csaf_redhat - rhsa-2024

rhsa-2024_3963

Vulnerability from csaf_redhat

Published

2024-06-17 16:20

Modified

2024-11-24 17:01

Summary

Red Hat Security Advisory: flatpak security update

Notes

Topic

An update for flatpak is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Telecommunications Update Service, and Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Details

Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. Security Fix(es): * flatpak: sandbox escape via RequestBackground portal (CVE-2024-32462) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer the CVE page(s) listed in the References section.

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "An update for flatpak is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Telecommunications Update Service, and Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux.\n\nSecurity Fix(es):\n\n* flatpak: sandbox escape via RequestBackground portal (CVE-2024-32462)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer the CVE page(s) listed in the References section.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2024:3963",
        "url": "https://access.redhat.com/errata/RHSA-2024:3963"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#important",
        "url": "https://access.redhat.com/security/updates/classification/#important"
      },
      {
        "category": "external",
        "summary": "2275981",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2275981"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_3963.json"
      }
    ],
    "title": "Red Hat Security Advisory: flatpak security update",
    "tracking": {
      "current_release_date": "2024-11-24T17:01:48+00:00",
      "generator": {
        "date": "2024-11-24T17:01:48+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.2.1"
        }
      },
      "id": "RHSA-2024:3963",
      "initial_release_date": "2024-06-17T16:20:21+00:00",
      "revision_history": [
        {
          "date": "2024-06-17T16:20:21+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2024-06-17T16:20:21+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2024-11-24T17:01:48+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat Enterprise Linux AppStream AUS (v.8.4)",
                "product": {
                  "name": "Red Hat Enterprise Linux AppStream AUS (v.8.4)",
                  "product_id": "AppStream-8.4.0.Z.AUS",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:rhel_aus:8.4::appstream"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Red Hat Enterprise Linux AppStream TUS (v.8.4)",
                "product": {
                  "name": "Red Hat Enterprise Linux AppStream TUS (v.8.4)",
                  "product_id": "AppStream-8.4.0.Z.TUS",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:rhel_tus:8.4::appstream"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Red Hat Enterprise Linux AppStream E4S (v.8.4)",
                "product": {
                  "name": "Red Hat Enterprise Linux AppStream E4S (v.8.4)",
                  "product_id": "AppStream-8.4.0.Z.E4S",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:rhel_e4s:8.4::appstream"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat Enterprise Linux"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "flatpak-0:1.8.5-5.el8_4.src",
                "product": {
                  "name": "flatpak-0:1.8.5-5.el8_4.src",
                  "product_id": "flatpak-0:1.8.5-5.el8_4.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/flatpak@1.8.5-5.el8_4?arch=src"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "src"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "flatpak-0:1.8.5-5.el8_4.x86_64",
                "product": {
                  "name": "flatpak-0:1.8.5-5.el8_4.x86_64",
                  "product_id": "flatpak-0:1.8.5-5.el8_4.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/flatpak@1.8.5-5.el8_4?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "flatpak-libs-0:1.8.5-5.el8_4.x86_64",
                "product": {
                  "name": "flatpak-libs-0:1.8.5-5.el8_4.x86_64",
                  "product_id": "flatpak-libs-0:1.8.5-5.el8_4.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/flatpak-libs@1.8.5-5.el8_4?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "flatpak-session-helper-0:1.8.5-5.el8_4.x86_64",
                "product": {
                  "name": "flatpak-session-helper-0:1.8.5-5.el8_4.x86_64",
                  "product_id": "flatpak-session-helper-0:1.8.5-5.el8_4.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/flatpak-session-helper@1.8.5-5.el8_4?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "flatpak-debugsource-0:1.8.5-5.el8_4.x86_64",
                "product": {
                  "name": "flatpak-debugsource-0:1.8.5-5.el8_4.x86_64",
                  "product_id": "flatpak-debugsource-0:1.8.5-5.el8_4.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/flatpak-debugsource@1.8.5-5.el8_4?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "flatpak-debuginfo-0:1.8.5-5.el8_4.x86_64",
