CVE-2019-8308
HIGHflatpak < 1.0.7 and 1.1.x-1.2.x < 1.2.3 - Arbitrary File Modification via /proc Exposure
Title source: llmDescription
Flatpak before 1.0.7, and 1.1.x and 1.2.x before 1.2.3, exposes /proc in the apply_extra script sandbox, which allows attackers to modify a host-side executable file.
References (5)
Core 5
Core References
Issue Tracking, Mailing List, Third Party Advisory x_refsource_misc
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=922059
Third Party Advisory x_refsource_misc
https://github.com/flatpak/flatpak/releases/tag/1.2.3
Third Party Advisory x_refsource_misc
https://github.com/flatpak/flatpak/releases/tag/1.0.7
Third Party Advisory vendor-advisory
x_refsource_redhat
https://access.redhat.com/errata/RHSA-2019:0375
Mailing List vendor-advisory
x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00088.html
Scores
CVSS v3
8.2
EPSS
0.0006
EPSS Percentile
19.9%
Attack Vector
LOCAL
CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Details
CWE
CWE-668
Status
published
Products (9)
debian/debian_linux
9.0
debian/debian_linux
10.0
flatpak/flatpak
< 1.0.7
redhat/enterprise_linux_desktop
7.0
redhat/enterprise_linux_server
7.0
redhat/enterprise_linux_server_aus
7.6
redhat/enterprise_linux_server_eus
7.6
redhat/enterprise_linux_server_tus
7.6
redhat/enterprise_linux_workstation
7.0
Published
Feb 12, 2019
Tracked Since
Feb 18, 2026