CVE-2020-11933

HIGH

snapd < 2.45.2 - Unauthenticated Arbitrary System Modification via Cloud-Init User-Data

Title source: llm

Description

cloud-init as managed by snapd on Ubuntu Core 16 and Ubuntu Core 18 devices was run without restrictions on every boot, which a physical attacker could exploit by crafting cloud-init user-data/meta-data via external media to perform arbitrary changes on the device to bypass intended security mechanisms such as full disk encryption. This issue did not affect traditional Ubuntu systems. Fixed in snapd version 2.45.2, revision 8539 and core version 2.45.2, revision 9659.

References (2)

Core 2

Core References

Third Party Advisory x_refsource_confirm

https://launchpad.net/bugs/1879530

Vendor Advisory x_refsource_confirm

https://ubuntu.com/USN-4424-1

Scores

CVSS v3 7.3

EPSS 0.0003

EPSS Percentile 7.7%

Attack Vector PHYSICAL

CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

Details

CWE

CWE-264

Status published

Products (5)

canonical/snapd < 2.45.2

canonical/ubuntu_linux 16.04

canonical/ubuntu_linux 18.04

canonical/ubuntu_linux 19.10

canonical/ubuntu_linux 20.04

Published Jul 29, 2020

Tracked Since Feb 18, 2026