8.8

CVE-2018-6560

In dbus-proxy/flatpak-proxy.c in Flatpak before 0.8.9, and 0.9.x and 0.10.x before 0.10.3, crafted D-Bus messages to the host can be used to break out of the sandbox, because whitespace handling in the proxy is not identical to whitespace handling in the daemon.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
FlatpakFlatpak Version < 0.8.9
FlatpakFlatpak Version >= 0.9.1 <= 0.9.99
FlatpakFlatpak Version >= 0.10.0 < 0.10.3
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.42% 0.334
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 8.8 2 6
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
nvd@nist.gov 4.6 3.9 6.4
AV:L/AC:L/Au:N/C:P/I:P/A:P
CWE-436 Interpretation Conflict

Product A handles inputs or steps differently than Product B, which causes A to perform incorrect actions based on its perception of B's state.

https://access.redhat.com/errata/RHSA-2018:2766
Third Party Advisory
https://github.com/flatpak/flatpak/commit/52346bf187b5a7f1c0fe9075b328b7ad6abe78f6
Patch
Vendor Advisory
https://github.com/flatpak/flatpak/releases/tag/0.10.3
Release Notes
https://github.com/flatpak/flatpak/releases/tag/0.8.9
Release Notes