7.8

CVE-2019-12439

bubblewrap.c in Bubblewrap before 0.3.3 misuses temporary directories in /tmp as a mount point. In some particular configurations (related to XDG_RUNTIME_DIR), a local attacker may abuse this flaw to prevent other users from executing bubblewrap or potentially execute code.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
ProjectatomicBubblewrap Version < 0.3.3
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.49% 0.384
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 7.8 1.8 5.9
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov 4.6 3.9 6.4
AV:L/AC:L/Au:N/C:P/I:P/A:P
cve@mitre.org 7.4 1.4 5.9
CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00028.html
http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00015.html
https://access.redhat.com/errata/RHSA-2019:1833
https://bugzilla.redhat.com/show_bug.cgi?id=1695963
Third Party Advisory
Issue Tracking
https://github.com/projectatomic/bubblewrap/commit/efc89e3b939b4bde42c10f065f6b7b02958ed50e
Patch
Third Party Advisory
https://github.com/projectatomic/bubblewrap/issues/304
Third Party Advisory
https://github.com/projectatomic/bubblewrap/releases/tag/v0.3.3
Third Party Advisory
Release Notes
https://security.gentoo.org/glsa/202006-18