{"url":"http://public2.vulnerablecode.io/api/packages/5392?format=json","purl":"pkg:deb/debian/flatpak@0.8.9-0%2Bdeb9u3","type":"deb","namespace":"debian","name":"flatpak","version":"0.8.9-0+deb9u3","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"1.14.10-1~deb12u2","latest_non_vulnerable_version":"1.14.10-1~deb12u2","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/6087?format=json","vulnerability_id":"VCID-199n-5zq2-huay","summary":"sandbox escape","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-10063.json","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-10063.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2019-10063","reference_id":"","reference_type":"","scores":[{"value":"0.00402","scoring_system":"epss","scoring_elements":"0.61105","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00402","scoring_system":"epss","scoring_elements":"0.6115","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00402","scoring_system":"epss","scoring_elements":"0.61148","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00402","scoring_system":"epss","scoring_elements":"0.6113","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00402","scoring_system":"epss","scoring_elements":"0.61153","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00402","scoring_system":"epss","scoring_elements":"0.61161","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2019-10063"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10063","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10063"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cv
ss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1695973","reference_id":"1695973","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1695973"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=925541","reference_id":"925541","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=925541"},{"reference_url":"https://security.archlinux.org/AVG-971","reference_id":"AVG-971","reference_type":"","scores":[{"value":"High","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-971"},{"reference_url":"https://access.redhat.com/errata/RHSA-2019:1024","reference_id":"RHSA-2019:1024","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2019:1024"},{"reference_url":"https://access.redhat.com/errata/RHSA-2019:1143","reference_id":"RHSA-2019:1143","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2019:1143"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/5393?format=json","purl":"pkg:deb/debian/flatpak@1.2.5-0%2Bdeb10u4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5ayq-qemn-v3dz"},{"vulnerability":"VCID-bk2y-f8rc-mqf5"},{"vulnerability":"VCID-m5w9-dagz-afeq"},{"vulnerability":"VCID-reyr-twbr-hqbq"},{"vulnerability":"VCID-rpqr-5dz5-qqam"},{"vulnerability":"VCID-sfux-zkt3-5kb6"},{"vulnerability":"VCID-t2fq-gpj7-yug8"},{"vulnerability":"VCID-vtxy-95t3-r7fa"},{"vulnerability":"VCID-zghw-ev7h-4fdb"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/flatpak@1.2.5-0%252Bdeb10u4"}],"aliases":["CVE-2019-10063"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","r
esource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-199n-5zq2-huay"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/5161?format=json","vulnerability_id":"VCID-5ayq-qemn-v3dz","summary":"sandbox escape","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-41133.json","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-41133.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-41133","reference_id":"","reference_type":"","scores":[{"value":"0.00061","scoring_system":"epss","scoring_elements":"0.19132","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00061","scoring_system":"epss","scoring_elements":"0.19204","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00061","scoring_system":"epss","scoring_elements":"0.19107","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00061","scoring_system":"epss","scoring_elements":"0.19087","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00061","scoring_system":"epss","scoring_elements":"0.19159","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00061","scoring_system":"epss","scoring_elements":"0.19201","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-41133"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41133","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41133"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/flat
pak/flatpak/commit/1330662f33a55e88bfe18e76de28b7922d91a999","reference_id":"1330662f33a55e88bfe18e76de28b7922d91a999","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-07-30T16:07:06Z/"}],"url":"https://github.com/flatpak/flatpak/commit/1330662f33a55e88bfe18e76de28b7922d91a999"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2012245","reference_id":"2012245","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2012245"},{"reference_url":"https://github.com/flatpak/flatpak/commit/26b12484eb8a6219b9e7aa287b298a894b2f34ca","reference_id":"26b12484eb8a6219b9e7aa287b298a894b2f34ca","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-07-30T16:07:06Z/"}],"url":"https://github.com/flatpak/flatpak/commit/26b12484eb8a6219b9e7aa287b298a894b2f34ca"},{"reference_url":"https://github.com/flatpak/flatpak/commit/462fca2c666e0cd2b60d6d2593a7216a83047aaf","reference_id":"462fca2c666e0cd2b60d6d2593a7216a83047aaf","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-07-30T16:07:06Z/"}],"url":"https://github.com/flatpak/flatpak/commit/462fca2c666e0cd2b60d6d2593a7216a83047aaf"},{"reference_url":"https://github.com/flatpak/flatpak/commit/4c34815784e9ffda5733225c7d95824f96375e36","reference_id":"4c34815784e9ffda5733225c7d95824f96375e36","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"Tra
ck","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-07-30T16:07:06Z/"}],"url":"https://github.com/flatpak/flatpak/commit/4c34815784e9ffda5733225c7d95824f96375e36"},{"reference_url":"https://github.com/flatpak/flatpak/commit/89ae9fe74c6d445bb1b3a40e568d77cf5de47e48","reference_id":"89ae9fe74c6d445bb1b3a40e568d77cf5de47e48","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-07-30T16:07:06Z/"}],"url":"https://github.com/flatpak/flatpak/commit/89ae9fe74c6d445bb1b3a40e568d77cf5de47e48"},{"reference_url":"http://www.openwall.com/lists/oss-security/2021/10/26/9","reference_id":"9","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-07-30T16:07:06Z/"}],"url":"http://www.openwall.com/lists/oss-security/2021/10/26/9"},{"reference_url":"https://github.com/flatpak/flatpak/commit/9766ee05b1425db397d2cf23afd24c7f6146a69f","reference_id":"9766ee05b1425db397d2cf23afd24c7f6146a69f","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-07-30T16:07:06Z/"}],"url":"https://github.com/flatpak/flatpak/commit/9766ee05b1425db397d2cf23afd24c7f6146a69f"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=995935","reference_id":"995935","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=995935"},{"reference_url":"https://github.com/flatpak/flatpak/commit/a10f52a7565c549612c92b8e736a6698a53db330","reference_id":"a10f52a7565c549612c92b8e736a6698a53db3
30","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-07-30T16:07:06Z/"}],"url":"https://github.com/flatpak/flatpak/commit/a10f52a7565c549612c92b8e736a6698a53db330"},{"reference_url":"https://security.archlinux.org/AVG-2455","reference_id":"AVG-2455","reference_type":"","scores":[{"value":"High","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2455"},{"reference_url":"https://www.debian.org/security/2021/dsa-4984","reference_id":"dsa-4984","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-07-30T16:07:06Z/"}],"url":"https://www.debian.org/security/2021/dsa-4984"},{"reference_url":"https://github.com/flatpak/flatpak/commit/e26ac7586c392b5eb35ff4609fe232c52523b2cf","reference_id":"e26ac7586c392b5eb35ff4609fe232c52523b2cf","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-07-30T16:07:06Z/"}],"url":"https://github.com/flatpak/flatpak/commit/e26ac7586c392b5eb35ff4609fe232c52523b2cf"},{"reference_url":"https://github.com/flatpak/flatpak/security/advisories/GHSA-67h7-w3jq-vh4q","reference_id":"GHSA-67h7-w3jq-vh4q","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-07-30T16:07:06Z/"}],"url":"https://github.com/flatpak/flatpak/security/advisories/GHSA-67h7-w3jq-vh4q"},{"reference_ur
