CVE-2023-1523
moderate-risk
Published 2023-09-01
Using the TIOCLINUX ioctl request, a malicious snap could inject contents into the input of the controlling terminal which could allow it to cause arbitrary commands to be executed outside of the snap sandbox after the snap exits. Graphical terminal emulators like xterm, gnome-terminal and others are not affected - this can only be exploited when snaps are run on a virtual console.
Do I need to act?
-
0.12% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
+
Fix available
Upgrade to: 8a7cdf2bb7d0874b8d6383c35d0971f7e498bbe4
10
CVSS 10.0/10
Critical
NETWORK
/ LOW complexity
Affected Products (7)
Affected Vendors
References (8)
Third Party Advisory
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1523
Issue Tracking
https://github.com/snapcore/snapd/pull/12849
Third Party Advisory
https://ubuntu.com/security/notices/USN-6125-1
Third Party Advisory
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1523
Issue Tracking
https://github.com/snapcore/snapd/pull/12849
Third Party Advisory
https://ubuntu.com/security/notices/USN-6125-1
48
/ 100
moderate-risk
Severity
33/34 · Critical
Exploitability
1/34 · Minimal
Exposure
14/34 · Moderate