CVE-2019-8308

Flatpak before 1.0.7, and 1.1.x and 1.2.x before 1.2.3, exposes /proc in the apply_extra script sandbox, which allows attackers to modify a host-side executable file.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
8.2 HIGH
LOCAL
LOW
LOW
CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 20%
Affected Products (NVD)
VendorProductVersion
flatpakflatpak
𝑥
< 1.0.7
flatpakflatpak
1.1.0 ≤
𝑥
≤ 1.1.3
flatpakflatpak
1.2.0 ≤
𝑥
≤ 1.2.3
debiandebian_linux
9.0
debiandebian_linux
10.0
redhatenterprise_linux_desktop
7.0
redhatenterprise_linux_server
7.0
redhatenterprise_linux_server_aus
7.6
redhatenterprise_linux_server_eus
7.6
redhatenterprise_linux_server_tus
7.6
redhatenterprise_linux_workstation
7.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
flatpak
bookworm
1.14.10-1~deb12u1
fixed
bookworm (security)
1.14.10-1~deb12u1
fixed
bullseye
1.10.8-0+deb11u2
fixed
bullseye (security)
1.10.8-0+deb11u2
fixed
sid
1.14.10-1
fixed
trixie
1.14.10-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
flatpak
bionic
Fixed 1.0.7-0ubuntu0.18.04.1
released
cosmic
Fixed 1.0.7-0ubuntu0.18.10.1
released
trusty
dne
xenial
dne
Red Hat logo
Red Hat Enterprise Linux Releases
Red Hat Product
Release
flatpak
RHEL 7
0:1.0.2-4.el7_6
fixed
flatpak-builder
RHEL 7
0:1.0.0-4.el7_6
fixed
flatpak-devel
RHEL 7
0:1.0.2-4.el7_6
fixed
flatpak-libs
RHEL 7
0:1.0.2-4.el7_6
fixed
Common Weakness Enumeration
References
http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00088.html
https://access.redhat.com/errata/RHSA-2019:0375
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=922059
https://github.com/flatpak/flatpak/releases/tag/1.0.7
https://github.com/flatpak/flatpak/releases/tag/1.2.3
http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00088.html
https://access.redhat.com/errata/RHSA-2019:0375
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=922059
https://github.com/flatpak/flatpak/releases/tag/1.0.7
https://github.com/flatpak/flatpak/releases/tag/1.2.3