l":"https://security.gentoo.org/glsa/202312-12","reference_id":"GLSA-202312-12","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-07-30T16:07:06Z/"}],"url":"https://security.gentoo.org/glsa/202312-12"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R5656ONDP2MGKIJMKEC7N2NXCV27WGTC/","reference_id":"R5656ONDP2MGKIJMKEC7N2NXCV27WGTC","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-07-30T16:07:06Z/"}],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R5656ONDP2MGKIJMKEC7N2NXCV27WGTC/"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:4042","reference_id":"RHSA-2021:4042","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:4042"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:4044","reference_id":"RHSA-2021:4044","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:4044"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:4106","reference_id":"RHSA-2021:4106","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:4106"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:4107","reference_id":"RHSA-2021:4107","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:4107"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T5DKCYRC6MFSTFCUP4DELCOUUP3SFEFX/","reference_id":"T5DKCYRC6MFSTFCUP4DELCOUUP3SFEFX","reference_type":"","scores":[{"value":"8.8","scoring_
system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-07-30T16:07:06Z/"}],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T5DKCYRC6MFSTFCUP4DELCOUUP3SFEFX/"},{"reference_url":"https://usn.ubuntu.com/5191-1/","reference_id":"USN-5191-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/5191-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/510774?format=json","purl":"pkg:deb/debian/flatpak@1.10.8-0%2Bdeb11u2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-ryj9-k4ke-p7c3"},{"vulnerability":"VCID-sfux-zkt3-5kb6"},{"vulnerability":"VCID-ubd7-5ghs-6uad"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/flatpak@1.10.8-0%252Bdeb11u2"}],"aliases":["CVE-2021-41133"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-5ayq-qemn-v3dz"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/68522?format=json","vulnerability_id":"VCID-bk2y-f8rc-mqf5","summary":"Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. In Flatpack since version 0.9.4 and before version 1.10.2 has a vulnerability in the \"file forwarding\" feature which can be used by an attacker to gain access to files that would not ordinarily be allowed by the app's permissions. By putting the special tokens `@@` and/or `@@u` in the Exec field of a Flatpak app's .desktop file, a malicious app publisher can trick flatpak into behaving as though the user had chosen to open a target file with their Flatpak app, which automatically makes that file available to the Flatpak app. This is fixed in version 1.10.2. A minimal solution is the first commit \"`Disallow @@ and @@U usage in desktop files`\". 
The follow-up commits \"`dir: Reserve the whole @@ prefix`\" and \"`dir: Refuse to export .desktop files with suspicious uses of @@ tokens`\" are recommended, but not strictly required. As a workaround, avoid installing Flatpak apps from untrusted sources, or check the contents of the exported `.desktop` files in `exports/share/applications/*.desktop` (typically `~/.local/share/flatpak/exports/share/applications/*.desktop` and `/var/lib/flatpak/exports/share/applications/*.desktop`) to make sure that literal filenames do not follow `@@` or `@@u`.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-21381.json","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-21381.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-21381","reference_id":"","reference_type":"","scores":[{"value":"0.00118","scoring_system":"epss","scoring_elements":"0.30266","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00118","scoring_system":"epss","scoring_elements":"0.3026","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00118","scoring_system":"epss","scoring_elements":"0.30276","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00118","scoring_system":"epss","scoring_elements":"0.30245","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00118","scoring_system":"epss","scoring_elements":"0.3034","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00118","scoring_system":"epss","scoring_elements":"0.30305","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-21381"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21381","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21381"},{"reference_url":"https://ftp.suse.com/pub/proje
cts/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1936985","reference_id":"1936985","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1936985"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=984859","reference_id":"984859","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=984859"},{"reference_url":"https://security.archlinux.org/ASA-202103-4","reference_id":"ASA-202103-4","reference_type":"","scores":[],"url":"https://security.archlinux.org/ASA-202103-4"},{"reference_url":"https://security.archlinux.org/AVG-1678","reference_id":"AVG-1678","reference_type":"","scores":[{"value":"Medium","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-1678"},{"reference_url":"https://security.gentoo.org/glsa/202312-12","reference_id":"GLSA-202312-12","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/202312-12"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:1002","reference_id":"RHSA-2021:1002","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:1002"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:1068","reference_id":"RHSA-2021:1068","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:1068"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:1073","reference_id":"RHSA-2021:1073","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:1073"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:1074","reference_id":"RHSA-2021:1074","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-202
1:1074"},{"reference_url":"https://usn.ubuntu.com/4951-1/","reference_id":"USN-4951-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/4951-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/5393?format=json","purl":"pkg:deb/debian/flatpak@1.2.5-0%2Bdeb10u4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5ayq-qemn-v3dz"},{"vulnerability":"VCID-bk2y-f8rc-mqf5"},{"vulnerability":"VCID-m5w9-dagz-afeq"},{"vulnerability":"VCID-reyr-twbr-hqbq"},{"vulnerability":"VCID-rpqr-5dz5-qqam"},{"vulnerability":"VCID-sfux-zkt3-5kb6"},{"vulnerability":"VCID-t2fq-gpj7-yug8"},{"vulnerability":"VCID-vtxy-95t3-r7fa"},{"vulnerability":"VCID-zghw-ev7h-4fdb"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/flatpak@1.2.5-0%252Bdeb10u4"},{"url":"http://public2.vulnerablecode.io/api/packages/510774?format=json","purl":"pkg:deb/debian/flatpak@1.10.8-0%2Bdeb11u2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-ryj9-k4ke-p7c3"},{"vulnerability":"VCID-sfux-zkt3-5kb6"},{"vulnerability":"VCID-ubd7-5ghs-6uad"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/flatpak@1.10.8-0%252Bdeb11u2"}],"aliases":["CVE-2021-21381"],"risk_score":3.6,"exploitability":"0.5","weighted_severity":"7.3","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-bk2y-f8rc-mqf5"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/369704?format=json","vulnerability_id":"VCID-d8pc-mnf9-k7a8","summary":"regression 
