CVE-2018-6560
NONE EPSS 33.6%
Published Feb 2, 2018 8y ago
Last Modified Jun 17, 2026 2w ago
Description
In dbus-proxy/flatpak-proxy.c in Flatpak before 0.8.9, and 0.9.x and 0.10.x before 0.10.3, crafted D-Bus messages to the host can be used to break out of the sandbox, because whitespace handling in the proxy is not identical to whitespace handling in the daemon.
Threat Intelligence
EPSS Exploit Probability
33.6% percentile
Exploit & Patch Status
No Known Exploit
Patch Available
Weaknesses 1
CWE-436
Affected Products 10
| Vendor | Product | Version | Range |
|---|---|---|---|
| flatpak | flatpak | * | <0.8.9 |
| flatpak | flatpak | * | ≥0.9.1 – ≤0.9.99 |
| flatpak | flatpak | * | ≥0.10.0 – <0.10.3 |
| redhat | enterprise_linux_desktop | 7.0 | any |
| redhat | enterprise_linux_server | 7.0 | any |
| redhat | enterprise_linux_server_aus | 7.6 | any |
| redhat | enterprise_linux_server_eus | 7.5 | any |
| redhat | enterprise_linux_server_eus | 7.6 | any |
| redhat | enterprise_linux_server_tus | 7.6 | any |
| redhat | enterprise_linux_workstation | 7.0 | any |
References 4
- access.redhat.com https://access.redhat.com/errata/RHSA-2018:2766
- github.com https://github.com/flatpak/flatpak/commit/52346bf187b5a7f1c0fe9075b328b7ad6abe78f6
- github.com https://github.com/flatpak/flatpak/releases/tag/0.10.3
- github.com https://github.com/flatpak/flatpak/releases/tag/0.8.9
Remediation
- github.com https://github.com/flatpak/flatpak/commit/52346bf187b5a7f1c0fe9075b328b7ad6abe78f6