CVE-2019-12439

low-risk
Published 2019-05-29

bubblewrap.c in Bubblewrap before 0.3.3 misuses temporary directories in /tmp as a mount point. In some particular configurations (related to XDG_RUNTIME_DIR), a local attacker may abuse this flaw to prevent other users from executing bubblewrap or potentially execute code.

Do I need to act?

-
0.15% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
7
CVSS 7.4/10 High
LOCAL / HIGH complexity

Affected Products (1)

Affected Vendors

Projectatomic

References (16)

http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00028.html
http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00015.html
https://access.redhat.com/errata/RHSA-2019:1833
Issue Tracking https://bugzilla.redhat.com/show_bug.cgi?id=1695963
Patch https://github.com/projectatomic/bubblewrap/commit/efc89e3b939b4bde42c10f065f6b7...
Third Party Advisory https://github.com/projectatomic/bubblewrap/issues/304
Release Notes https://github.com/projectatomic/bubblewrap/releases/tag/v0.3.3
https://security.gentoo.org/glsa/202006-18
http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00028.html
http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00015.html
https://access.redhat.com/errata/RHSA-2019:1833
Issue Tracking https://bugzilla.redhat.com/show_bug.cgi?id=1695963
Patch https://github.com/projectatomic/bubblewrap/commit/efc89e3b939b4bde42c10f065f6b7...
Third Party Advisory https://github.com/projectatomic/bubblewrap/issues/304
Release Notes https://github.com/projectatomic/bubblewrap/releases/tag/v0.3.3
https://security.gentoo.org/glsa/202006-18
25
/ 100
low-risk
Severity 19/34 · Moderate
Exploitability 1/34 · Minimal
Exposure 5/34 · Minimal