CVE-2020-11934 – It was discovered that snapctl user-open allowed altering the $XDG_DATA_DIRS environment v …

29 July 2020

Vuln ID: CVE-2020-11934

Published: 2020-07-29 17:15:12Z

Description: It was discovered that snapctl user-open allowed altering the $XDG_DATA_DIRS environment variable when calling the system xdg-open. OpenURL() in usersession/userd/launcher.go would alter $XDG_DATA_DIRS to append a path to a directory controlled by the calling snap. A malicious snap could exploit this to bypass intended access restrictions to control how the host system xdg-open script opens the URL and, for example, execute a script shipped with the snap without confinement. This issue did not affect Ubuntu Core systems. Fixed in snapd versions 2.45.1ubuntu0.2, 2.45.1+18.04.2 and 2.45.1+20.04.2.

Source: NVD.NIST.GOV

Date:

29 July 2020

Categorie(s):

NVD

Tag(s):

NVD

No more 12345: devices with weak passwords to be banned in UK28 April 2024
20 Best Linux Password Managers in 202428 April 2024
Reliable Web App Pattern: Now Optimizes Azure Migration with Enhanced Infrastructure and Security28 April 2024
Okta Warns of Unprecedented Surge in Proxy-Driven Credential Stuffing Attacks28 April 2024
Good Security Is About Iteration, Not Perfection.28 April 2024