CVE-2019-8308

Impact:
Important
Public Date:
2019-02-11
CWE:
CWE-672
Bugzilla:
1675070: CVE-2019-8308 flatpak: potential /proc based sandbox escape

The MITRE CVE dictionary describes this issue as:

Flatpak before 1.0.7, and 1.1.x and 1.2.x before 1.2.3, exposes /proc in the apply_extra script sandbox, which allows attackers to modify a host-side executable file.

Find out more about CVE-2019-8308 from the MITRE CVE dictionary dictionary and NIST NVD.

Statement

This flaw appears to impact systems in special cases involving installing flatpak applications and runtimes system-wide. Installation of flatpak applications and runtimes locally should not be impacted.

CVSS v3 metrics

CVSS3 Base Score 7.7
CVSS3 Base Metrics CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
Attack Vector Local
Attack Complexity High
Privileges Required None
User Interaction Required
Scope Changed
Confidentiality High
Integrity Impact High
Availability Impact High

Red Hat Security Errata

Platform Errata Release Date
Red Hat Enterprise Linux 7 (flatpak) RHSA-2019:0375 2019-02-19

Affected Packages State

Platform Package State
Red Hat Enterprise Linux 8 flatpak Not affected
Last Modified

CVE description copyright © 2017, The MITRE Corporation