                "product": {
                  "name": "flatpak-debuginfo-0:1.8.5-5.el8_4.x86_64",
                  "product_id": "flatpak-debuginfo-0:1.8.5-5.el8_4.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/flatpak-debuginfo@1.8.5-5.el8_4?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "flatpak-libs-debuginfo-0:1.8.5-5.el8_4.x86_64",
                "product": {
                  "name": "flatpak-libs-debuginfo-0:1.8.5-5.el8_4.x86_64",
                  "product_id": "flatpak-libs-debuginfo-0:1.8.5-5.el8_4.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/flatpak-libs-debuginfo@1.8.5-5.el8_4?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "flatpak-session-helper-debuginfo-0:1.8.5-5.el8_4.x86_64",
                "product": {
                  "name": "flatpak-session-helper-debuginfo-0:1.8.5-5.el8_4.x86_64",
                  "product_id": "flatpak-session-helper-debuginfo-0:1.8.5-5.el8_4.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/flatpak-session-helper-debuginfo@1.8.5-5.el8_4?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "flatpak-tests-debuginfo-0:1.8.5-5.el8_4.x86_64",
                "product": {
                  "name": "flatpak-tests-debuginfo-0:1.8.5-5.el8_4.x86_64",
                  "product_id": "flatpak-tests-debuginfo-0:1.8.5-5.el8_4.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/flatpak-tests-debuginfo@1.8.5-5.el8_4?arch=x86_64"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "flatpak-libs-0:1.8.5-5.el8_4.i686",
                "product": {
                  "name": "flatpak-libs-0:1.8.5-5.el8_4.i686",
                  "product_id": "flatpak-libs-0:1.8.5-5.el8_4.i686",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/flatpak-libs@1.8.5-5.el8_4?arch=i686"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "flatpak-debugsource-0:1.8.5-5.el8_4.i686",
                "product": {
                  "name": "flatpak-debugsource-0:1.8.5-5.el8_4.i686",
                  "product_id": "flatpak-debugsource-0:1.8.5-5.el8_4.i686",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/flatpak-debugsource@1.8.5-5.el8_4?arch=i686"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "flatpak-debuginfo-0:1.8.5-5.el8_4.i686",
                "product": {
                  "name": "flatpak-debuginfo-0:1.8.5-5.el8_4.i686",
                  "product_id": "flatpak-debuginfo-0:1.8.5-5.el8_4.i686",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/flatpak-debuginfo@1.8.5-5.el8_4?arch=i686"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "flatpak-libs-debuginfo-0:1.8.5-5.el8_4.i686",
                "product": {
                  "name": "flatpak-libs-debuginfo-0:1.8.5-5.el8_4.i686",
                  "product_id": "flatpak-libs-debuginfo-0:1.8.5-5.el8_4.i686",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/flatpak-libs-debuginfo@1.8.5-5.el8_4?arch=i686"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "flatpak-session-helper-debuginfo-0:1.8.5-5.el8_4.i686",
                "product": {
                  "name": "flatpak-session-helper-debuginfo-0:1.8.5-5.el8_4.i686",
                  "product_id": "flatpak-session-helper-debuginfo-0:1.8.5-5.el8_4.i686",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/flatpak-session-helper-debuginfo@1.8.5-5.el8_4?arch=i686"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "flatpak-tests-debuginfo-0:1.8.5-5.el8_4.i686",
                "product": {
                  "name": "flatpak-tests-debuginfo-0:1.8.5-5.el8_4.i686",
                  "product_id": "flatpak-tests-debuginfo-0:1.8.5-5.el8_4.i686",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/flatpak-tests-debuginfo@1.8.5-5.el8_4?arch=i686"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "i686"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "flatpak-selinux-0:1.8.5-5.el8_4.noarch",
                "product": {
                  "name": "flatpak-selinux-0:1.8.5-5.el8_4.noarch",
                  "product_id": "flatpak-selinux-0:1.8.5-5.el8_4.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/flatpak-selinux@1.8.5-5.el8_4?arch=noarch"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "flatpak-0:1.8.5-5.el8_4.ppc64le",
                "product": {
                  "name": "flatpak-0:1.8.5-5.el8_4.ppc64le",
                  "product_id": "flatpak-0:1.8.5-5.el8_4.ppc64le",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/flatpak@1.8.5-5.el8_4?arch=ppc64le"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "flatpak-libs-0:1.8.5-5.el8_4.ppc64le",
                "product": {
                  "name": "flatpak-libs-0:1.8.5-5.el8_4.ppc64le",
                  "product_id": "flatpak-libs-0:1.8.5-5.el8_4.ppc64le",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/flatpak-libs@1.8.5-5.el8_4?arch=ppc64le"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "flatpak-session-helper-0:1.8.5-5.el8_4.ppc64le",
                "product": {
                  "name": "flatpak-session-helper-0:1.8.5-5.el8_4.ppc64le",
