CVE-2018-6560

NONE EPSS 33.6%
Published Feb 2, 2018 · Last Modified Jun 17, 2026

Description

In dbus-proxy/flatpak-proxy.c in Flatpak before 0.8.9, and 0.9.x and 0.10.x before 0.10.3, crafted D-Bus messages to the host can be used to break out of the sandbox, because whitespace handling in the proxy is not identical to whitespace handling in the daemon.

Threat Intelligence

EPSS Exploit Probability
33.6% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-436

Affected Products 10

Vendor    Product                          Version  Range
flatpak   flatpak                          *        <0.8.9
flatpak   flatpak                          *        ≥0.9.1 – ≤0.9.99
flatpak   flatpak                          *        ≥0.10.0 – <0.10.3
redhat    enterprise_linux_desktop         7.0      any
redhat    enterprise_linux_server          7.0      any
redhat    enterprise_linux_server_aus      7.6      any
redhat    enterprise_linux_server_eus      7.5      any
redhat    enterprise_linux_server_eus      7.6      any
redhat    enterprise_linux_server_tus      7.6      any
redhat    enterprise_linux_workstation     7.0      any

References 4

  • access.redhat.com https://access.redhat.com/errata/RHSA-2018:2766
    Third Party Advisory
  • github.com https://github.com/flatpak/flatpak/commit/52346bf187b5a7f1c0fe9075b328b7ad6abe78f6
    Patch, Vendor Advisory
  • github.com https://github.com/flatpak/flatpak/releases/tag/0.10.3
    Release Notes
  • github.com https://github.com/flatpak/flatpak/releases/tag/0.8.9
    Release Notes

Remediation

  • github.com https://github.com/flatpak/flatpak/commit/52346bf187b5a7f1c0fe9075b328b7ad6abe78f6
    Patch, Vendor Advisory