vulnerability
Oracle Linux: CVE-2018-6560: ELSA-2018-2766: flatpak security update (MODERATE)
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 5 | (AV:L/AC:L/Au:N/C:P/I:P/A:P) | Jan 29, 2018 | Sep 26, 2018 | Dec 3, 2025 |
Severity
5
CVSS
(AV:L/AC:L/Au:N/C:P/I:P/A:P)
Published
Jan 29, 2018
Added
Sep 26, 2018
Modified
Dec 3, 2025
Description
In dbus-proxy/flatpak-proxy.c in Flatpak before 0.8.9, and 0.9.x and 0.10.x before 0.10.3, crafted D-Bus messages to the host can be used to break out of the sandbox, because whitespace handling in the proxy is not identical to whitespace handling in the daemon.
It was found that flatpak's D-Bus proxy did not properly filter the access to D-Bus during the authentication protocol. A specially crafted flatpak application could use this flaw to bypass all restrictions imposed by flatpak and have full access to the D-BUS interface.
It was found that flatpak's D-Bus proxy did not properly filter the access to D-Bus during the authentication protocol. A specially crafted flatpak application could use this flaw to bypass all restrictions imposed by flatpak and have full access to the D-BUS interface.
Solutions
oracle-linux-upgrade-flatpakoracle-linux-upgrade-flatpak-builderoracle-linux-upgrade-flatpak-develoracle-linux-upgrade-flatpak-libs
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.