PYSEC-2020-109

See a problem?

Import Source

https://github.com/pypa/advisory-database/blob/main/vulns/snapcraft/PYSEC-2020-109.yaml

JSON Data

https://api.test.osv.dev/v1/vulns/PYSEC-2020-109

Aliases

CVE-2020-27348
GHSA-qxm5-vx5j-pp6w

Published

2020-12-04T03:15:00Z

Modified

2024-04-22T23:12:35.992016Z

Summary

[none]

Details

In some conditions, a snap package built by snapcraft includes the current directory in LDLIBRARYPATH, allowing a malicious snap to gain code execution within the context of another snap if both plug the home interface or similar. This issue affects snapcraft versions prior to 4.4.4, prior to 2.43.1+16.04.1, and prior to 2.43.1+18.04.1.

References

https://usn.ubuntu.com/usn/usn-4661-1
https://github.com/snapcore/snapcraft/pull/3345
https://bugs.launchpad.net/bugs/1901572

Affected packages

PyPI / snapcraft

Package

Name: snapcraft; View open source insights on deps.dev
Purl: pkg:pypi/snapcraft

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.43.1

Affected versions

2.*

2.33

2.39

2.40.1

2.41

2.42

2.43