update","references":[],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/5393?format=json","purl":"pkg:deb/debian/flatpak@1.2.5-0%2Bdeb10u4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5ayq-qemn-v3dz"},{"vulnerability":"VCID-bk2y-f8rc-mqf5"},{"vulnerability":"VCID-m5w9-dagz-afeq"},{"vulnerability":"VCID-reyr-twbr-hqbq"},{"vulnerability":"VCID-rpqr-5dz5-qqam"},{"vulnerability":"VCID-sfux-zkt3-5kb6"},{"vulnerability":"VCID-t2fq-gpj7-yug8"},{"vulnerability":"VCID-vtxy-95t3-r7fa"},{"vulnerability":"VCID-zghw-ev7h-4fdb"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/flatpak@1.2.5-0%252Bdeb10u4"}],"aliases":["DSA-4830-2 flatpak"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-d8pc-mnf9-k7a8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/68521?format=json","vulnerability_id":"VCID-kzaz-c8d9-zqe6","summary":"Flatpak before 1.0.7, and 1.1.x and 1.2.x before 1.2.3, exposes /proc in the apply_extra script sandbox, which allows attackers to modify a host-side executable 
file.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-8308.json","reference_id":"","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-8308.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2019-8308","reference_id":"","reference_type":"","scores":[{"value":"0.00064","scoring_system":"epss","scoring_elements":"0.201","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00064","scoring_system":"epss","scoring_elements":"0.20176","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00064","scoring_system":"epss","scoring_elements":"0.20168","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00064","scoring_system":"epss","scoring_elements":"0.20128","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00064","scoring_system":"epss","scoring_elements":"0.20062","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00064","scoring_system":"epss","scoring_elements":"0.2008","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2019-8308"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8308","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8308"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1675070","reference_id":"1675070","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1675070"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=922059","reference_i
d":"922059","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=922059"},{"reference_url":"https://access.redhat.com/errata/RHSA-2019:0375","reference_id":"RHSA-2019:0375","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2019:0375"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/5393?format=json","purl":"pkg:deb/debian/flatpak@1.2.5-0%2Bdeb10u4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5ayq-qemn-v3dz"},{"vulnerability":"VCID-bk2y-f8rc-mqf5"},{"vulnerability":"VCID-m5w9-dagz-afeq"},{"vulnerability":"VCID-reyr-twbr-hqbq"},{"vulnerability":"VCID-rpqr-5dz5-qqam"},{"vulnerability":"VCID-sfux-zkt3-5kb6"},{"vulnerability":"VCID-t2fq-gpj7-yug8"},{"vulnerability":"VCID-vtxy-95t3-r7fa"},{"vulnerability":"VCID-zghw-ev7h-4fdb"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/flatpak@1.2.5-0%252Bdeb10u4"}],"aliases":["CVE-2019-8308"],"risk_score":3.5,"exploitability":"0.5","weighted_severity":"6.9","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-kzaz-c8d9-zqe6"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/68530?format=json","vulnerability_id":"VCID-m5w9-dagz-afeq","summary":"Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. in versions before 1.10.9, 1.12.9, 1.14.6, and 1.15.8, a malicious or compromised Flatpak app could execute arbitrary code outside its sandbox. Normally, the `--command` argument of `flatpak run` expects to be given a command to run in the specified Flatpak app, optionally along with some arguments. However it is possible to instead pass `bwrap` arguments to `--command=`, such as `--bind`. It's possible to pass an arbitrary `commandline` to the portal interface `org.freedesktop.portal.Background.RequestBackground` from within a Flatpak app. 
When this is converted into a `--command` and arguments, it achieves the same effect of passing arguments directly to `bwrap`, and thus can be used for a sandbox escape. The solution is to pass the `--` argument to `bwrap`, which makes it stop processing options. This has been supported since bubblewrap 0.3.0. All supported versions of Flatpak require at least that version of bubblewrap. xdg-desktop-portal version 1.18.4 will mitigate this vulnerability by only allowing Flatpak apps to create .desktop files for commands that do not start with --. The vulnerability is patched in 1.15.8, 1.10.9, 1.12.9, and 1.14.6.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-32462.json","reference_id":"","reference_type":"","scores":[{"value":"8.4","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-32462.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-32462","reference_id":"","reference_type":"","scores":[{"value":"0.00247","scoring_system":"epss","scoring_elements":"0.4817","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00247","scoring_system":"epss","scoring_elements":"0.48202","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00247","scoring_system":"epss","scoring_elements":"0.48206","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00247","scoring_system":"epss","scoring_elements":"0.48187","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00247","scoring_system":"epss","scoring_elements":"0.48157","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-32462"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-32462","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-32462"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","
reference_id":"","reference_type":"","scores":[{"value":"8.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2275981","reference_id":"2275981","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2275981"},{"reference_url":"http://www.openwall.com/lists/oss-security/2024/04/18/5","reference_id":"5","reference_type":"","scores":[{"value":"8.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-04-20T04:00:12Z/"}],"url":"http://www.openwall.com/lists/oss-security/2024/04/18/5"},{"reference_url":"https://github.com/flatpak/flatpak/commit/72016e3fce8fcbeab707daf4f1a02b931fcc004d","reference_id":"72016e3fce8fcbeab707daf4f1a02b931fcc004d","reference_type":"","scores":[{"value":"8.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-04-20T04:00:12Z/"}],"url":"https://github.com/flatpak/flatpak/commit/72016e3fce8fcbeab707daf4f1a02b931fcc004d"},{"reference_url":"https://github.com/flatpak/flatpak/commit/81abe2a37d363f5099c3d0bdcd0caad6efc5bf97","reference_id":"81abe2a37d363f5099c3d0bdcd0caad6efc5bf97","reference_type":"","scores":[{"value":"8.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-04-20T04:00:12Z/"}],"url":"https://github.com/flatpak/flatpak/commit/81abe2a37d363f5099c3d0bdcd0caad6efc5bf97"},{"reference_url":"https://github.com/flatpak/flatpak/commit/b7c1a558e58aaeb1d007d29529bbb270dc4ff11e","reference_id":"b7c1a558e5
8aaeb1d007d29529bbb270dc4ff11e","reference_type":"","scores":[{"value":"8.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-04-20T04:00:12Z/"}],"url":"https://github.com/flatpak/flatpak/commit/b7c1a558e58aaeb1d007d29529bbb270dc4ff11e"},{"reference_url":"https://github.com/flatpak/flatpak/commit/bbab7ed1e672356d1a78b422462b210e8e875931","reference_id":"bbab7ed1e672356d1a78b422462b210e8e875931","reference_type":"","scores":[{"value":"8.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-04-20T04:00:12Z/"}],"url":"https://github.com/flatpak/flatpak/commit/bbab7ed1e672356d1a78b422462b210e8e875931"},{"reference_url":"https://github.com/flatpak/flatpak/security/advisories/GHSA-phv6-cpc2-2fgj","reference_id":"GHSA-phv6-cpc2-2fgj","reference_type":"","scores":[{"value":"8.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-04-20T04:00:12Z/"}],"url":"https://github.com/flatpak/flatpak/security/advisories/GHSA-phv6-cpc2-2fgj"},{"reference_url":"https://security.gentoo.org/glsa/202406-02","reference_id":"GLSA-202406-02","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/202406-02"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IB6VQAF5S2YOBULDHPUKPOEIKONOP5KO/","reference_id":"IB6VQAF5S2YOBULDHPUKPOEIKONOP5KO","reference_type":"","scores":[{"value":"8.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-04-20T04:
