Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
snapd will follow archived symlinks when unpacking a filesystem
Vulnerability Description
In snapd versions prior to 2.62, snapd failed to properly check the destination of symbolic links when extracting a snap. The snap format is a squashfs file-system image and so can contain symbolic links and other file types. Various file entries within the snap squashfs image (such as icons and desktop files etc) are directly read by snapd when it is extracted. An attacker who could convince a user to install a malicious snap which contained symbolic links at these paths could then cause snapd to write out the contents of the symbolic link destination into a world-readable directory. This in-turn could allow an unprivileged user to gain access to privileged information.
CVSS Information
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L
Vulnerability Type
资源在另一范围的外部可控制索引
Vulnerability Title
snapd 安全漏洞
Vulnerability Description
snapd是snapcore开源的一个跨平台的包管理工具。使系统能够使用.snap文件。 snapd 2.62之前版本存在安全漏洞,该漏洞源于未能正确检查符号链接的目标,可能允许非特权用户访问特权信息。
CVSS Information
N/A
Vulnerability Type
N/A