pepelyaevip/vuln-list-alt
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
43c7060749
vuln-list-alt/oval/p11/ALT-PU-2022-1345/definitions.json
pepelyaevip 9d72b75f75 ALT Vulnerability
2024-12-12 21:07:30 +00:00

173 lines
7.9 KiB
JSON
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

{
"Definition": [
{
"ID": "oval:org.altlinux.errata:def:20221345",
"Version": "oval:org.altlinux.errata:def:20221345",
"Class": "patch",
"Metadata": {
"Title": "ALT-PU-2022-1345: package `snapd` update to version 2.54.3-alt1",
"AffectedList": [
{
"Family": "unix",
"Platforms": [
"ALT Linux branch p11"
],
"Products": [
"ALT Container"
]
}
],
"References": [
{
"RefID": "ALT-PU-2022-1345",
"RefURL": "https://errata.altlinux.org/ALT-PU-2022-1345",
"Source": "ALTPU"
},
{
"RefID": "BDU:2022-01444",
"RefURL": "https://bdu.fstec.ru/vul/2022-01444",
"Source": "BDU"
},
{
"RefID": "BDU:2022-01445",
"RefURL": "https://bdu.fstec.ru/vul/2022-01445",
"Source": "BDU"
},
{
"RefID": "BDU:2022-01460",
"RefURL": "https://bdu.fstec.ru/vul/2022-01460",
"Source": "BDU"
},
{
"RefID": "CVE-2021-3155",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2021-3155",
"Source": "CVE"
},
{
"RefID": "CVE-2021-4120",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2021-4120",
"Source": "CVE"
},
{
"RefID": "CVE-2021-44730",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2021-44730",
"Source": "CVE"
},
{
"RefID": "CVE-2021-44731",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2021-44731",
"Source": "CVE"
}
],
"Description": "This update upgrades snapd to version 2.54.3-alt1. \nSecurity Fix(es):\n\n * BDU:2022-01444: Уязвимость утилиты для управления самодостаточными пакетами snapd, связанная с недостаточной проверкой вводимых данных, позволяющая нарушителю повысить свои привилегии в системе и выполнить произвольный код\n\n * BDU:2022-01445: Уязвимость утилиты для управления самодостаточными пакетами snapd, связанная с ошибками выполнения многопоточных задач, позволяющая нарушителю выполнить произвольный код с привилегиями root\n\n * BDU:2022-01460: Уязвимость утилиты для управления самодостаточными пакетами snapd, связанная с ошибками жестких ссылок, позволяющая нарушителю повысить свои привилегии\n\n * CVE-2021-3155: snapd 2.54.2 and earlier created ~/snap directories in user home directories without specifying owner-only permissions. This could allow a local attacker to read information that should have been private. Fixed in snapd versions 2.54.3+18.04, 2.54.3+20.04 and 2.54.3+21.10.1\n\n * CVE-2021-4120: snapd 2.54.2 fails to perform sufficient validation of snap content interface and layout paths, resulting in the ability for snaps to inject arbitrary AppArmor policy rules via malformed content interface and layout declarations and hence escape strict snap confinement. Fixed in snapd versions 2.54.3+18.04, 2.54.3+20.04 and 2.54.3+21.10.1\n\n * CVE-2021-44730: snapd 2.54.2 did not properly validate the location of the snap-confine binary. A local attacker who can hardlink this binary to another location to cause snap-confine to execute other arbitrary binaries and hence gain privilege escalation. Fixed in snapd versions 2.54.3+18.04, 2.54.3+20.04 and 2.54.3+21.10.1\n\n * CVE-2021-44731: A race condition existed in the snapd 2.54.2 snap-confine binary when preparing a private mount namespace for a snap. This could allow a local attacker to gain root privileges by bind-mounting their own contents inside the snap's private mount namespace and causing snap-confine to execute arbitrary code and hence gain privilege escalation. Fixed in snapd versions 2.54.3+18.04, 2.54.3+20.04 and 2.54.3+21.10.1",
"Advisory": {
"From": "errata.altlinux.org",
"Severity": "High",
"Rights": "Copyright 2024 BaseALT Ltd.",
"Issued": {
"Date": "2022-02-20"
},
"Updated": {
"Date": "2022-02-20"
},
"BDUs": [
{
"ID": "BDU:2022-01444",
"CVSS": "AV:L/AC:L/Au:S/C:C/I:C/A:C",
"CVSS3": "AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"CWE": "CWE-20",
"Href": "https://bdu.fstec.ru/vul/2022-01444",
"Impact": "High",
"Public": "20220221"
},
{
"ID": "BDU:2022-01445",
"CVSS": "AV:L/AC:L/Au:S/C:C/I:C/A:C",
"CVSS3": "AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"CWE": "CWE-362",
"Href": "https://bdu.fstec.ru/vul/2022-01445",
"Impact": "High",
"Public": "20220221"
},
{
"ID": "BDU:2022-01460",
"CVSS": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"CVSS3": "AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"CWE": "CWE-62",
"Href": "https://bdu.fstec.ru/vul/2022-01460",
"Impact": "High",
"Public": "20220221"
}
],
"CVEs": [
{
"ID": "CVE-2021-3155",
"CVSS": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"CVSS3": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"CWE": "CWE-276",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2021-3155",
"Impact": "Low",
"Public": "20220217"
},
{
"ID": "CVE-2021-4120",
"CVSS": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"CVSS3": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"CWE": "CWE-20",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2021-4120",
"Impact": "High",
"Public": "20220217"
},
{
"ID": "CVE-2021-44730",
"CVSS": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"CVSS3": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"CWE": "CWE-59",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2021-44730",
"Impact": "High",
"Public": "20220217"
},
{
"ID": "CVE-2021-44731",
"CVSS": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"CVSS3": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"CWE": "CWE-362",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2021-44731",
"Impact": "High",
"Public": "20220217"
}
],
"AffectedCPEs": {
"CPEs": [
"cpe:/o:alt:container:11"
]
}
}
},
"Criteria": {
"Operator": "AND",
"Criterions": [
{
"TestRef": "oval:org.altlinux.errata:tst:3001",
"Comment": "ALT Linux must be installed"
}
],
"Criterias": [
{
"Operator": "OR",
"Criterions": [
{
"TestRef": "oval:org.altlinux.errata:tst:20221345001",
"Comment": "snap-confine is earlier than 0:2.54.3-alt1"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20221345002",
"Comment": "snapd is earlier than 0:2.54.3-alt1"
}
]
}
]
}
}
]
}
Reference in New Issue View Git Blame Copy Permalink