CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
AI Score
Confidence: High
EPSS Percentile: 13.7%
A sandbox escape vulnerability was found in Flatpak due to a symlink-following issue when mounting persistent directories. This flaw allows a local user or attacker to craft a symbolic link that can bypass the intended restrictions, enabling access to and modification of files outside the designated sandbox. As a result, the attacker could potentially manipulate the file system, leading to unauthorized actions that compromise the security and integrity of the system.
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria, comprising ease of use and deployment, applicability to a widespread installation base, or stability.
bugzilla.redhat.com/show_bug.cgi?id=2305202
github.com/containers/bubblewrap/commit/68e75c3091c87583c28a439b45c45627a94d622c
github.com/containers/bubblewrap/commit/a253257cd298892da43e15201d83f9a02c9b58b5
github.com/flatpak/flatpak/commit/2cdd1e1e5ae90d7c3a4b60ce2e36e4d609e44e72
github.com/flatpak/flatpak/commit/3caeb16c31a3ed62d744e2aaf01d684f7991051a
github.com/flatpak/flatpak/commit/6bd603f6836e9b38b9b937d3b78f3fbf36e7ff75
github.com/flatpak/flatpak/commit/7c63e53bb2af0aae9097fd2edfd6a9ba9d453e97
github.com/flatpak/flatpak/commit/8a18137d7e80f0575e8defabf677d81e5cc3a788
github.com/flatpak/flatpak/commit/db3a785241fda63bf53f0ec12bb519aa5210de19
github.com/flatpak/flatpak/security/advisories/GHSA-7hgv-f2j8-xw87
nvd.nist.gov/vuln/detail/CVE-2024-42472
www.cve.org/CVERecord?id=CVE-2024-42472