{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "Flatpak before 1.0.8, 1.1.x and 1.2.x before 1.2.4, and 1.3.x before 1.3.1 allows a sandbox bypass. Flatpak versions since 0.8.1 address CVE-2017-5226 by using a seccomp filter to prevent sandboxed apps from using the TIOCSTI ioctl, which could otherwise be used to inject commands into the controlling terminal so that they would be executed outside the sandbox after the sandboxed app exits. This fix was incomplete: on 64-bit platforms, the seccomp filter could be bypassed by an ioctl request number that has TIOCSTI in its 32 least significant bits and an arbitrary nonzero value in its 32 most significant bits, which the Linux kernel would treat as equivalent to TIOCSTI."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-05-13T09:06:07", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/flatpak/flatpak/issues/2782"}, {"name": "RHSA-2019:1024", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2019:1024"}, {"name": "RHSA-2019:1143", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2019:1143"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-10063", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Flatpak before 1.0.8, 1.1.x and 1.2.x before 1.2.4, and 1.3.x before 1.3.1 allows a sandbox bypass. Flatpak versions since 0.8.1 address CVE-2017-5226 by using a seccomp filter to prevent sandboxed apps from using the TIOCSTI ioctl, which could otherwise be used to inject commands into the controlling terminal so that they would be executed outside the sandbox after the sandboxed app exits. This fix was incomplete: on 64-bit platforms, the seccomp filter could be bypassed by an ioctl request number that has TIOCSTI in its 32 least significant bits and an arbitrary nonzero value in its 32 most significant bits, which the Linux kernel would treat as equivalent to TIOCSTI."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://github.com/flatpak/flatpak/issues/2782", "refsource": "MISC", "url": "https://github.com/flatpak/flatpak/issues/2782"}, {"name": "RHSA-2019:1024", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2019:1024"}, {"name": "RHSA-2019:1143", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2019:1143"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T22:10:09.240Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/flatpak/flatpak/issues/2782"}, {"name": "RHSA-2019:1024", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2019:1024"}, {"name": "RHSA-2019:1143", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2019:1143"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-10063", "datePublished": "2019-03-26T13:40:19", "dateReserved": "2019-03-26T00:00:00", "dateUpdated": "2024-08-04T22:10:09.240Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:flatpak:flatpak:*:*:*:*:*:*:*:*", "matchCriteriaId": "760A9FE8-23B8-4901-9278-2558BEA362D3", "versionEndExcluding": "1.0.8", "vulnerable": true}, {"criteria": "cpe:2.3:a:flatpak:flatpak:*:*:*:*:*:*:*:*", "matchCriteriaId": "257A9820-7329-4F74-97F6-F695F38C116D", "versionEndIncluding": "1.1.3", "versionStartIncluding": "1.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:flatpak:flatpak:*:*:*:*:*:*:*:*", "matchCriteriaId": "9B40E0D8-EF6D-4B52-87EF-97D17F131F56", "versionEndExcluding": "1.2.4", "versionStartIncluding": "1.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:flatpak:flatpak:1.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "56F607CF-96CC-4176-8336-1F00C6CA2B9E", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Flatpak before 1.0.8, 1.1.x and 1.2.x before 1.2.4, and 1.3.x before 1.3.1 allows a sandbox bypass. Flatpak versions since 0.8.1 address CVE-2017-5226 by using a seccomp filter to prevent sandboxed apps from using the TIOCSTI ioctl, which could otherwise be used to inject commands into the controlling terminal so that they would be executed outside the sandbox after the sandboxed app exits. This fix was incomplete: on 64-bit platforms, the seccomp filter could be bypassed by an ioctl request number that has TIOCSTI in its 32 least significant bits and an arbitrary nonzero value in its 32 most significant bits, which the Linux kernel would treat as equivalent to TIOCSTI."}, {"lang": "es", "value": "Flatpak, en versiones anteriores a la 1.0.8, 1.1.x y 1.2.x anteriores a la 1.2.4, y en las versiones 1.3.x anteriores a la 1.3.1, permite omitir el sandbox. Las versiones de Flatpak desde la 0.8.1 abordan CVE-2017-5226 mediante un filtro seccomp para evitar que las aplicaciones del sandbox empleen el ioctl TIOCSTI, que podr\u00eda emplearse para inyectar comandos en la terminal de control para que se ejecuten fuera del sandbox una vez la aplicaci\u00f3n en el sandbox se cierra. La soluci\u00f3n estaba incompleta: en las plataformas de 64 bits, el filtro seccomp podr\u00eda ser omitido por un n\u00famero de petici\u00f3n ioctl que tiene TIOCSTI en los 32 bits menos significativos y un valor arbitrario que no es cero en sus 32 bits m\u00e1s significativos, lo que el kernel de Linux tratar\u00eda como un equivalente a TIOCSTI."}], "id": "CVE-2019-10063", "lastModified": "2019-05-13T10:29:02.193", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 6.0, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-03-26T14:29:00.240", "references": [{"source": "cve@mitre.org", "url": "https://access.redhat.com/errata/RHSA-2019:1024"}, {"source": "cve@mitre.org", "url": "https://access.redhat.com/errata/RHSA-2019:1143"}, {"source": "cve@mitre.org", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "url": "https://github.com/flatpak/flatpak/issues/2782"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2019:1024", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "flatpak-0:1.0.2-5.el7_6", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2019-05-07T00:00:00Z"}, {"advisory": "RHSA-2019:1143", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "flatpak-0:1.0.6-3.el8_0", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2019-05-13T00:00:00Z"}], "bugzilla": {"description": "flatpak: Sandbox bypass via IOCSTI (incomplete fix for CVE-2017-5226)", "id": "1695973", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1695973"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.8", "cvss3_scoring_vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-266", "details": ["Flatpak before 1.0.8, 1.1.x and 1.2.x before 1.2.4, and 1.3.x before 1.3.1 allows a sandbox bypass. Flatpak versions since 0.8.1 address CVE-2017-5226 by using a seccomp filter to prevent sandboxed apps from using the TIOCSTI ioctl, which could otherwise be used to inject commands into the controlling terminal so that they would be executed outside the sandbox after the sandboxed app exits. This fix was incomplete: on 64-bit platforms, the seccomp filter could be bypassed by an ioctl request number that has TIOCSTI in its 32 least significant bits and an arbitrary nonzero value in its 32 most significant bits, which the Linux kernel would treat as equivalent to TIOCSTI.", "An incomplete fix for CVE-2017-5226 was found in flatpak. A sandbox bypass flaw was found in the way bubblewrap, which is used for sandboxing flatpak applications handled the TIOCSTI ioctl. A malicious flatpak application could use this flaw to inject commands into the controlled terminal of the host after the flatpak applications exits. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability."], "name": "CVE-2019-10063", "public_date": "2019-03-22T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2019-10063\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-10063"], "statement": "This flaw can be exploited by malicious flatpak applications which include the code to exploit the wrong handling of the TIOCSTI ioctl (AV:L). No special action is needed to be performed by the attacker just having the exploit code should be enough for bypassing the sandbox restrictions (AC:L), Also the applications needs to be downloaded and run by the victim (PR:L). The flaw results in code being executed on the host system which is running the sandboxed application therefore this affects the host beyond the sandboxed application (S:C). Lastly considering the worst scenario in which the flatpak is run as root on the host system, this flaw can result in the malicious application running code as root on the host system (CIA:H).", "threat_severity": "Important", "upstream_fix": "flatpak 1.3.2"}