Lucene search

CanonicalCVE-2020-16123

HistoryDec 04, 2020 - 12:15 a.m.

CVE-2020-16123

2020-12-0400:15:11

CWE-362

canonical

web.nvd.nist.gov

154

cve-2020-16123

ubuntu

pulseaudio

patch

race condition

snap

confinement

vulnerability

security fix

CVSS2

2.1

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:L/AC:L/Au:N/C:P/I:N/A:N

CVSS3

4.7

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

AI Score

4.5

Confidence

High

EPSS

0.001

Percentile

18.0%

JSON

An Ubuntu-specific patch in PulseAudio created a race condition where the snap policy module would fail to identify a client connection from a snap as coming from a snap if SCM_CREDENTIALS were missing, allowing the snap to connect to PulseAudio without proper confinement. This could be exploited by an attacker to expose sensitive information. Fixed in 1:13.99.3-1ubuntu2, 1:13.99.2-1ubuntu2.1, 1:13.99.1-1ubuntu3.8, 1:11.1-1ubuntu7.11, and 1:8.0-0ubuntu3.15.

Affected configurations

Nvd

Node

canonicalubuntu_linuxMatch16.04lts

canonicalubuntu_linuxMatch18.04lts

canonicalubuntu_linuxMatch20.04lts

canonicalubuntu_linuxMatch20.10

VendorProductVersionCPE
canonicalubuntu_linux16.04cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
canonicalubuntu_linux18.04cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
canonicalubuntu_linux20.04cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:*
canonicalubuntu_linux20.10cpe:2.3:o:canonical:ubuntu_linux:20.10:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
canonical	ubuntu_linux	16.04	cpe:2.3:o:canonical:ubuntu_linux:16.04::::lts:::
canonical	ubuntu_linux	18.04	cpe:2.3:o:canonical:ubuntu_linux:18.04::::lts:::
canonical	ubuntu_linux	20.04	cpe:2.3:o:canonical:ubuntu_linux:20.04::::lts:::
canonical	ubuntu_linux	20.10	cpe:2.3:o:canonical:ubuntu_linux:20.10:::::::*

CNA Affected

[
  {
    "product": "pulseaudio",
    "vendor": "Canonical",
    "versions": [
      {
        "lessThan": "1:13.99.3-1ubuntu2",
        "status": "affected",
        "version": "1:13.99.3-1",
        "versionType": "custom"
      },
      {
        "lessThan": "1:13.99.2-1ubuntu2.1",
        "status": "affected",
        "version": "1:13.99.2-1",
        "versionType": "custom"
      },
      {
        "lessThan": "1:13.99.1-1ubuntu3.8",
        "status": "affected",
        "version": "1:13.99.1-1",
        "versionType": "custom"
      },
      {
        "lessThan": "1:11.1-1ubuntu7.11",
        "status": "affected",
        "version": "1:11.1-1",
        "versionType": "custom"
      },
      {
        "lessThan": "1:8.0-0ubuntu3.15",
        "status": "affected",
        "version": "1:8.0-0",
        "versionType": "custom"
      }
    ]
  }
]