                  "product_id": "flatpak-session-helper-0:1.8.5-5.el8_4.ppc64le",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/flatpak-session-helper@1.8.5-5.el8_4?arch=ppc64le"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "flatpak-debugsource-0:1.8.5-5.el8_4.ppc64le",
                "product": {
                  "name": "flatpak-debugsource-0:1.8.5-5.el8_4.ppc64le",
                  "product_id": "flatpak-debugsource-0:1.8.5-5.el8_4.ppc64le",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/flatpak-debugsource@1.8.5-5.el8_4?arch=ppc64le"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "flatpak-debuginfo-0:1.8.5-5.el8_4.ppc64le",
                "product": {
                  "name": "flatpak-debuginfo-0:1.8.5-5.el8_4.ppc64le",
                  "product_id": "flatpak-debuginfo-0:1.8.5-5.el8_4.ppc64le",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/flatpak-debuginfo@1.8.5-5.el8_4?arch=ppc64le"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "flatpak-libs-debuginfo-0:1.8.5-5.el8_4.ppc64le",
                "product": {
                  "name": "flatpak-libs-debuginfo-0:1.8.5-5.el8_4.ppc64le",
                  "product_id": "flatpak-libs-debuginfo-0:1.8.5-5.el8_4.ppc64le",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/flatpak-libs-debuginfo@1.8.5-5.el8_4?arch=ppc64le"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "flatpak-session-helper-debuginfo-0:1.8.5-5.el8_4.ppc64le",
                "product": {
                  "name": "flatpak-session-helper-debuginfo-0:1.8.5-5.el8_4.ppc64le",
                  "product_id": "flatpak-session-helper-debuginfo-0:1.8.5-5.el8_4.ppc64le",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/flatpak-session-helper-debuginfo@1.8.5-5.el8_4?arch=ppc64le"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "flatpak-tests-debuginfo-0:1.8.5-5.el8_4.ppc64le",
                "product": {
                  "name": "flatpak-tests-debuginfo-0:1.8.5-5.el8_4.ppc64le",
                  "product_id": "flatpak-tests-debuginfo-0:1.8.5-5.el8_4.ppc64le",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/flatpak-tests-debuginfo@1.8.5-5.el8_4?arch=ppc64le"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "flatpak-0:1.8.5-5.el8_4.src as a component of Red Hat Enterprise Linux AppStream AUS (v.8.4)",
          "product_id": "AppStream-8.4.0.Z.AUS:flatpak-0:1.8.5-5.el8_4.src"
        },
        "product_reference": "flatpak-0:1.8.5-5.el8_4.src",
        "relates_to_product_reference": "AppStream-8.4.0.Z.AUS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "flatpak-0:1.8.5-5.el8_4.x86_64 as a component of Red Hat Enterprise Linux AppStream AUS (v.8.4)",
          "product_id": "AppStream-8.4.0.Z.AUS:flatpak-0:1.8.5-5.el8_4.x86_64"
        },
        "product_reference": "flatpak-0:1.8.5-5.el8_4.x86_64",
        "relates_to_product_reference": "AppStream-8.4.0.Z.AUS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "flatpak-debuginfo-0:1.8.5-5.el8_4.i686 as a component of Red Hat Enterprise Linux AppStream AUS (v.8.4)",
          "product_id": "AppStream-8.4.0.Z.AUS:flatpak-debuginfo-0:1.8.5-5.el8_4.i686"
        },
        "product_reference": "flatpak-debuginfo-0:1.8.5-5.el8_4.i686",
        "relates_to_product_reference": "AppStream-8.4.0.Z.AUS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "flatpak-debuginfo-0:1.8.5-5.el8_4.x86_64 as a component of Red Hat Enterprise Linux AppStream AUS (v.8.4)",
          "product_id": "AppStream-8.4.0.Z.AUS:flatpak-debuginfo-0:1.8.5-5.el8_4.x86_64"
        },
        "product_reference": "flatpak-debuginfo-0:1.8.5-5.el8_4.x86_64",
        "relates_to_product_reference": "AppStream-8.4.0.Z.AUS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "flatpak-debugsource-0:1.8.5-5.el8_4.i686 as a component of Red Hat Enterprise Linux AppStream AUS (v.8.4)",
          "product_id": "AppStream-8.4.0.Z.AUS:flatpak-debugsource-0:1.8.5-5.el8_4.i686"
        },
        "product_reference": "flatpak-debugsource-0:1.8.5-5.el8_4.i686",
        "relates_to_product_reference": "AppStream-8.4.0.Z.AUS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "flatpak-debugsource-0:1.8.5-5.el8_4.x86_64 as a component of Red Hat Enterprise Linux AppStream AUS (v.8.4)",
          "product_id": "AppStream-8.4.0.Z.AUS:flatpak-debugsource-0:1.8.5-5.el8_4.x86_64"
        },
        "product_reference": "flatpak-debugsource-0:1.8.5-5.el8_4.x86_64",
        "relates_to_product_reference": "AppStream-8.4.0.Z.AUS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "flatpak-libs-0:1.8.5-5.el8_4.i686 as a component of Red Hat Enterprise Linux AppStream AUS (v.8.4)",
          "product_id": "AppStream-8.4.0.Z.AUS:flatpak-libs-0:1.8.5-5.el8_4.i686"
        },
        "product_reference": "flatpak-libs-0:1.8.5-5.el8_4.i686",
        "relates_to_product_reference": "AppStream-8.4.0.Z.AUS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "flatpak-libs-0:1.8.5-5.el8_4.x86_64 as a component of Red Hat Enterprise Linux AppStream AUS (v.8.4)",
          "product_id": "AppStream-8.4.0.Z.AUS:flatpak-libs-0:1.8.5-5.el8_4.x86_64"
