Gentoo Foundation, GLSA-202411-02
Nov 06, 2024 - 12:00 a.m.

Flatpak: Sandbox Escape

Published: 2024-11-06 00:00:00
Source: security.gentoo.org
Tags: flatpak, linux, sandboxing, vulnerability, escape, directory access, upgrade

CVSS3: 10

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

AI Score: 6.9
Confidence: Low

Background

Flatpak is a Linux application sandboxing and distribution framework.

Description

A vulnerability has been discovered in Flatpak. Please review the CVE identifier referenced below for details.

Impact

A malicious or compromised Flatpak app using persistent directories could read and write files in locations it would not normally have access to.

Workaround

There is no known workaround at this time.

Resolution

All Flatpak users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=sys-apps/flatpak-1.4.10"

OS      Version  Architecture  Package           Version   Filename
Gentoo  any      all           sys-apps/flatpak  < 1.4.10  UNKNOWN
