CVE-2020-27352 - Vulnerability Details - OpenCVE

When generating the systemd service units for the docker snap (and other similar snaps), snapd does not specify Delegate=yes - as a result systemd will move processes from the containers created and managed by these snaps into the cgroup of the main daemon within the snap itself when reloading system units. This may grant additional privileges to a container within the snap that were not originally intended.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Canonical	Snapd Ubuntu Linux

Configuration 1 [-]

cpe:2.3:a:canonical:snapd:*:*:*:*:*:*:*:*

Configuration 2 [-]

OR	cpe:2.3:o:canonical:ubuntu_linux:16.04::::lts:::
	cpe:2.3:o:canonical:ubuntu_linux:18.04::::lts:::
	cpe:2.3:o:canonical:ubuntu_linux:20.04::::lts:::
	cpe:2.3:o:canonical:ubuntu_linux:20.10:::::::*

No data.

References

Link	Providers
https://bugs.launchpad.net/snapd/+bug/1910456
https://ubuntu.com/security/notices/USN-4728-1
https://www.cve.org/CVERecord?id=CVE-2020-27352

History

Tue, 26 Aug 2025 17:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Canonical Canonical snapd Canonical ubuntu Linux
CPEs		cpe:2.3:a:canonical:snapd:::::::: cpe:2.3:o:canonical:ubuntu_linux:16.04::::lts::: cpe:2.3:o:canonical:ubuntu_linux:18.04::::lts::: cpe:2.3:o:canonical:ubuntu_linux:20.04::::lts::: cpe:2.3:o:canonical:ubuntu_linux:20.10:::::::*
Vendors & Products		Canonical Canonical snapd Canonical ubuntu Linux