        },
        "product_reference": "flatpak-libs-0:1.8.5-5.el8_4.x86_64",
        "relates_to_product_reference": "AppStream-8.4.0.Z.AUS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "flatpak-libs-debuginfo-0:1.8.5-5.el8_4.i686 as a component of Red Hat Enterprise Linux AppStream AUS (v.8.4)",
          "product_id": "AppStream-8.4.0.Z.AUS:flatpak-libs-debuginfo-0:1.8.5-5.el8_4.i686"
        },
        "product_reference": "flatpak-libs-debuginfo-0:1.8.5-5.el8_4.i686",
        "relates_to_product_reference": "AppStream-8.4.0.Z.AUS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "flatpak-libs-debuginfo-0:1.8.5-5.el8_4.x86_64 as a component of Red Hat Enterprise Linux AppStream AUS (v.8.4)",
          "product_id": "AppStream-8.4.0.Z.AUS:flatpak-libs-debuginfo-0:1.8.5-5.el8_4.x86_64"
        },
        "product_reference": "flatpak-libs-debuginfo-0:1.8.5-5.el8_4.x86_64",
        "relates_to_product_reference": "AppStream-8.4.0.Z.AUS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "flatpak-selinux-0:1.8.5-5.el8_4.noarch as a component of Red Hat Enterprise Linux AppStream AUS (v.8.4)",
          "product_id": "AppStream-8.4.0.Z.AUS:flatpak-selinux-0:1.8.5-5.el8_4.noarch"
        },
        "product_reference": "flatpak-selinux-0:1.8.5-5.el8_4.noarch",
        "relates_to_product_reference": "AppStream-8.4.0.Z.AUS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "flatpak-session-helper-0:1.8.5-5.el8_4.x86_64 as a component of Red Hat Enterprise Linux AppStream AUS (v.8.4)",
          "product_id": "AppStream-8.4.0.Z.AUS:flatpak-session-helper-0:1.8.5-5.el8_4.x86_64"
        },
        "product_reference": "flatpak-session-helper-0:1.8.5-5.el8_4.x86_64",
        "relates_to_product_reference": "AppStream-8.4.0.Z.AUS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "flatpak-session-helper-debuginfo-0:1.8.5-5.el8_4.i686 as a component of Red Hat Enterprise Linux AppStream AUS (v.8.4)",
          "product_id": "AppStream-8.4.0.Z.AUS:flatpak-session-helper-debuginfo-0:1.8.5-5.el8_4.i686"
        },
        "product_reference": "flatpak-session-helper-debuginfo-0:1.8.5-5.el8_4.i686",
        "relates_to_product_reference": "AppStream-8.4.0.Z.AUS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "flatpak-session-helper-debuginfo-0:1.8.5-5.el8_4.x86_64 as a component of Red Hat Enterprise Linux AppStream AUS (v.8.4)",
          "product_id": "AppStream-8.4.0.Z.AUS:flatpak-session-helper-debuginfo-0:1.8.5-5.el8_4.x86_64"
        },
        "product_reference": "flatpak-session-helper-debuginfo-0:1.8.5-5.el8_4.x86_64",
        "relates_to_product_reference": "AppStream-8.4.0.Z.AUS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "flatpak-tests-debuginfo-0:1.8.5-5.el8_4.i686 as a component of Red Hat Enterprise Linux AppStream AUS (v.8.4)",
          "product_id": "AppStream-8.4.0.Z.AUS:flatpak-tests-debuginfo-0:1.8.5-5.el8_4.i686"
        },
        "product_reference": "flatpak-tests-debuginfo-0:1.8.5-5.el8_4.i686",
        "relates_to_product_reference": "AppStream-8.4.0.Z.AUS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "flatpak-tests-debuginfo-0:1.8.5-5.el8_4.x86_64 as a component of Red Hat Enterprise Linux AppStream AUS (v.8.4)",
          "product_id": "AppStream-8.4.0.Z.AUS:flatpak-tests-debuginfo-0:1.8.5-5.el8_4.x86_64"
        },
        "product_reference": "flatpak-tests-debuginfo-0:1.8.5-5.el8_4.x86_64",
        "relates_to_product_reference": "AppStream-8.4.0.Z.AUS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "flatpak-0:1.8.5-5.el8_4.ppc64le as a component of Red Hat Enterprise Linux AppStream E4S (v.8.4)",
          "product_id": "AppStream-8.4.0.Z.E4S:flatpak-0:1.8.5-5.el8_4.ppc64le"
        },
        "product_reference": "flatpak-0:1.8.5-5.el8_4.ppc64le",
        "relates_to_product_reference": "AppStream-8.4.0.Z.E4S"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "flatpak-0:1.8.5-5.el8_4.src as a component of Red Hat Enterprise Linux AppStream E4S (v.8.4)",
          "product_id": "AppStream-8.4.0.Z.E4S:flatpak-0:1.8.5-5.el8_4.src"
        },
        "product_reference": "flatpak-0:1.8.5-5.el8_4.src",
        "relates_to_product_reference": "AppStream-8.4.0.Z.E4S"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "flatpak-0:1.8.5-5.el8_4.x86_64 as a component of Red Hat Enterprise Linux AppStream E4S (v.8.4)",
          "product_id": "AppStream-8.4.0.Z.E4S:flatpak-0:1.8.5-5.el8_4.x86_64"
        },
        "product_reference": "flatpak-0:1.8.5-5.el8_4.x86_64",
        "relates_to_product_reference": "AppStream-8.4.0.Z.E4S"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "flatpak-debuginfo-0:1.8.5-5.el8_4.i686 as a component of Red Hat Enterprise Linux AppStream E4S (v.8.4)",
          "product_id": "AppStream-8.4.0.Z.E4S:flatpak-debuginfo-0:1.8.5-5.el8_4.i686"
        },
        "product_reference": "flatpak-debuginfo-0:1.8.5-5.el8_4.i686",
        "relates_to_product_reference": "AppStream-8.4.0.Z.E4S"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "flatpak-debuginfo-0:1.8.5-5.el8_4.ppc64le as a component of Red Hat Enterprise Linux AppStream E4S (v.8.4)",
