-82bea71e5a
[oss-security] 20220218 CVE-2021-4120: Insufficient validation of snap content interface and layout paths	Exploit Mailing List Third Party Advisory
https://bugs.launchpad.net/snapd/+bug/1949368	Exploit Issue Tracking Third Party Advisory

Affected configurations:
1. Configuration 1
  cpe:2.3:a:canonical:snapd:*:*:*:*:*:*:*:*
  End including
  2.54.2
  
  Configuration 2
  cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
  cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:*
  cpe:2.3:o:canonical:ubuntu_linux:21.10:*:*:*:*:*:*:*
  
  Configuration 3
  cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*
  cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*

Version: v24.5.0

Vulnerability CVE-2021-4120: Information

Description

Fixed packages

References to Advisories, Solutions, and Tools

Configuration 1

Configuration 2

Configuration 3