It was discovered that process_crash() in data/apport in Canonical's Apport crash reporting tool may create crash files with incorrect group ownership, possibly exposing crash information beyond expected or intended groups.
CVSS Vector
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XCanonical Apport
APPCanonical2.20.1-0ubuntu1 β 2.20.1-0ubuntu2.30 (bez)2.20.9-0ubuntu7 β 2.20.9-0ubuntu7.29 (bez)2.20.11-0ubuntu27 β 2.20.11-0ubuntu27.28 (bez)2.20.11-0ubuntu82 β 2.20.11-0ubuntu82.7 (bez)2.28.1-0ubuntu1 β 2.28.1-0ubuntu3.6 (bez)2.32.0-0ubuntu1 β 2.32.0-0ubuntu5.1 (bez)
π΅
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
Related vulnerabilities
CVE-2022-28653HIGH7.5ten sam produkt
Users can consume unlimited disk space in /var/crash
CVE-2022-1242HIGH7.8ten sam produkt
Apport can be tricked into connecting to arbitrary sockets as the root user
CVE-2021-3899HIGH7.8ten sam produkt
There is a race condition in the 'replaced executable' detection that, with the correct local configuration, a...
CVE-2023-1326HIGH7.7ten sam produkt
A privilege escalation attack was found in apport-cli 2.26.0 and earlier which is similar to CVE-2023-26604. I...
CVE-2021-25683HIGH8.8ten sam produkt
It was discovered that the get_starttime() function in data/apport did not properly parse the /proc/pid/stat f...