00:12Z/"}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IB6VQAF5S2YOBULDHPUKPOEIKONOP5KO/"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:3959","reference_id":"RHSA-2024:3959","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:3959"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:3960","reference_id":"RHSA-2024:3960","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:3960"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:3961","reference_id":"RHSA-2024:3961","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:3961"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:3962","reference_id":"RHSA-2024:3962","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:3962"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:3963","reference_id":"RHSA-2024:3963","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:3963"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:3969","reference_id":"RHSA-2024:3969","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:3969"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:3970","reference_id":"RHSA-2024:3970","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:3970"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:3979","reference_id":"RHSA-2024:3979","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:3979"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:3980","reference_id":"RHSA-2024:3980","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:3980"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZFNSCFJVMAQK5AF55JBN7OSJP3CREDBD/","reference_
id":"ZFNSCFJVMAQK5AF55JBN7OSJP3CREDBD","reference_type":"","scores":[{"value":"8.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-04-20T04:00:12Z/"}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZFNSCFJVMAQK5AF55JBN7OSJP3CREDBD/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/510774?format=json","purl":"pkg:deb/debian/flatpak@1.10.8-0%2Bdeb11u2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-ryj9-k4ke-p7c3"},{"vulnerability":"VCID-sfux-zkt3-5kb6"},{"vulnerability":"VCID-ubd7-5ghs-6uad"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/flatpak@1.10.8-0%252Bdeb11u2"}],"aliases":["CVE-2024-32462"],"risk_score":3.8,"exploitability":"0.5","weighted_severity":"7.6","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-m5w9-dagz-afeq"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/5730?format=json","vulnerability_id":"VCID-reyr-twbr-hqbq","summary":"sandbox 
escape","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-21261.json","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-21261.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-21261","reference_id":"","reference_type":"","scores":[{"value":"0.00108","scoring_system":"epss","scoring_elements":"0.28643","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00108","scoring_system":"epss","scoring_elements":"0.28611","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00108","scoring_system":"epss","scoring_elements":"0.28638","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00108","scoring_system":"epss","scoring_elements":"0.28604","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00108","scoring_system":"epss","scoring_elements":"0.28715","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00108","scoring_system":"epss","scoring_elements":"0.28674","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-21261"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21261","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21261"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1917430","reference_id":"1917430","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1917430"},{"reference_url":"https://security.archlinux.org/ASA-202101-40","reference_i
d":"ASA-202101-40","reference_type":"","scores":[],"url":"https://security.archlinux.org/ASA-202101-40"},{"reference_url":"https://security.archlinux.org/AVG-1454","reference_id":"AVG-1454","reference_type":"","scores":[{"value":"High","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-1454"},{"reference_url":"https://security.gentoo.org/glsa/202101-21","reference_id":"GLSA-202101-21","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/202101-21"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:0304","reference_id":"RHSA-2021:0304","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:0304"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:0306","reference_id":"RHSA-2021:0306","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:0306"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:0307","reference_id":"RHSA-2021:0307","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:0307"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:0411","reference_id":"RHSA-2021:0411","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:0411"},{"reference_url":"https://usn.ubuntu.com/4721-1/","reference_id":"USN-4721-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/4721-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/5393?format=json","purl":"pkg:deb/debian/flatpak@1.2.5-0%2Bdeb10u4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5ayq-qemn-v3dz"},{"vulnerability":"VCID-bk2y-f8rc-mqf5"},{"vulnerability":"VCID-m5w9-dagz-afeq"},{"vulnerability":"VCID-reyr-twbr-hqbq"},{"vulnerability":"VCID-rpqr-5dz5-qqam"},{"vulnerability":"VCID-sfux-zkt3-5kb6"},{"vulnerability":"VCID-t2fq-gpj7-yug8"},{"vulnerability":"VCID-vtxy-95t3-r7fa"},{"vulnerability":"VCID-zghw-ev7h-4fdb"}],"resource_url":"http://publi
c2.vulnerablecode.io/packages/pkg:deb/debian/flatpak@1.2.5-0%252Bdeb10u4"},{"url":"http://public2.vulnerablecode.io/api/packages/510774?format=json","purl":"pkg:deb/debian/flatpak@1.10.8-0%2Bdeb11u2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-ryj9-k4ke-p7c3"},{"vulnerability":"VCID-sfux-zkt3-5kb6"},{"vulnerability":"VCID-ubd7-5ghs-6uad"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/flatpak@1.10.8-0%252Bdeb11u2"}],"aliases":["CVE-2021-21261"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-reyr-twbr-hqbq"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/68524?format=json","vulnerability_id":"VCID-rpqr-5dz5-qqam","summary":"Flatpak is a Linux application sandboxing and distribution framework. Prior to versions 1.12.3 and 1.10.6, Flatpak doesn't properly validate that the permissions displayed to the user for an app at install time match the actual permissions granted to the app at runtime, in the case that there's a null byte in the metadata file of an app. Therefore apps can grant themselves permissions without the consent of the user. Flatpak shows permissions to the user during install by reading them from the \"xa.metadata\" key in the commit metadata. This cannot contain a null terminator, because it is an untrusted GVariant. Flatpak compares these permissions to the *actual* metadata, from the \"metadata\" file to ensure it wasn't lied to. However, the actual metadata contents are loaded in several places where they are read as simple C-style strings. That means that, if the metadata file includes a null terminator, only the content of the file from *before* the terminator gets compared to xa.metadata. Thus, any permissions that appear in the metadata file after a null terminator are applied at runtime but not shown to the user. So maliciously crafted apps can give themselves hidden permissions. 
