CVE-2020-27348

Summary

In some conditions, a snap package built by snapcraft includes the current directory in LD_LIBRARY_PATH, allowing a malicious snap to gain code execution within the context of another snap if both plug the home interface or similar. This issue affects snapcraft versions prior to 4.4.4, prior to 2.43.1+16.04.1, and prior to 2.43.1+18.04.1.

Affected Software

VendorProductVersion RangeStatus
Canonicalsnapcraft4.4 < 4.4.4affected
Canonicalsnapcraft2.43.1 < 2.43.1+16.04.1affected

Weaknesses

  • CWE-427: CWE-427 Uncontrolled Search Path Element

ADP Enrichment

CVE Program Container

Additional References

References