          "product_id": "AppStream-8.4.0.Z.E4S:flatpak-debuginfo-0:1.8.5-5.el8_4.ppc64le"
        },
        "product_reference": "flatpak-debuginfo-0:1.8.5-5.el8_4.ppc64le",
        "relates_to_product_reference": "AppStream-8.4.0.Z.E4S"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "flatpak-debuginfo-0:1.8.5-5.el8_4.x86_64 as a component of Red Hat Enterprise Linux AppStream E4S (v.8.4)",
          "product_id": "AppStream-8.4.0.Z.E4S:flatpak-debuginfo-0:1.8.5-5.el8_4.x86_64"
        },
        "product_reference": "flatpak-debuginfo-0:1.8.5-5.el8_4.x86_64",
        "relates_to_product_reference": "AppStream-8.4.0.Z.E4S"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "flatpak-debugsource-0:1.8.5-5.el8_4.i686 as a component of Red Hat Enterprise Linux AppStream E4S (v.8.4)",
          "product_id": "AppStream-8.4.0.Z.E4S:flatpak-debugsource-0:1.8.5-5.el8_4.i686"
        },
        "product_reference": "flatpak-debugsource-0:1.8.5-5.el8_4.i686",
        "relates_to_product_reference": "AppStream-8.4.0.Z.E4S"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "flatpak-debugsource-0:1.8.5-5.el8_4.ppc64le as a component of Red Hat Enterprise Linux AppStream E4S (v.8.4)",
          "product_id": "AppStream-8.4.0.Z.E4S:flatpak-debugsource-0:1.8.5-5.el8_4.ppc64le"
        },
        "product_reference": "flatpak-debugsource-0:1.8.5-5.el8_4.ppc64le",
        "relates_to_product_reference": "AppStream-8.4.0.Z.E4S"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "flatpak-debugsource-0:1.8.5-5.el8_4.x86_64 as a component of Red Hat Enterprise Linux AppStream E4S (v.8.4)",
          "product_id": "AppStream-8.4.0.Z.E4S:flatpak-debugsource-0:1.8.5-5.el8_4.x86_64"
        },
        "product_reference": "flatpak-debugsource-0:1.8.5-5.el8_4.x86_64",
        "relates_to_product_reference": "AppStream-8.4.0.Z.E4S"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "flatpak-libs-0:1.8.5-5.el8_4.i686 as a component of Red Hat Enterprise Linux AppStream E4S (v.8.4)",
          "product_id": "AppStream-8.4.0.Z.E4S:flatpak-libs-0:1.8.5-5.el8_4.i686"
        },
        "product_reference": "flatpak-libs-0:1.8.5-5.el8_4.i686",
        "relates_to_product_reference": "AppStream-8.4.0.Z.E4S"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "flatpak-libs-0:1.8.5-5.el8_4.ppc64le as a component of Red Hat Enterprise Linux AppStream E4S (v.8.4)",
          "product_id": "AppStream-8.4.0.Z.E4S:flatpak-libs-0:1.8.5-5.el8_4.ppc64le"
        },
        "product_reference": "flatpak-libs-0:1.8.5-5.el8_4.ppc64le",
        "relates_to_product_reference": "AppStream-8.4.0.Z.E4S"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "flatpak-libs-0:1.8.5-5.el8_4.x86_64 as a component of Red Hat Enterprise Linux AppStream E4S (v.8.4)",
          "product_id": "AppStream-8.4.0.Z.E4S:flatpak-libs-0:1.8.5-5.el8_4.x86_64"
        },
        "product_reference": "flatpak-libs-0:1.8.5-5.el8_4.x86_64",
        "relates_to_product_reference": "AppStream-8.4.0.Z.E4S"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "flatpak-libs-debuginfo-0:1.8.5-5.el8_4.i686 as a component of Red Hat Enterprise Linux AppStream E4S (v.8.4)",
          "product_id": "AppStream-8.4.0.Z.E4S:flatpak-libs-debuginfo-0:1.8.5-5.el8_4.i686"
        },
        "product_reference": "flatpak-libs-debuginfo-0:1.8.5-5.el8_4.i686",
        "relates_to_product_reference": "AppStream-8.4.0.Z.E4S"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "flatpak-libs-debuginfo-0:1.8.5-5.el8_4.ppc64le as a component of Red Hat Enterprise Linux AppStream E4S (v.8.4)",
          "product_id": "AppStream-8.4.0.Z.E4S:flatpak-libs-debuginfo-0:1.8.5-5.el8_4.ppc64le"
        },
        "product_reference": "flatpak-libs-debuginfo-0:1.8.5-5.el8_4.ppc64le",
        "relates_to_product_reference": "AppStream-8.4.0.Z.E4S"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "flatpak-libs-debuginfo-0:1.8.5-5.el8_4.x86_64 as a component of Red Hat Enterprise Linux AppStream E4S (v.8.4)",
          "product_id": "AppStream-8.4.0.Z.E4S:flatpak-libs-debuginfo-0:1.8.5-5.el8_4.x86_64"
        },
        "product_reference": "flatpak-libs-debuginfo-0:1.8.5-5.el8_4.x86_64",
        "relates_to_product_reference": "AppStream-8.4.0.Z.E4S"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "flatpak-selinux-0:1.8.5-5.el8_4.noarch as a component of Red Hat Enterprise Linux AppStream E4S (v.8.4)",
          "product_id": "AppStream-8.4.0.Z.E4S:flatpak-selinux-0:1.8.5-5.el8_4.noarch"
        },
        "product_reference": "flatpak-selinux-0:1.8.5-5.el8_4.noarch",
        "relates_to_product_reference": "AppStream-8.4.0.Z.E4S"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "flatpak-session-helper-0:1.8.5-5.el8_4.ppc64le as a component of Red Hat Enterprise Linux AppStream E4S (v.8.4)",
          "product_id": "AppStream-8.4.0.Z.E4S:flatpak-session-helper-0:1.8.5-5.el8_4.ppc64le"
        },
        "product_reference": "flatpak-session-helper-0:1.8.5-5.el8_4.ppc64le",
