INFSA-2024:9449: bubblewrap and flatpak security update

Information about definition

Identifier: INFSA-2024:9449

Type: security

Release date: 2024-12-13 12:01:16 UTC

Information about package

Bubblewrap (/usr/bin/bwrap) is a core execution engine for unprivileged containers that works as a setuid binary on kernels without user namespaces.

Vulnerabilities description

  • CVE-2024-42472

    A sandbox escape vulnerability was found in Flatpak due to a symlink-following issue when mounting persistent directories. This flaw allows a local user or attacker to craft a symbolic link that can bypass the intended restrictions, enabling access to and modification of files outside the designated sandbox. As a result, the attacker could potentially manipulate the file system, leading to unauthorized actions that compromise the security and integrity of the system.

Severity level

CVE: CVE-2024-42472
Score CVSS 2.0: no information
Score CVSS 3.x: 7.4
Score CVSS 4.0: no information
Critical, important, moderate, low

Updated packages