Security Flaw in Flatpak Versions Prior to 1.0.7 and 1.2.3 Exposes Host Files
CVE-2019-8308

8.2HIGH

Key Information:

Vendor

Flatpak

Status
Flatpak
Vendor
CVE Published:
12 February 2019

What is CVE-2019-8308?

A vulnerability in Flatpak allows the /proc filesystem to be exposed within the apply_extra script sandbox. This exposure may enable attackers to alter a host-side executable file, potentially leading to unauthorized modifications and execution of malicious code. This affects users running versions of Flatpak before 1.0.7, as well as the 1.1.x and 1.2.x series prior to 1.2.3.

References

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=922059
x_refsource_MISC
https://github.com/flatpak/flatpak/releases/tag/1.2.3
x_refsource_MISC
https://github.com/flatpak/flatpak/releases/tag/1.0.7
x_refsource_MISC

CVSS V3.1

Score:
8.2
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.