Users who have Flatpaks installed from untrusted sources are at risk in case the Flatpak has a maliciously crafted metadata file, either initially or in an update. This issue is patched in versions 1.12.3 and 1.10.6. As a workaround, users can manually check the permissions of installed apps by checking the metadata file or the xa.metadata key on the commit metadata.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-43860.json","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-43860.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-43860","reference_id":"","reference_type":"","scores":[{"value":"0.00166","scoring_system":"epss","scoring_elements":"0.37337","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00166","scoring_system":"epss","scoring_elements":"0.37428","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00166","scoring_system":"epss","scoring_elements":"0.37433","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00166","scoring_system":"epss","scoring_elements":"0.37401","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00166","scoring_system":"epss","scoring_elements":"0.37362","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00166","scoring_system":"epss","scoring_elements":"0.37375","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-43860"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43860","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43860"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21682","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21682"},{"reference_url":"https://f
tp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2041590","reference_id":"2041590","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2041590"},{"reference_url":"https://security.gentoo.org/glsa/202312-12","reference_id":"GLSA-202312-12","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/202312-12"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:1792","reference_id":"RHSA-2022:1792","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:1792"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/510774?format=json","purl":"pkg:deb/debian/flatpak@1.10.8-0%2Bdeb11u2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-ryj9-k4ke-p7c3"},{"vulnerability":"VCID-sfux-zkt3-5kb6"},{"vulnerability":"VCID-ubd7-5ghs-6uad"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/flatpak@1.10.8-0%252Bdeb11u2"}],"aliases":["CVE-2021-43860"],"risk_score":3.7,"exploitability":"0.5","weighted_severity":"7.4","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-rpqr-5dz5-qqam"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/68533?format=json","vulnerability_id":"VCID-sfux-zkt3-5kb6","summary":"Flatpak is a Linux application sandboxing and distribution framework. Prior to versions 1.14.0 and 1.15.10, a malicious or compromised Flatpak app using persistent directories could access and write files outside of what it would otherwise have access to, which is an attack on integrity and confidentiality.  
When `persistent=subdir` is used in the application permissions (represented as `--persist=subdir` in the command-line interface), that means that an application which otherwise doesn't have access to the real user home directory will see an empty home directory with a writeable subdirectory `subdir`. Behind the scenes, this directory is actually a bind mount and the data is stored in the per-application directory as `~/.var/app/$APPID/subdir`. This allows existing apps that are not aware of the per-application directory to still work as intended without general home directory access.  However, the application does have write access to the application directory `~/.var/app/$APPID` where this directory is stored. If the source directory for the `persistent`/`--persist` option is replaced by a symlink, then the next time the application is started, the bind mount will follow the symlink and mount whatever it points to into the sandbox.  Partial protection against this vulnerability can be provided by patching Flatpak using the patches in commits ceec2ffc and 98f79773. However, this leaves a race condition that could be exploited by two instances of a malicious app running in parallel. Closing the race condition requires updating or patching the version of bubblewrap that is used by Flatpak to add the new `--bind-fd` option using the patch and then patching Flatpak to use it. If Flatpak has been configured at build-time with `-Dsystem_bubblewrap=bwrap` (1.15.x) or `--with-system-bubblewrap=bwrap` (1.14.x or older), or a similar option, then the version of bubblewrap that needs to be patched is a system copy that is distributed separately, typically `/usr/bin/bwrap`. This configuration is the one that is typically used in Linux distributions. 
If Flatpak has been configured at build-time with `-Dsystem_bubblewrap=` (1.15.x) or with `--without-system-bubblewrap` (1.14.x or older), then it is the bundled version of bubblewrap that is included with Flatpak that must be patched. This is typically installed as `/usr/libexec/flatpak-bwrap`. This configuration is the default when building from source code.  For the 1.14.x stable branch, these changes are included in Flatpak 1.14.10. The bundled version of bubblewrap included in this release has been updated to 0.6.3. For the 1.15.x development branch, these changes are included in Flatpak 1.15.10. The bundled version of bubblewrap in this release is a Meson \"wrap\" subproject, which has been updated to 0.10.0. The 1.12.x and 1.10.x branches will not be updated for this vulnerability. Long-term support OS distributions should backport the individual changes into their versions of Flatpak and bubblewrap, or update to newer versions if their stability policy allows it. As a workaround, avoid using applications using the `persistent` (`--persist`) 
permission.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-42472.json","reference_id":"","reference_type":"","scores":[{"value":"7.4","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-42472.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-42472","reference_id":"","reference_type":"","scores":[{"value":"0.06541","scoring_system":"epss","scoring_elements":"0.91316","published_at":"2026-06-09T12:55:00Z"},{"value":"0.06541","scoring_system":"epss","scoring_elements":"0.91308","published_at":"2026-06-06T12:55:00Z"},{"value":"0.06541","scoring_system":"epss","scoring_elements":"0.91305","published_at":"2026-06-07T12:55:00Z"},{"value":"0.06541","scoring_system":"epss","scoring_elements":"0.91301","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-42472"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-42472","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-42472"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1082927","reference_id":"1082927","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1082927"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2305202","reference_id":"2305202","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2305202"},{"reference_url":"https://github.com/flatpak/flatpak/commit/2cdd1e1e5ae90d7c3a4b60ce2e36e4d6
