PT-2019-4188 · Flatpak+4

Simon McVittie · Published 2019-02-11 · Updated 2021-05-06 · CVE-2019-8308

CVSS v3.1: 8.2 (High)
Vector: AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Flatpak versions prior to 1.0.7
Flatpak versions 1.1.x
Flatpak versions 1.2.x prior to 1.2.3

Description

The issue stems from errors in file descriptor handling in Flatpak, the application and environment management tool. Flatpak exposes /proc inside the sandbox in which an application's apply_extra script runs; exploitation of this issue may allow an attacker to modify arbitrary executable files on the host side through that script.

Recommendations

For Flatpak versions prior to 1.0.7, update to version 1.0.7 or later.
For Flatpak versions 1.1.x, update to version 1.2.3 or later.
For Flatpak versions 1.2.x prior to 1.2.3, update to version 1.2.3 or later.
As a temporary workaround, consider restricting access to the apply_extra script until the fixed version can be installed.
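As an added check that is not part of this advisory, the helper below encodes the affected-version ranges listed above so an inventory script can flag hosts that still need the update; the `Flatpak X.Y.Z` line format of `flatpak --version` is an assumption, and the sample inputs are constructed.

```python
import re

# Fixed-version boundaries taken from the advisory's affected-version list.
FIXED_1_0 = (1, 0, 7)   # first fixed release on the 1.0 branch
FIXED_1_2 = (1, 2, 3)   # first fixed release on the 1.2 branch (also the target for 1.1.x)

def parse_version(text):
    """Extract X.Y.Z from a bare version or a line like 'Flatpak 1.2.3'.

    Assumption: `flatpak --version` prints 'Flatpak X.Y.Z'.
    """
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no X.Y.Z version found in {text!r}")
    return tuple(int(part) for part in m.groups())

def is_affected(version):
    """True if the version falls in one of the advisory's affected ranges."""
    v = parse_version(version) if isinstance(version, str) else tuple(version)
    major, minor, _ = v
    if v < FIXED_1_0:                       # every release before 1.0.7
        return True
    if (major, minor) == (1, 1):            # all 1.1.x releases
        return True
    if (major, minor) == (1, 2) and v < FIXED_1_2:  # 1.2.0 .. 1.2.2
        return True
    return False

def required_update(version):
    """Return the minimum fixed version the advisory recommends, or None."""
    if not is_affected(version):
        return None
    v = parse_version(version) if isinstance(version, str) else tuple(version)
    target = FIXED_1_0 if v < FIXED_1_0 else FIXED_1_2
    return ".".join(str(n) for n in target)

if __name__ == "__main__":
    # Constructed sample output lines, as an inventory job might collect them.
    for line in ["Flatpak 1.0.6", "Flatpak 1.0.7", "Flatpak 1.1.3", "Flatpak 1.2.2", "Flatpak 1.2.3"]:
        print(line, "-> update to", required_update(line) or "not required")
```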

Fix

RCE

Exposure of Resource to Wrong Sphere


Weakness Enumeration

Related Identifiers

ALT-PU-2019-1597
BDU:2019-04784
CESA-2019_0375
CVE-2019-8308
DSA-4390-1
OESA-2021-1149
OPENSUSE-SU-2019:2038-1
OPENSUSE-SU-2019_2038-1
RHSA-2019:0375
RHSA-2019_0375
SUSE-SU-2019:2185-1

Affected Products

Alt Linux
Centos
Flatpak
Red Hat
Suse