LXD before 2.0.2 does not properly set permissions when switching an unprivileged container into privileged mode, which allows local users to access arbitrary world readable paths in the container. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.
LXD before 2.0.2 uses world-readable permissions for /var/lib/lxd/zfs.img when setting up a loop based ZFS pool, which allows local users to copy and read data from arbitrary containers via. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.