CVE-2019-11502

Source
https://cve.org/CVERecord?id=CVE-2019-11502
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-11502.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2019-11502
Downstream
Published
2019-04-24T21:29:00.727Z
Modified
2026-04-11T08:55:49.469078Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
[none]
Details

snap-confine in snapd before 2.38 incorrectly set the ownership of a snap application to the uid and gid of the first calling user. Consequently, that user had unintended access to a private /tmp directory.

References

Affected packages

Git / github.com/canonical/snapd

Affected ranges

Type
GIT
Repo
https://github.com/canonical/snapd
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Type
GIT
Repo
https://github.com/snapcore/snapd
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2.38"
        }
    ]
}

Affected versions

1.*
1.0-0ubuntu1
1.0.1-0ubuntu1
1.1-0ubuntu1
1.1.1-0ubuntu1
1.1.2-0ubuntu1
1.2-0ubuntu1
1.3ubuntu1
1.4ubuntu1
1.5ubuntu1
1.6ubuntu1
1.7.2+20160113ubuntu1
1.7.2+20160204ubuntu1
1.7.2+20160223ubuntu1
1.7.2ubuntu1
1.7.3+20160225ubuntu1
1.7.3+20160303ubuntu1
1.7.3+20160303ubuntu2
1.7.3+20160303ubuntu3
1.7.3+20160303ubuntu4
1.7.3+20160308ubuntu1
1.7.3+20160310ubuntu1
1.7ubuntu1
1.9
1.9.1
1.9.2
1.9.3
1.9.4
2.*
2.0
2.0.10
2.0.3
2.0.4
2.0.5
2.0.6
2.0.7
2.0.8
2.0.9
2.11
2.12
2.13
2.14
2.14.1
2.14.2.16.04
2.15
2.15.2
Other
ppa
untagged-ec50ee5bfb45daefc236

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-11502.json"
vanir_signatures
[
    {
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "80629870118532654990024381362330729372",
                "101371781945622285497748159635936577080",
                "322597601003821604597222624349776471939",
                "84821306985463495152566510281719110925",
                "205905254880683975809761695808606306858",
                "50781503155836797469799172791014584023",
                "120699212488770246540301032009732872720",
                "144277327580451828608853779171411054340",
                "34969756412605529433195565125938965937"
            ]
        },
        "id": "CVE-2019-11502-eb43d5a9",
        "deprecated": false,
        "signature_version": "v1",
        "signature_type": "Line",
        "source": "https://github.com/canonical/snapd/commit/bdbfeebef03245176ae0dc323392bb0522a339b1",
        "target": {
            "file": "cmd/snap-confine/mount-support.c"
        }
    },
    {
        "digest": {
            "length": 1096.0,
            "function_hash": "103528218796108804593946689608972279266"
        },
        "id": "CVE-2019-11502-feca1969",
        "deprecated": false,
        "signature_version": "v1",
        "signature_type": "Function",
        "source": "https://github.com/canonical/snapd/commit/bdbfeebef03245176ae0dc323392bb0522a339b1",
        "target": {
            "function": "setup_private_mount",
            "file": "cmd/snap-confine/mount-support.c"
        }
    }
]
vanir_signatures_modified
"2026-04-11T08:55:49Z"