        "relates_to_product_reference": "AppStream-8.4.0.Z.E4S"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "flatpak-session-helper-0:1.8.5-5.el8_4.x86_64 as a component of Red Hat Enterprise Linux AppStream E4S (v.8.4)",
          "product_id": "AppStream-8.4.0.Z.E4S:flatpak-session-helper-0:1.8.5-5.el8_4.x86_64"
        },
        "product_reference": "flatpak-session-helper-0:1.8.5-5.el8_4.x86_64",
        "relates_to_product_reference": "AppStream-8.4.0.Z.E4S"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "flatpak-session-helper-debuginfo-0:1.8.5-5.el8_4.i686 as a component of Red Hat Enterprise Linux AppStream E4S (v.8.4)",
          "product_id": "AppStream-8.4.0.Z.E4S:flatpak-session-helper-debuginfo-0:1.8.5-5.el8_4.i686"
        },
        "product_reference": "flatpak-session-helper-debuginfo-0:1.8.5-5.el8_4.i686",
        "relates_to_product_reference": "AppStream-8.4.0.Z.E4S"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "flatpak-session-helper-debuginfo-0:1.8.5-5.el8_4.ppc64le as a component of Red Hat Enterprise Linux AppStream E4S (v.8.4)",
          "product_id": "AppStream-8.4.0.Z.E4S:flatpak-session-helper-debuginfo-0:1.8.5-5.el8_4.ppc64le"
        },
        "product_reference": "flatpak-session-helper-debuginfo-0:1.8.5-5.el8_4.ppc64le",
        "relates_to_product_reference": "AppStream-8.4.0.Z.E4S"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "flatpak-session-helper-debuginfo-0:1.8.5-5.el8_4.x86_64 as a component of Red Hat Enterprise Linux AppStream E4S (v.8.4)",
          "product_id": "AppStream-8.4.0.Z.E4S:flatpak-session-helper-debuginfo-0:1.8.5-5.el8_4.x86_64"
        },
        "product_reference": "flatpak-session-helper-debuginfo-0:1.8.5-5.el8_4.x86_64",
        "relates_to_product_reference": "AppStream-8.4.0.Z.E4S"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "flatpak-tests-debuginfo-0:1.8.5-5.el8_4.i686 as a component of Red Hat Enterprise Linux AppStream E4S (v.8.4)",
          "product_id": "AppStream-8.4.0.Z.E4S:flatpak-tests-debuginfo-0:1.8.5-5.el8_4.i686"
        },
        "product_reference": "flatpak-tests-debuginfo-0:1.8.5-5.el8_4.i686",
        "relates_to_product_reference": "AppStream-8.4.0.Z.E4S"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "flatpak-tests-debuginfo-0:1.8.5-5.el8_4.ppc64le as a component of Red Hat Enterprise Linux AppStream E4S (v.8.4)",
          "product_id": "AppStream-8.4.0.Z.E4S:flatpak-tests-debuginfo-0:1.8.5-5.el8_4.ppc64le"
        },
        "product_reference": "flatpak-tests-debuginfo-0:1.8.5-5.el8_4.ppc64le",
        "relates_to_product_reference": "AppStream-8.4.0.Z.E4S"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "flatpak-tests-debuginfo-0:1.8.5-5.el8_4.x86_64 as a component of Red Hat Enterprise Linux AppStream E4S (v.8.4)",
          "product_id": "AppStream-8.4.0.Z.E4S:flatpak-tests-debuginfo-0:1.8.5-5.el8_4.x86_64"
        },
        "product_reference": "flatpak-tests-debuginfo-0:1.8.5-5.el8_4.x86_64",
        "relates_to_product_reference": "AppStream-8.4.0.Z.E4S"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "flatpak-0:1.8.5-5.el8_4.src as a component of Red Hat Enterprise Linux AppStream TUS (v.8.4)",
          "product_id": "AppStream-8.4.0.Z.TUS:flatpak-0:1.8.5-5.el8_4.src"
        },
        "product_reference": "flatpak-0:1.8.5-5.el8_4.src",
        "relates_to_product_reference": "AppStream-8.4.0.Z.TUS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "flatpak-0:1.8.5-5.el8_4.x86_64 as a component of Red Hat Enterprise Linux AppStream TUS (v.8.4)",
          "product_id": "AppStream-8.4.0.Z.TUS:flatpak-0:1.8.5-5.el8_4.x86_64"
        },
        "product_reference": "flatpak-0:1.8.5-5.el8_4.x86_64",
        "relates_to_product_reference": "AppStream-8.4.0.Z.TUS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "flatpak-debuginfo-0:1.8.5-5.el8_4.i686 as a component of Red Hat Enterprise Linux AppStream TUS (v.8.4)",
          "product_id": "AppStream-8.4.0.Z.TUS:flatpak-debuginfo-0:1.8.5-5.el8_4.i686"
        },
        "product_reference": "flatpak-debuginfo-0:1.8.5-5.el8_4.i686",
        "relates_to_product_reference": "AppStream-8.4.0.Z.TUS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "flatpak-debuginfo-0:1.8.5-5.el8_4.x86_64 as a component of Red Hat Enterprise Linux AppStream TUS (v.8.4)",
          "product_id": "AppStream-8.4.0.Z.TUS:flatpak-debuginfo-0:1.8.5-5.el8_4.x86_64"
        },
        "product_reference": "flatpak-debuginfo-0:1.8.5-5.el8_4.x86_64",
        "relates_to_product_reference": "AppStream-8.4.0.Z.TUS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "flatpak-debugsource-0:1.8.5-5.el8_4.i686 as a component of Red Hat Enterprise Linux AppStream TUS (v.8.4)",
          "product_id": "AppStream-8.4.0.Z.TUS:flatpak-debugsource-0:1.8.5-5.el8_4.i686"
        },
        "product_reference": "flatpak-debugsource-0:1.8.5-5.el8_4.i686",
        "relates_to_product_reference": "AppStream-8.4.0.Z.TUS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "flatpak-debugsource-0:1.8.5-5.el8_4.x86_64 as a component of Red Hat Enterprise Linux AppStream TUS (v.8.4)",
