Impact: Important

Public Date: 2019-02-11

CWE: CWE-672

Bugzilla: 1675070: CVE-2019-8308 flatpak: potential /proc based sandbox escape

The MITRE CVE dictionary describes this issue as:

Flatpak before 1.0.7, and 1.1.x and 1.2.x before 1.2.3, exposes /proc in the apply_extra script sandbox, which allows attackers to modify a host-side executable file.

Find out more about CVE-2019-8308 from the MITRE CVE dictionary and NIST NVD.

This flaw appears to impact systems in special cases involving installing flatpak applications and runtimes system-wide. Installation of flatpak applications and runtimes locally should not be impacted.
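
The affected ranges in the description are easy to misread as "anything below 1.2.3", which would wrongly flag 1.0.7 and later 1.0.x releases. The following check is an added example, not part of the advisory or of Flatpak itself; the function names are hypothetical and it reads the description as "before 1.0.7, every 1.1.x, and 1.2.0 to 1.2.2".

```shell
#!/bin/sh
# Added example (not from the advisory). Classifies an upstream Flatpak version
# against the ranges in the CVE-2019-8308 description.

# ver_to_int X.Y.Z -> integer usable in numeric comparisons. awk reads decimal,
# so a component such as "08" is not misparsed as octal.
# Assumption: each component is below 1000.
ver_to_int() {
    printf '%s\n' "$1" | awk -F. '{ print $1 * 1000000 + $2 * 1000 + $3 }'
}

# flatpak_status VERSION -> prints "affected", "fixed" or "unknown".
# Accepts a bare version or the "Flatpak X.Y.Z" line from `flatpak --version`.
flatpak_status() {
    v=${1#Flatpak }
    printf '%s\n' "$v" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+$' || { echo unknown; return 0; }
    n=$(ver_to_int "$v")
    if   [ "$n" -lt "$(ver_to_int 1.0.7)" ]; then echo affected   # before 1.0.7
    elif [ "$n" -lt "$(ver_to_int 1.1.0)" ]; then echo fixed      # 1.0.7 and later 1.0.x
    elif [ "$n" -lt "$(ver_to_int 1.2.3)" ]; then echo affected   # every 1.1.x, 1.2.0 to 1.2.2
    else echo fixed                                               # 1.2.3 and later
    fi
}

# Constructed sample versions, chosen to hit each boundary.
for sample in 0.10.3 1.0.6 1.0.7 1.1.3 1.2.2 1.2.3 "Flatpak 1.2.0"; do
    printf '%-16s %s\n' "$sample" "$(flatpak_status "$sample")"
done
```

Distribution packages may carry a backported fix without changing the upstream version number, so on a packaged install confirm the result against the vendor's package release rather than relying on this check alone.
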
NOTE: The following CVSS v3 metrics and score provided are preliminary and subject to review.

CVSS3 Base Score | 7.7 |
---|---|
CVSS3 Base Metrics | CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H |
Attack Vector | Local |
Attack Complexity | High |
Privileges Required | None |
User Interaction | Required |
Scope | Changed |
Confidentiality | High |
Integrity Impact | High |
Availability Impact | High |

Platform | Package | State |
---|---|---|
Red Hat Enterprise Linux 7 | flatpak | Affected |