CVE-2019-8308

CWE-668 — Exposure to Wrong Sphere CWE-6728 documents7 sources

Severity

8.2HIGH

EPSS

0.1%

top 80.08%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Flatpak Flatpak Debian Debian Linux Redhat Enterprise Linux Desktop +5 more

Timeline

PublishedFeb 12

Latest updateMay 13

Description

Flatpak before 1.0.7, and 1.1.x and 1.2.x before 1.2.3, exposes /proc in the apply_extra script sandbox, which allows attackers to modify a host-side executable file.

CVSS vector

CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:HExploitability: 1.5 | Impact: 6.0

Affected Packages5 packages

▶NVDflatpak/flatpak1.1.0 — 1.1.3+2

▶Debianflatpak< 1.2.3-1+3

▶NVDredhat/enterprise_linux_server7.0

▶NVDredhat/enterprise_linux_desktop7.0

▶NVDredhat/enterprise_linux_workstation7.0

Also affects: Debian Linux 10.0, 9.0, Enterprise Linux 7.6

🔴Vulnerability Details

GHSA

GHSA-26wh-22xw-qfqx: Flatpak before 1↗2022-05-13

▶

OSV

CVE-2019-8308: Flatpak before 1↗2019-02-12

▶

CVEList

CVE-2019-8308: Flatpak before 1↗2019-02-12

▶

📋Vendor Advisories

Red Hat

flatpak: potential /proc based sandbox escape↗2019-02-11

▶

Debian

CVE-2019-8308: flatpak - Flatpak before 1.0.7, and 1.1.x and 1.2.x before 1.2.3, exposes /proc in the app...↗2019

▶

💬Community

Bugzilla

CVE-2019-8308 flatpak: potential /proc based sandbox escape [fedora-all]↗2019-02-11

▶

Bugzilla

CVE-2019-8308 flatpak: potential /proc based sandbox escape↗2019-02-11

▶