09e44e72","reference_id":"2cdd1e1e5ae90d7c3a4b60ce2e36e4d609e44e72","reference_type":"","scores":[{"value":"10","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-08-15T20:04:27Z/"}],"url":"https://github.com/flatpak/flatpak/commit/2cdd1e1e5ae90d7c3a4b60ce2e36e4d609e44e72"},{"reference_url":"https://github.com/flatpak/flatpak/commit/3caeb16c31a3ed62d744e2aaf01d684f7991051a","reference_id":"3caeb16c31a3ed62d744e2aaf01d684f7991051a","reference_type":"","scores":[{"value":"10","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-08-15T20:04:27Z/"}],"url":"https://github.com/flatpak/flatpak/commit/3caeb16c31a3ed62d744e2aaf01d684f7991051a"},{"reference_url":"https://github.com/containers/bubblewrap/commit/68e75c3091c87583c28a439b45c45627a94d622c","reference_id":"68e75c3091c87583c28a439b45c45627a94d622c","reference_type":"","scores":[{"value":"10","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-08-15T20:04:27Z/"}],"url":"https://github.com/containers/bubblewrap/commit/68e75c3091c87583c28a439b45c45627a94d622c"},{"reference_url":"https://github.com/flatpak/flatpak/commit/6bd603f6836e9b38b9b937d3b78f3fbf36e7ff75","reference_id":"6bd603f6836e9b38b9b937d3b78f3fbf36e7ff75","reference_type":"","scores":[{"value":"10","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-08-15T20:04:27Z/"}],"url":"https://github.com/flatpak/flatpak/commit/6bd603f6836e9b38b9b937d3b78f3fbf36e7ff75"},{"reference_url":"https://github
.com/flatpak/flatpak/commit/7c63e53bb2af0aae9097fd2edfd6a9ba9d453e97","reference_id":"7c63e53bb2af0aae9097fd2edfd6a9ba9d453e97","reference_type":"","scores":[{"value":"10","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-08-15T20:04:27Z/"}],"url":"https://github.com/flatpak/flatpak/commit/7c63e53bb2af0aae9097fd2edfd6a9ba9d453e97"},{"reference_url":"https://github.com/flatpak/flatpak/commit/8a18137d7e80f0575e8defabf677d81e5cc3a788","reference_id":"8a18137d7e80f0575e8defabf677d81e5cc3a788","reference_type":"","scores":[{"value":"10","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-08-15T20:04:27Z/"}],"url":"https://github.com/flatpak/flatpak/commit/8a18137d7e80f0575e8defabf677d81e5cc3a788"},{"reference_url":"https://github.com/containers/bubblewrap/commit/a253257cd298892da43e15201d83f9a02c9b58b5","reference_id":"a253257cd298892da43e15201d83f9a02c9b58b5","reference_type":"","scores":[{"value":"10","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-08-15T20:04:27Z/"}],"url":"https://github.com/containers/bubblewrap/commit/a253257cd298892da43e15201d83f9a02c9b58b5"},{"reference_url":"https://github.com/flatpak/flatpak/commit/db3a785241fda63bf53f0ec12bb519aa5210de19","reference_id":"db3a785241fda63bf53f0ec12bb519aa5210de19","reference_type":"","scores":[{"value":"10","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-08-15T20:04:27Z/"}],"url":"https://github.com/flatpak/flatpak/commit/db3a785241fda63
bf53f0ec12bb519aa5210de19"},{"reference_url":"https://github.com/flatpak/flatpak/security/advisories/GHSA-7hgv-f2j8-xw87","reference_id":"GHSA-7hgv-f2j8-xw87","reference_type":"","scores":[{"value":"10","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-08-15T20:04:27Z/"}],"url":"https://github.com/flatpak/flatpak/security/advisories/GHSA-7hgv-f2j8-xw87"},{"reference_url":"https://security.gentoo.org/glsa/202411-02","reference_id":"GLSA-202411-02","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/202411-02"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:6355","reference_id":"RHSA-2024:6355","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:6355"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:6356","reference_id":"RHSA-2024:6356","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:6356"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:6357","reference_id":"RHSA-2024:6357","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:6357"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:6417","reference_id":"RHSA-2024:6417","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:6417"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:6418","reference_id":"RHSA-2024:6418","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:6418"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:6419","reference_id":"RHSA-2024:6419","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:6419"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:6420","reference_id":"RHSA-2024:6420","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:6420"},{"r
eference_url":"https://access.redhat.com/errata/RHSA-2024:6421","reference_id":"RHSA-2024:6421","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:6421"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:6422","reference_id":"RHSA-2024:6422","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:6422"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:9449","reference_id":"RHSA-2024:9449","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:9449"},{"reference_url":"https://usn.ubuntu.com/7046-1/","reference_id":"USN-7046-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/7046-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/510775?format=json","purl":"pkg:deb/debian/flatpak@1.14.10-1~deb12u2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/flatpak@1.14.10-1~deb12u2"}],"aliases":["CVE-2024-42472"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-sfux-zkt3-5kb6"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/68525?format=json","vulnerability_id":"VCID-t2fq-gpj7-yug8","summary":"Flatpak is a Linux application sandboxing and distribution framework. A path traversal vulnerability affects versions of Flatpak prior to 1.12.3 and 1.10.6. flatpak-builder applies `finish-args` last in the build. At this point the build directory will have the full access that is specified in the manifest, so running `flatpak build` against it will gain those permissions. Normally this will not be done, so this is not a problem. 