          "product_id": "AppStream-8.4.0.Z.TUS:flatpak-debugsource-0:1.8.5-5.el8_4.x86_64"
        },
        "product_reference": "flatpak-debugsource-0:1.8.5-5.el8_4.x86_64",
        "relates_to_product_reference": "AppStream-8.4.0.Z.TUS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "flatpak-libs-0:1.8.5-5.el8_4.i686 as a component of Red Hat Enterprise Linux AppStream TUS (v.8.4)",
          "product_id": "AppStream-8.4.0.Z.TUS:flatpak-libs-0:1.8.5-5.el8_4.i686"
        },
        "product_reference": "flatpak-libs-0:1.8.5-5.el8_4.i686",
        "relates_to_product_reference": "AppStream-8.4.0.Z.TUS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "flatpak-libs-0:1.8.5-5.el8_4.x86_64 as a component of Red Hat Enterprise Linux AppStream TUS (v.8.4)",
          "product_id": "AppStream-8.4.0.Z.TUS:flatpak-libs-0:1.8.5-5.el8_4.x86_64"
        },
        "product_reference": "flatpak-libs-0:1.8.5-5.el8_4.x86_64",
        "relates_to_product_reference": "AppStream-8.4.0.Z.TUS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "flatpak-libs-debuginfo-0:1.8.5-5.el8_4.i686 as a component of Red Hat Enterprise Linux AppStream TUS (v.8.4)",
          "product_id": "AppStream-8.4.0.Z.TUS:flatpak-libs-debuginfo-0:1.8.5-5.el8_4.i686"
        },
        "product_reference": "flatpak-libs-debuginfo-0:1.8.5-5.el8_4.i686",
        "relates_to_product_reference": "AppStream-8.4.0.Z.TUS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "flatpak-libs-debuginfo-0:1.8.5-5.el8_4.x86_64 as a component of Red Hat Enterprise Linux AppStream TUS (v.8.4)",
          "product_id": "AppStream-8.4.0.Z.TUS:flatpak-libs-debuginfo-0:1.8.5-5.el8_4.x86_64"
        },
        "product_reference": "flatpak-libs-debuginfo-0:1.8.5-5.el8_4.x86_64",
        "relates_to_product_reference": "AppStream-8.4.0.Z.TUS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "flatpak-selinux-0:1.8.5-5.el8_4.noarch as a component of Red Hat Enterprise Linux AppStream TUS (v.8.4)",
          "product_id": "AppStream-8.4.0.Z.TUS:flatpak-selinux-0:1.8.5-5.el8_4.noarch"
        },
        "product_reference": "flatpak-selinux-0:1.8.5-5.el8_4.noarch",
        "relates_to_product_reference": "AppStream-8.4.0.Z.TUS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "flatpak-session-helper-0:1.8.5-5.el8_4.x86_64 as a component of Red Hat Enterprise Linux AppStream TUS (v.8.4)",
          "product_id": "AppStream-8.4.0.Z.TUS:flatpak-session-helper-0:1.8.5-5.el8_4.x86_64"
        },
        "product_reference": "flatpak-session-helper-0:1.8.5-5.el8_4.x86_64",
        "relates_to_product_reference": "AppStream-8.4.0.Z.TUS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "flatpak-session-helper-debuginfo-0:1.8.5-5.el8_4.i686 as a component of Red Hat Enterprise Linux AppStream TUS (v.8.4)",
          "product_id": "AppStream-8.4.0.Z.TUS:flatpak-session-helper-debuginfo-0:1.8.5-5.el8_4.i686"
        },
        "product_reference": "flatpak-session-helper-debuginfo-0:1.8.5-5.el8_4.i686",
        "relates_to_product_reference": "AppStream-8.4.0.Z.TUS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "flatpak-session-helper-debuginfo-0:1.8.5-5.el8_4.x86_64 as a component of Red Hat Enterprise Linux AppStream TUS (v.8.4)",
          "product_id": "AppStream-8.4.0.Z.TUS:flatpak-session-helper-debuginfo-0:1.8.5-5.el8_4.x86_64"
        },
        "product_reference": "flatpak-session-helper-debuginfo-0:1.8.5-5.el8_4.x86_64",
        "relates_to_product_reference": "AppStream-8.4.0.Z.TUS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "flatpak-tests-debuginfo-0:1.8.5-5.el8_4.i686 as a component of Red Hat Enterprise Linux AppStream TUS (v.8.4)",
          "product_id": "AppStream-8.4.0.Z.TUS:flatpak-tests-debuginfo-0:1.8.5-5.el8_4.i686"
        },
        "product_reference": "flatpak-tests-debuginfo-0:1.8.5-5.el8_4.i686",
        "relates_to_product_reference": "AppStream-8.4.0.Z.TUS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "flatpak-tests-debuginfo-0:1.8.5-5.el8_4.x86_64 as a component of Red Hat Enterprise Linux AppStream TUS (v.8.4)",
          "product_id": "AppStream-8.4.0.Z.TUS:flatpak-tests-debuginfo-0:1.8.5-5.el8_4.x86_64"
        },
        "product_reference": "flatpak-tests-debuginfo-0:1.8.5-5.el8_4.x86_64",
        "relates_to_product_reference": "AppStream-8.4.0.Z.TUS"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-32462",
      "cwe": {
        "id": "CWE-88",
        "name": "Improper Neutralization of Argument Delimiters in a Command (\u0027Argument Injection\u0027)"
      },
