CVE-2019-12439

EPSS 0.14%
Veröffentlicht 29.05.2019 15:29:00
Zuletzt bearbeitet 21.11.2024 04:22:50
Quelle cve@mitre.org
Teams Watchlist Login
Unerledigt Login

bubblewrap.c in Bubblewrap before 0.3.3 misuses temporary directories in /tmp as a mount point. In some particular configurations (related to XDG_RUNTIME_DIR), a local attacker may abuse this flaw to prevent other users from executing bubblewrap or potentially execute code.

Betroffene Produkte Warnungen 0 Metriken 4 CWE 1 Referenzen 11

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Projectatomic ≫ Bubblewrap Version < 0.3.3

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.14%	0.351

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.8	1.8	5.9	CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	4.6	3.9	6.4	AV:L/AC:L/Au:N/C:P/I:P/A:P
cve@mitre.org	7.4	1.4	5.9	CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00028.html

http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00015.html

https://access.redhat.com/errata/RHSA-2019:1833

https://bugzilla.redhat.com/show_bug.cgi?id=1695963

Third Party Advisory

Issue Tracking

https://github.com/projectatomic/bubblewrap/commit/efc89e3b939b4bde42c10f065f6b7b02958ed50e

Patch

Third Party Advisory

https://github.com/projectatomic/bubblewrap/issues/304

Third Party Advisory

https://github.com/projectatomic/bubblewrap/releases/tag/v0.3.3