However, if `--mirror-screenshots-url` is specified, then flatpak-builder will launch `flatpak build --nofilesystem=host appstream-utils mirror-screenshots` after finalization, which can lead to issues even with the `--nofilesystem=host` protection. In normal use, the only issue is that these empty directories can be created wherever the user has write permissions. However, a malicious application could replace the `appstream-util` binary and potentially do something more hostile. This has been resolved in Flatpak 1.12.3 and 1.10.6 by changing the behaviour of `--nofilesystem=home` and `--nofilesystem=host`.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-21682.json","reference_id":"","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-21682.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-21682","reference_id":"","reference_type":"","scores":[{"value":"0.00335","scoring_system":"epss","scoring_elements":"0.56569","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00335","scoring_system":"epss","scoring_elements":"0.56623","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00335","scoring_system":"epss","scoring_elements":"0.56629","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00335","scoring_system":"epss","scoring_elements":"0.56617","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00335","scoring_system":"epss","scoring_elements":"0.56602","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00335","scoring_system":"epss","scoring_elements":"0.5662","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-21682"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43860","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=C
VE-2021-43860"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21682","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21682"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2041592","reference_id":"2041592","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2041592"},{"reference_url":"https://security.gentoo.org/glsa/202312-12","reference_id":"GLSA-202312-12","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/202312-12"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:7458","reference_id":"RHSA-2022:7458","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:7458"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/510774?format=json","purl":"pkg:deb/debian/flatpak@1.10.8-0%2Bdeb11u2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-ryj9-k4ke-p7c3"},{"vulnerability":"VCID-sfux-zkt3-5kb6"},{"vulnerability":"VCID-ubd7-5ghs-6uad"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/flatpak@1.10.8-0%252Bdeb11u2"}],"aliases":["CVE-2022-21682"],"risk_score":3.5,"exploitability":"0.5","weighted_severity":"6.9","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-t2fq-gpj7-yug8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/68516?format=json","vulnerability_id":"VCID-uaqn-ut5y-tfb9","summary":"In dbus-proxy/flatpak-proxy.c in Flatpak before 0.8.9, and 0.9.x and 0.10.x before 0.10.3, crafted D-Bus messages to the host can be used to break out of the 
sandbox, because whitespace handling in the proxy is not identical to whitespace handling in the daemon.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-6560.json","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-6560.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2018-6560","reference_id":"","reference_type":"","scores":[{"value":"0.00094","scoring_system":"epss","scoring_elements":"0.26112","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00094","scoring_system":"epss","scoring_elements":"0.26216","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00094","scoring_system":"epss","scoring_elements":"0.26208","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00094","scoring_system":"epss","scoring_elements":"0.26162","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00094","scoring_system":"epss","scoring_elements":"0.26106","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00094","scoring_system":"epss","scoring_elements":"0.26113","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2018-6560"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6560","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6560"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1542207","reference_id":"1542207","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1542207"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=888842","reference_id":"888842","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=888842"},{"reference_url":"https://access.redhat.com/errata/RHSA-2018:2766","reference_id":"RHSA-2018:2766","reference_typ
e":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2018:2766"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/5393?format=json","purl":"pkg:deb/debian/flatpak@1.2.5-0%2Bdeb10u4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5ayq-qemn-v3dz"},{"vulnerability":"VCID-bk2y-f8rc-mqf5"},{"vulnerability":"VCID-m5w9-dagz-afeq"},{"vulnerability":"VCID-reyr-twbr-hqbq"},{"vulnerability":"VCID-rpqr-5dz5-qqam"},{"vulnerability":"VCID-sfux-zkt3-5kb6"},{"vulnerability":"VCID-t2fq-gpj7-yug8"},{"vulnerability":"VCID-vtxy-95t3-r7fa"},{"vulnerability":"VCID-zghw-ev7h-4fdb"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/flatpak@1.2.5-0%252Bdeb10u4"}],"aliases":["CVE-2018-6560"],"risk_score":3.0,"exploitability":"0.5","weighted_severity":"5.9","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-uaqn-ut5y-tfb9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/68526?format=json","vulnerability_id":"VCID-vtxy-95t3-r7fa","summary":"Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. Versions prior to 1.10.8, 1.12.8, 1.14.4, and 1.15.4 contain a vulnerability similar to CVE-2017-5226, but using the `TIOCLINUX` ioctl command instead of `TIOCSTI`. If a Flatpak app is run on a Linux virtual console such as `/dev/tty1`, it can copy text from the virtual console and paste it into the command buffer, from which the command might be run after the Flatpak app has exited. Ordinary graphical terminal emulators like xterm, gnome-terminal and Konsole are unaffected. This vulnerability is specific to the Linux virtual consoles `/dev/tty1`, `/dev/tty2` and so on. A patch is available in versions 1.10.8, 1.12.8, 1.14.4, and 1.15.4. As a workaround, don't run Flatpak on a Linux virtual console. 
Flatpak is primarily designed to be used in a Wayland or X11 graphical environment.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-28100.json","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-28100.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-28100","reference_id":"","reference_type":"","scores":[{"value":"0.00698","scoring_system":"epss","scoring_elements":"0.72382","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00698","scoring_system":"epss","scoring_elements":"0.72385","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00698","scoring_system":"epss","scoring_elements":"0.72391","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00698","scoring_system":"epss","scoring_elements":"0.72371","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00698","scoring_system":"epss","scoring_elements":"0.72357","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-28100"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28100","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28100"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033099","reference_id":"1033099","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033099"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2179220","reference_id":"2179220","r
eference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2179220"},{"reference_url":"https://github.com/flatpak/flatpak/commit/8e63de9a7d3124f91140fc74f8ca9ed73ed53be9","reference_id":"8e63de9a7d3124f91140fc74f8ca9ed73ed53be9","reference_type":"","scores":[{"value":"10","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-10-15T16:24:16Z/"}],"url":"https://github.com/flatpak/flatpak/commit/8e63de9a7d3124f91140fc74f8ca9ed73ed53be9"},{"reference_url":"https://github.com/flatpak/flatpak/security/advisories/GHSA-7qpw-3vjv-xrqp","reference_id":"GHSA-7qpw-3vjv-xrqp","reference_type":"","scores":[{"value":"10","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-10-15T16:24:16Z/"}],"url":"https://github.com/flatpak/flatpak/security/advisories/GHSA-7qpw-3vjv-xrqp"},{"reference_url":"https://security.gentoo.org/glsa/202312-12","reference_id":"GLSA-202312-12","reference_type":"","scores":[{"value":"10","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-10-15T16:24:16Z/"}],"url":"https://security.gentoo.org/glsa/202312-12"},{"reference_url":"https://marc.info/?l=oss-security&m=167879021709955&w=2","reference_id":"?l=oss-security&m=167879021709955&w=2","reference_type":"","scores":[{"value":"10","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-10-15T16:24:16Z/"}],"url":"https://marc.info/?l=oss-security&m=167879021709955&w=2"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:
6518","reference_id":"RHSA-2023:6518","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:6518"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:7038","reference_id":"RHSA-2023:7038","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:7038"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/510774?format=json","purl":"pkg:deb/debian/flatpak@1.10.8-0%2Bdeb11u2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-ryj9-k4ke-p7c3"},{"vulnerability":"VCID-sfux-zkt3-5kb6"},{"vulnerability":"VCID-ubd7-5ghs-6uad"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/flatpak@1.10.8-0%252Bdeb11u2"}],"aliases":["CVE-2023-28100"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-vtxy-95t3-r7fa"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/68527?format=json","vulnerability_id":"VCID-zghw-ev7h-4fdb","summary":"Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. In versions prior to 1.10.8, 1.12.8, 1.14.4, and 1.15.4, if an attacker publishes a Flatpak app with elevated permissions, they can hide those permissions from users of the `flatpak(1)` command-line interface by setting other permissions to crafted values that contain non-printable control characters such as `ESC`. A fix is available in versions 1.10.8, 1.12.8, 1.14.4, and 1.15.4. 
