CVE-2019-8308

HIGH

Flatpak < 1.0.7 - Exposure to Wrong Actor

Title source: rule

Description

Flatpak before 1.0.7, and 1.1.x and 1.2.x before 1.2.3, exposes /proc in the apply_extra script sandbox, which allows attackers to modify a host-side executable file.

References (5)

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2019:0375

[Issue Tracking, Mailing List, Third Party Advisory] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=922059

[Third Party Advisory] https://github.com/flatpak/flatpak/releases/tag/1.0.7

[Third Party Advisory] https://github.com/flatpak/flatpak/releases/tag/1.2.3

[Mailing List] http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00088.html

Scores

CVSS v3 8.2

EPSS 0.0006

EPSS Percentile 19.8%

Attack Vector LOCAL

CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Classification

CWE

CWE-668

Status published

Affected Products (9)

flatpak/flatpak < 1.0.7

debian/debian_linux

redhat/enterprise_linux_desktop

redhat/enterprise_linux_server

redhat/enterprise_linux_server_aus

redhat/enterprise_linux_server_eus

redhat/enterprise_linux_server_tus

redhat/enterprise_linux_workstation

Timeline

Published Feb 12, 2019

Tracked Since Feb 18, 2026