Sandbox Escape Vulnerability in Flatpak by Developing Community
CVE-2018-6560

8.8HIGH

Key Information:

Vendor

Flatpak

Status
Flatpak
Vendor
CVE Published:
2 February 2018

What is CVE-2018-6560?

A vulnerability exists in the D-Bus message handling of Flatpak prior to version 0.8.9 and versions 0.9.x and 0.10.x before 0.10.3. This flaw allows crafted D-Bus messages directed at the host to escape the intended sandbox environment due to inconsistent handling of whitespace between the proxy and the daemon. This can potentially lead to unauthorized access or execution of unintended commands.

References

https://github.com/flatpak/flatpak/commit/52346bf187b5a7f...
x_refsource_CONFIRM
https://access.redhat.com/errata/RHSA-2018:2766
vendor-advisoryx_refsource_REDHAT
https://github.com/flatpak/flatpak/releases/tag/0.10.3
x_refsource_CONFIRM

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.