As a workaround, use a GUI like GNOME Software rather than the command-line interface, or only install apps whose maintainers you trust.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-28101.json","reference_id":"","reference_type":"","scores":[{"value":"6.2","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-28101.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-28101","reference_id":"","reference_type":"","scores":[{"value":"0.00244","scoring_system":"epss","scoring_elements":"0.47828","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00244","scoring_system":"epss","scoring_elements":"0.4786","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00244","scoring_system":"epss","scoring_elements":"0.47863","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00244","scoring_system":"epss","scoring_elements":"0.47846","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00244","scoring_system":"epss","scoring_elements":"0.47817","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-28101"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28101","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28101"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033098","reference_id":"1033098","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033098"},{"reference_url":"https://bugzilla.redhat.com/
show_bug.cgi?id=2179219","reference_id":"2179219","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2179219"},{"reference_url":"https://github.com/flatpak/flatpak/commit/409e34187de2b2b2c4ef34c79f417be698830f6c","reference_id":"409e34187de2b2b2c4ef34c79f417be698830f6c","reference_type":"","scores":[{"value":"5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-25T14:29:25Z/"}],"url":"https://github.com/flatpak/flatpak/commit/409e34187de2b2b2c4ef34c79f417be698830f6c"},{"reference_url":"https://github.com/flatpak/flatpak/commit/6cac99dafe6003c8a4bd5666341c217876536869","reference_id":"6cac99dafe6003c8a4bd5666341c217876536869","reference_type":"","scores":[{"value":"5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-25T14:29:25Z/"}],"url":"https://github.com/flatpak/flatpak/commit/6cac99dafe6003c8a4bd5666341c217876536869"},{"reference_url":"https://github.com/flatpak/flatpak/commit/7fe63f2e8f1fd2dafc31d45154cf0b191ebec66c","reference_id":"7fe63f2e8f1fd2dafc31d45154cf0b191ebec66c","reference_type":"","scores":[{"value":"5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-25T14:29:25Z/"}],"url":"https://github.com/flatpak/flatpak/commit/7fe63f2e8f1fd2dafc31d45154cf0b191ebec66c"},{"reference_url":"https://github.com/flatpak/flatpak/security/advisories/GHSA-h43h-fwqx-mpp8","reference_id":"GHSA-h43h-fwqx-mpp8","reference_type":"","scores":[{"value":"5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_eleme
nts":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-25T14:29:25Z/"}],"url":"https://github.com/flatpak/flatpak/security/advisories/GHSA-h43h-fwqx-mpp8"},{"reference_url":"https://security.gentoo.org/glsa/202312-12","reference_id":"GLSA-202312-12","reference_type":"","scores":[{"value":"5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-25T14:29:25Z/"}],"url":"https://security.gentoo.org/glsa/202312-12"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:6518","reference_id":"RHSA-2023:6518","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:6518"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:7038","reference_id":"RHSA-2023:7038","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:7038"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/510774?format=json","purl":"pkg:deb/debian/flatpak@1.10.8-0%2Bdeb11u2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-ryj9-k4ke-p7c3"},{"vulnerability":"VCID-sfux-zkt3-5kb6"},{"vulnerability":"VCID-ubd7-5ghs-6uad"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/flatpak@1.10.8-0%252Bdeb11u2"}],"aliases":["CVE-2023-28101"],"risk_score":2.8,"exploitability":"0.5","weighted_severity":"5.6","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-zghw-ev7h-4fdb"}],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/68521?format=json","vulnerability_id":"VCID-kzaz-c8d9-zqe6","summary":"Flatpak before 1.0.7, and 1.1.x and 1.2.x before 1.2.3, exposes /proc in the apply_extra script sandbox, which allows attackers to modify a host-side executable 
file.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-8308.json","reference_id":"","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-8308.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2019-8308","reference_id":"","reference_type":"","scores":[{"value":"0.00064","scoring_system":"epss","scoring_elements":"0.201","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00064","scoring_system":"epss","scoring_elements":"0.20176","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00064","scoring_system":"epss","scoring_elements":"0.20168","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00064","scoring_system":"epss","scoring_elements":"0.20128","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00064","scoring_system":"epss","scoring_elements":"0.20062","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00064","scoring_system":"epss","scoring_elements":"0.2008","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2019-8308"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8308","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8308"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1675070","reference_id":"1675070","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1675070"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=922059","reference_i
d":"922059","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=922059"},{"reference_url":"https://access.redhat.com/errata/RHSA-2019:0375","reference_id":"RHSA-2019:0375","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2019:0375"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/5392?format=json","purl":"pkg:deb/debian/flatpak@0.8.9-0%2Bdeb9u3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-199n-5zq2-huay"},{"vulnerability":"VCID-5ayq-qemn-v3dz"},{"vulnerability":"VCID-bk2y-f8rc-mqf5"},{"vulnerability":"VCID-d8pc-mnf9-k7a8"},{"vulnerability":"VCID-kzaz-c8d9-zqe6"},{"vulnerability":"VCID-m5w9-dagz-afeq"},{"vulnerability":"VCID-reyr-twbr-hqbq"},{"vulnerability":"VCID-rpqr-5dz5-qqam"},{"vulnerability":"VCID-sfux-zkt3-5kb6"},{"vulnerability":"VCID-t2fq-gpj7-yug8"},{"vulnerability":"VCID-uaqn-ut5y-tfb9"},{"vulnerability":"VCID-vtxy-95t3-r7fa"},{"vulnerability":"VCID-zghw-ev7h-4fdb"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/flatpak@0.8.9-0%252Bdeb9u3"},{"url":"http://public2.vulnerablecode.io/api/packages/5393?format=json","purl":"pkg:deb/debian/flatpak@1.2.5-0%2Bdeb10u4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5ayq-qemn-v3dz"},{"vulnerability":"VCID-bk2y-f8rc-mqf5"},{"vulnerability":"VCID-m5w9-dagz-afeq"},{"vulnerability":"VCID-reyr-twbr-hqbq"},{"vulnerability":"VCID-rpqr-5dz5-qqam"},{"vulnerability":"VCID-sfux-zkt3-5kb6"},{"vulnerability":"VCID-t2fq-gpj7-yug8"},{"vulnerability":"VCID-vtxy-95t3-r7fa"},{"vulnerability":"VCID-zghw-ev7h-4fdb"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/flatpak@1.2.5-0%252Bdeb10u4"}],"aliases":["CVE-2019-8308"],"risk_score":3.5,"exploitability":"0.5","weighted_severity":"6.9","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-kzaz-c8d9-zqe6"}],"risk_score":"4.5","resource_url":"http://public2.vulnerablecode.i
o/packages/pkg:deb/debian/flatpak@0.8.9-0%252Bdeb9u3"}