{"id":"USN-4661-1","summary":"snapcraft vulnerability","details":"It was discovered that Snapcraft includes the current directory when\nconfiguring LD_LIBRARY_PATH for application commands. If a user were\ntricked into installing a malicious snap or downloading a malicious\nlibrary, under certain circumstances an attacker could exploit this to\naffect strict mode snaps that have access to the library and are\nlaunched from the directory containing the library.\n","modified":"2026-02-10T04:42:00Z","published":"2020-12-03T18:35:20Z","related":["UBUNTU-CVE-2020-27348"],"upstream":["CVE-2020-27348","UBUNTU-CVE-2020-27348"],"references":[{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-4661-1"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2020-27348"},{"type":"REPORT","url":"https://launchpad.net/bugs/1901572"}],"affected":[{"package":{"name":"snapcraft","ecosystem":"Ubuntu:16.04:LTS","purl":"pkg:deb/ubuntu/snapcraft@2.43.1+16.04.1?arch=source&distro=xenial"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.43.1+16.04.1"}]}],"versions":["0.3","0.4","0.5","0.6","1.0","2.0","2.0.1","2.1","2.1.1","2.2","2.2.1","2.2.2","2.3.1","2.3.2","2.4","2.5","2.6","2.6.1","2.7","2.8","2.8.1","2.8.2","2.8.3","2.8.4","2.8.8b","2.9","2.10.1","2.11","2.12","2.12.1","2.13.1","2.14","2.15.1","2.16","2.17","2.18.1","2.19","2.20","2.21","2.22.1","2.23","2.24","2.25","2.26","2.27","2.27.1","2.28","2.29","2.31","2.33","2.34","2.35","2.39.2","2.39.3","2.39.3+really2.35","2.40","2.41","2.42","2.42.1","2.43","2.43.1"],"ecosystem_specific":{"availability":"No subscription required","binaries":[{"binary_name":"snapcraft","binary_version":"2.43.1+16.04.1"},{"binary_name":"snapcraft-examples","binary_version":"2.43.1+16.04.1"},{"binary_name":"snapcraft-parser","binary_version":"2.43.1+16.04.1"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-4661-1.json","cves_map":{"cves":[{"severity":[{"score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L","type":"CVSS_V3"},{"score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2020-27348"}],"ecosystem":"Ubuntu:16.04:LTS"}}},{"package":{"name":"snapcraft","ecosystem":"Ubuntu:18.04:LTS","purl":"pkg:deb/ubuntu/snapcraft@2.43.1+18.04.1?arch=source&distro=bionic"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.43.1+18.04.1"}]}],"versions":["2.34+17.10","2.39.2+18.04.2","2.40+18.04.1","2.40+18.04.3","2.41+18.04.1","2.41+18.04.2","2.42+18.04.2","2.42.1+18.04","2.43+18.04","2.43.1+18.04"],"ecosystem_specific":{"availability":"No subscription required","binaries":[{"binary_name":"snapcraft","binary_version":"2.43.1+18.04.1"},{"binary_name":"snapcraft-examples","binary_version":"2.43.1+18.04.1"},{"binary_name":"snapcraft-parser","binary_version":"2.43.1+18.04.1"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-4661-1.json","cves_map":{"cves":[{"severity":[{"score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L","type":"CVSS_V3"},{"score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2020-27348"}],"ecosystem":"Ubuntu:18.04:LTS"}}}],"schema_version":"1.7.3"}