MITRE

Status: PUBLISHED

Assigner: canonical

Published: 2024-06-21T20:06:37.992Z

Updated: 2024-08-04T16:11:36.612Z

Reserved: 2020-10-20T00:00:00.000Z

Link: CVE-2020-27352

Vulnrichment

Updated: 2024-08-04T16:11:36.612Z

NVD

Status : Analyzed

Published: 2024-06-21T20:15:10.630

Modified: 2025-08-26T17:20:35.680

Link: CVE-2020-27352

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2020-27352", "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "state": "PUBLISHED", "assignerShortName": "canonical", "dateReserved": "2020-10-20T00:00:00.000Z", "datePublished": "2024-06-21T20:06:37.992Z", "dateUpdated": "2024-08-04T16:11:36.612Z"}, "containers": {"cna": {"affected": [{"packageName": "snapd", "product": "snapd", "vendor": "Canonical Ltd.", "repo": "https://github.com/snapcore/snapd", "platforms": ["Linux"], "versions": [{"lessThan": "2.48.3", "status": "affected", "version": "0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "value": "When generating the systemd service units for the docker snap (and other similar snaps), snapd does not specify Delegate=yes - as a result systemd will move processes from the containers created and managed by these snaps into the cgroup of the main daemon within the snap itself when reloading system units. This may grant additional privileges to a container within the snap that were not originally intended."}], "references": [{"tags": ["issue-tracking"], "url": "https://bugs.launchpad.net/snapd/+bug/1910456"}, {"tags": ["vendor-advisory"], "url": "https://ubuntu.com/security/notices/USN-4728-1"}, {"tags": ["issue-tracking"], "url": "https://www.cve.org/CVERecord?id=CVE-2020-27352"}], "credits": [{"lang": "en", "type": "finder", "value": "Gilad Reti"}, {"lang": "en", "type": "finder", "value": "Nimrod Stoler"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "baseScore": 9.3, "baseSeverity": "CRITICAL"}}], "providerMetadata": {"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "shortName": "canonical", "dateUpdated": "2024-06-21T20:06:37.992Z"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-269", "lang": "en", "description": "CWE-269 Improper Privilege Management"}]}], "affected": [{"vendor": "canonical", "product": "snapd", "cpes": ["cpe:2.3:a:canonical:snapd:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "2.48.3", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-07-05T13:14:07.392127Z", "id": "CVE-2020-27352", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-09T20:56:52.326Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T16:11:36.612Z"}, "title": "CVE Program Container", "references": [{"tags": ["issue-tracking", "x_transferred"], "url": "https://bugs.launchpad.net/snapd/+bug/1910456"}, {"tags": ["vendor-advisory", "x_transferred"], "url": "https://ubuntu.com/security/notices/USN-4728-1"}, {"tags": ["issue-tracking", "x_transferred"], "url": "https://www.cve.org/CVERecord?id=CVE-2020-27352"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://bugs.launchpad.net/snapd/+bug/1910456", "tags": ["issue-tracking", "x_transferred"]}, {"url": "https://ubuntu.com/security/notices/USN-4728-1", "tags": ["vendor-advisory", "x_transferred"]}, {"url": "https://www.cve.org/CVERecord?id=CVE-2020-27352", "tags": ["issue-tracking", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T16:11:36.612Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2020-27352", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-07-05T13:14:07.392127Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:canonical:snapd:*:*:*:*:*:*:*:*"], "vendor": "canonical", "product": "snapd", "versions": [{"status": "affected", "version": "0", "lessThan": "2.48.3", "versionType": "custom"}], "defaultStatus": "unknown"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-269", "description": "CWE-269 Improper Privilege Management"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-05T17:44:54.720Z"}}], "cna": {"credits": [{"lang": "en", "type": "finder", "value": "Gilad Reti"}, {"lang": "en", "type": "finder", "value": "Nimrod Stoler"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.3, "attackVector": "LOCAL", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"repo": "https://github.com/snapcore/snapd", "vendor": "Canonical Ltd.", "product": "snapd", "versions": [{"status": "affected", "version": "0", "lessThan": "2.48.3", "versionType": "semver"}], "platforms": ["Linux"], "packageName": "snapd"}], "references": [{"url": "https://bugs.launchpad.net/snapd/+bug/1910456", "tags": ["issue-tracking"]}, {"url": "https://ubuntu.com/security/notices/USN-4728-1", "tags": ["vendor-advisory"]}, {"url": "https://www.cve.org/CVERecord?id=CVE-2020-27352", "tags": ["issue-tracking"]}], "descriptions": [{"lang": "en", "value": "When generating the systemd service units for the docker snap (and other similar snaps), snapd does not specify Delegate=yes - as a result systemd will move processes from the containers created and managed by these snaps into the cgroup of the main daemon within the snap itself when reloading system units. This may grant additional privileges to a container within the snap that were not originally intended."}], "providerMetadata": {"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "shortName": "canonical", "dateUpdated": "2024-06-21T20:06:37.992Z"}}}, "cveMetadata": {"cveId": "CVE-2020-27352", "state": "PUBLISHED", "dateUpdated": "2024-08-04T16:11:36.612Z", "dateReserved": "2020-10-20T00:00:00.000Z", "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "datePublished": "2024-06-21T20:06:37.992Z", "assignerShortName": "canonical"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:canonical:snapd:*:*:*:*:*:*:*:*", "matchCriteriaId": "BC75BCAC-E8EB-4E75-AFAE-A66E88CF2590", "versionEndExcluding": "2.48.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*", "matchCriteriaId": "F7016A2A-8365-4F1A-89A2-7A19F2BCAE5B", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*", "matchCriteriaId": "23A7C53F-B80F-4E6A-AFA9-58EEA84BE11D", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:*", "matchCriteriaId": "902B8056-9E37-443B-8905-8AA93E2447FB", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:20.10:*:*:*:*:*:*:*", "matchCriteriaId": "338B3AAC-C147-4A31-95E7-6E8A6FB4B3FC", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "When generating the systemd service units for the docker snap (and other similar snaps), snapd does not specify Delegate=yes - as a result systemd will move processes from the containers created and managed by these snaps into the cgroup of the main daemon within the snap itself when reloading system units. This may grant additional privileges to a container within the snap that were not originally intended."}, {"lang": "es", "value": "Al generar las unidades de servicio systemd para el complemento de Docker (y otros complementos similares), snapd no especifica Delegate=yes; como resultado, systemd mover\u00e1 los procesos de los contenedores creados y administrados por estos complementos al grupo c del daemon principal dentro del se rompe al recargar las unidades del sistema. Esto puede otorgar privilegios adicionales a un contenedor dentro del complemento que no estaban previstos originalmente."}], "id": "CVE-2020-27352", "lastModified": "2025-08-26T17:20:35.680", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.5, "impactScore": 6.0, "source": "security@ubuntu.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.0, "impactScore": 6.0, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-06-21T20:15:10.630", "references": [{"source": "security@ubuntu.com", "tags": ["Exploit", "Issue Tracking"], "url": "https://bugs.launchpad.net/snapd/+bug/1910456"}, {"source": "security@ubuntu.com", "tags": ["Vendor Advisory"], "url": "https://ubuntu.com/security/notices/USN-4728-1"}, {"source": "security@ubuntu.com", "tags": ["Third Party Advisory"], "url": "https://www.cve.org/CVERecord?id=CVE-2020-27352"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Issue Tracking"], "url": "https://bugs.launchpad.net/snapd/+bug/1910456"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://ubuntu.com/security/notices/USN-4728-1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.cve.org/CVERecord?id=CVE-2020-27352"}], "sourceIdentifier": "security@ubuntu.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-269"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}