PT-2019-4188 · Flatpak+4 · Flatpak+4
Simon McVittie · Published 2019-02-11 · Updated 2021-05-06
CVE-2019-8308
CVSS v3.1: 8.2 (High)
| Vector | AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Flatpak versions prior to 1.0.7
Flatpak versions 1.1.x
Flatpak versions 1.2.x prior to 1.2.3
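The affected ranges listed above, expressed as a version check. This is an added example, not part of the original advisory or of Flatpak itself; the function name cve_2019_8308_status is hypothetical, and it compares upstream x.y.z version numbers only.

```sh
#!/bin/sh
# Classify a Flatpak version against the ranges this page lists for
# CVE-2019-8308: < 1.0.7, any 1.1.x, and 1.2.x < 1.2.3.
# Prints one of: affected | not-affected | unknown
cve_2019_8308_status() {
    ver=${1%%[!0-9.]*}      # drop packaging suffixes such as "-1.el7"
    old_ifs=$IFS; IFS=.; set -- $ver; IFS=$old_ifs
    # Require exactly three non-empty numeric components (x.y.z).
    [ $# -eq 3 ] && [ -n "$1" ] && [ -n "$2" ] && [ -n "$3" ] || {
        echo unknown; return 0
    }
    major=$1 minor=$2 micro=$3
    if [ "$major" -lt 1 ]; then
        echo affected                     # everything before 1.0.7
    elif [ "$major" -gt 1 ]; then
        echo not-affected
    else
        case $minor in
            0) if [ "$micro" -lt 7 ]; then echo affected
               else echo not-affected; fi ;;
            1) echo affected ;;           # whole 1.1.x series
            2) if [ "$micro" -lt 3 ]; then echo affected
               else echo not-affected; fi ;;
            *) echo not-affected ;;
        esac
    fi
}

# Check the locally installed Flatpak, if there is one.
# "flatpak --version" prints a line of the form "Flatpak 1.2.3".
if command -v flatpak >/dev/null 2>&1; then
    installed=$(flatpak --version | awk '{print $2}')
    echo "flatpak $installed: $(cve_2019_8308_status "$installed")"
fi
```

Distribution packages can carry a backported fix under an older upstream version number, so an "affected" result for a vendor package should be confirmed against that vendor's advisory.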
Description
The issue is related to errors in handling file descriptors in the Flatpak application and environment management tool. Exploitation of this issue may allow an attacker to modify arbitrary executable files on the host side by running the apply_extra script. The vulnerability exposes /proc in the apply_extra script sandbox, which enables attackers to modify a host-side executable file.
Recommendations
For Flatpak versions prior to 1.0.7, update to version 1.0.7 or later.
For Flatpak versions 1.1.x, update to version 1.2.3 or later.
For Flatpak versions 1.2.x prior to 1.2.3, update to version 1.2.3 or later.
As a temporary workaround, consider restricting access to the apply_extra script until a patch is available.
Fix
RCE
Exposure of Resource to Wrong Sphere
Related identifiers
Affected products
ALT Linux
CentOS
Flatpak
Red Hat
SUSE