Flatpak
CVE-2018-6560
HIGH
Severity by source
AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionNVD
In dbus-proxy/flatpak-proxy.c in Flatpak before 0.8.9, and 0.9.x and 0.10.x before 0.10.3, crafted D-Bus messages to the host can be used to break out of the sandbox, because whitespace handling in the proxy is not identical to whitespace handling in the daemon.
AnalysisAI
In dbus-proxy/flatpak-proxy.c in Flatpak before 0.8.9, and 0.9.x and 0.10.x before 0.10.3, crafted D-Bus messages to the host can be used to break out of the sandbox, because whitespace handling in. Rated high severity (CVSS 8.8), this vulnerability is low attack complexity.
Technical ContextAI
This vulnerability is classified under CWE-436. In dbus-proxy/flatpak-proxy.c in Flatpak before 0.8.9, and 0.9.x and 0.10.x before 0.10.3, crafted D-Bus messages to the host can be used to break out of the sandbox, because whitespace handling in the proxy is not identical to whitespace handling in the daemon. Affected products include: Flatpak, Redhat Enterprise Linux Desktop, Redhat Enterprise Linux Server, Redhat Enterprise Linux Server Aus, Redhat Enterprise Linux Server Eus. Version information: before 0.8.9.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
Sandbox escape in Flatpak versions prior to 1.16.4 allows applications to access arbitrary host filesystem paths and ach
Flatpak before 1.0.8, 1.1.x and 1.2.x before 1.2.4, and 1.3.x before 1.3.1 allows a sandbox bypass. Rated critical sever
Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. Rated high severity
Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. Rated high severity
Flatpak before 1.0.7, and 1.1.x and 1.2.x before 1.2.3, exposes /proc in the apply_extra script sandbox, which allows at
In Flatpak before 0.8.7, a third-party app repository could include malicious apps that contain files with inappropriate
Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. Rated high severity
Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. Rated medium severi
Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. Rated medium severi
Same weakness CWE-436 – Interpretation Conflict
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today