CVE-2021-3710 Apport info disclosure via path traversal bug in read_file

2021-10-0102:35:22

CWE-24

canonical

www.cve.org

information disclosure

path traversal

apport 2.14.1

apport 2.20.1

apport 2.20.9

apport 2.20.11

CVSS3

6.5

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

AI Score

5.8

Confidence

High

EPSS

0.001

Percentile

27.8%

JSON

An information disclosure via path traversal was discovered in apport/hookutils.py function read_file(). This issue affects: apport 2.14.1 versions prior to 2.14.1-0ubuntu3.29+esm8; 2.20.1 versions prior to 2.20.1-0ubuntu2.30+esm2; 2.20.9 versions prior to 2.20.9-0ubuntu7.26; 2.20.11 versions prior to 2.20.11-0ubuntu27.20; 2.20.11 versions prior to 2.20.11-0ubuntu65.3;

CNA Affected

[
  {
    "product": "apport",
    "vendor": "Canonical",
    "versions": [
      {
        "lessThan": "2.14.1-0ubuntu3.29+esm8",
        "status": "affected",
        "version": "2.14.1",
        "versionType": "custom"
      },
      {
        "lessThan": "2.20.1-0ubuntu2.30+esm2",
        "status": "affected",
        "version": "2.20.1",
        "versionType": "custom"
      },
      {
        "lessThan": "2.20.9-0ubuntu7.26",
        "status": "affected",
        "version": "2.20.9",
        "versionType": "custom"
      },
      {
        "changes": [
          {
            "at": "2.20.11-0ubuntu65.3",
            "status": "unaffected"
          }
        ],
        "lessThan": "2.20.11-0ubuntu27.20",
        "status": "affected",
        "version": "2.20.11",
        "versionType": "custom"
      }
    ]
  }
]