      "discovery_date": "2024-04-18T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2275981"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Flatpak, a system for building, distributing, and running sandboxed desktop applications on Linux. Normally, the \"--command\" argument of \"flatpak run\" expects being given a command to run in the specified Flatpak app, along with optional arguments. However, it is possible to pass bwrap arguments to \"--command=\" instead, such as \"--bind\". It is possible to pass an arbitrary \"commandline\" to the portal interface \"org.freedesktop.portal.Background.RequestBackground\" within the Flatpak app. This is normally safe because it can only specify a command that exists inside the sandbox. When a crafted \"commandline\" is converted into a \"--command\" and arguments, the app could achieve the same effect of passing arguments directly to bwrap to achieve sandbox escape.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "flatpak: sandbox escape via RequestBackground portal",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This vulnerability poses an important security risk due to its potential for sandbox escape within Flatpak environments. Exploiting this vulnerability allows a malicious Flatpak application to execute arbitrary code outside of its designated sandbox, effectively bypassing the security measures intended to restrict its system access. By manipulating the --command argument and the org.freedesktop.portal.Background.RequestBackground portal interface, an attacker can craft commands that are misinterpreted as bwrap options, leading to unauthorized execution of commands with elevated privileges. This could result in unauthorized data access, system compromise, and potentially enable further exploitation of the host system.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "AppStream-8.4.0.Z.AUS:flatpak-0:1.8.5-5.el8_4.src",
          "AppStream-8.4.0.Z.AUS:flatpak-0:1.8.5-5.el8_4.x86_64",
          "AppStream-8.4.0.Z.AUS:flatpak-debuginfo-0:1.8.5-5.el8_4.i686",
          "AppStream-8.4.0.Z.AUS:flatpak-debuginfo-0:1.8.5-5.el8_4.x86_64",
          "AppStream-8.4.0.Z.AUS:flatpak-debugsource-0:1.8.5-5.el8_4.i686",
          "AppStream-8.4.0.Z.AUS:flatpak-debugsource-0:1.8.5-5.el8_4.x86_64",
          "AppStream-8.4.0.Z.AUS:flatpak-libs-0:1.8.5-5.el8_4.i686",
          "AppStream-8.4.0.Z.AUS:flatpak-libs-0:1.8.5-5.el8_4.x86_64",
          "AppStream-8.4.0.Z.AUS:flatpak-libs-debuginfo-0:1.8.5-5.el8_4.i686",
          "AppStream-8.4.0.Z.AUS:flatpak-libs-debuginfo-0:1.8.5-5.el8_4.x86_64",
          "AppStream-8.4.0.Z.AUS:flatpak-selinux-0:1.8.5-5.el8_4.noarch",
          "AppStream-8.4.0.Z.AUS:flatpak-session-helper-0:1.8.5-5.el8_4.x86_64",
          "AppStream-8.4.0.Z.AUS:flatpak-session-helper-debuginfo-0:1.8.5-5.el8_4.i686",
          "AppStream-8.4.0.Z.AUS:flatpak-session-helper-debuginfo-0:1.8.5-5.el8_4.x86_64",
          "AppStream-8.4.0.Z.AUS:flatpak-tests-debuginfo-0:1.8.5-5.el8_4.i686",
          "AppStream-8.4.0.Z.AUS:flatpak-tests-debuginfo-0:1.8.5-5.el8_4.x86_64",
          "AppStream-8.4.0.Z.E4S:flatpak-0:1.8.5-5.el8_4.ppc64le",
          "AppStream-8.4.0.Z.E4S:flatpak-0:1.8.5-5.el8_4.src",
          "AppStream-8.4.0.Z.E4S:flatpak-0:1.8.5-5.el8_4.x86_64",
          "AppStream-8.4.0.Z.E4S:flatpak-debuginfo-0:1.8.5-5.el8_4.i686",
          "AppStream-8.4.0.Z.E4S:flatpak-debuginfo-0:1.8.5-5.el8_4.ppc64le",
          "AppStream-8.4.0.Z.E4S:flatpak-debuginfo-0:1.8.5-5.el8_4.x86_64",
          "AppStream-8.4.0.Z.E4S:flatpak-debugsource-0:1.8.5-5.el8_4.i686",
          "AppStream-8.4.0.Z.E4S:flatpak-debugsource-0:1.8.5-5.el8_4.ppc64le",
          "AppStream-8.4.0.Z.E4S:flatpak-debugsource-0:1.8.5-5.el8_4.x86_64",
          "AppStream-8.4.0.Z.E4S:flatpak-libs-0:1.8.5-5.el8_4.i686",
          "AppStream-8.4.0.Z.E4S:flatpak-libs-0:1.8.5-5.el8_4.ppc64le",
          "AppStream-8.4.0.Z.E4S:flatpak-libs-0:1.8.5-5.el8_4.x86_64",
          "AppStream-8.4.0.Z.E4S:flatpak-libs-debuginfo-0:1.8.5-5.el8_4.i686",
          "AppStream-8.4.0.Z.E4S:flatpak-libs-debuginfo-0:1.8.5-5.el8_4.ppc64le",
          "AppStream-8.4.0.Z.E4S:flatpak-libs-debuginfo-0:1.8.5-5.el8_4.x86_64",
          "AppStream-8.4.0.Z.E4S:flatpak-selinux-0:1.8.5-5.el8_4.noarch",
          "AppStream-8.4.0.Z.E4S:flatpak-session-helper-0:1.8.5-5.el8_4.ppc64le",
          "AppStream-8.4.0.Z.E4S:flatpak-session-helper-0:1.8.5-5.el8_4.x86_64",
          "AppStream-8.4.0.Z.E4S:flatpak-session-helper-debuginfo-0:1.8.5-5.el8_4.i686",
          "AppStream-8.4.0.Z.E4S:flatpak-session-helper-debuginfo-0:1.8.5-5.el8_4.ppc64le",
          "AppStream-8.4.0.Z.E4S:flatpak-session-helper-debuginfo-0:1.8.5-5.el8_4.x86_64",
          "AppStream-8.4.0.Z.E4S:flatpak-tests-debuginfo-0:1.8.5-5.el8_4.i686",
          "AppStream-8.4.0.Z.E4S:flatpak-tests-debuginfo-0:1.8.5-5.el8_4.ppc64le",
          "AppStream-8.4.0.Z.E4S:flatpak-tests-debuginfo-0:1.8.5-5.el8_4.x86_64",
          "AppStream-8.4.0.Z.TUS:flatpak-0:1.8.5-5.el8_4.src",
          "AppStream-8.4.0.Z.TUS:flatpak-0:1.8.5-5.el8_4.x86_64",
          "AppStream-8.4.0.Z.TUS:flatpak-debuginfo-0:1.8.5-5.el8_4.i686",
          "AppStream-8.4.0.Z.TUS:flatpak-debuginfo-0:1.8.5-5.el8_4.x86_64",
          "AppStream-8.4.0.Z.TUS:flatpak-debugsource-0:1.8.5-5.el8_4.i686",
          "AppStream-8.4.0.Z.TUS:flatpak-debugsource-0:1.8.5-5.el8_4.x86_64",
          "AppStream-8.4.0.Z.TUS:flatpak-libs-0:1.8.5-5.el8_4.i686",
          "AppStream-8.4.0.Z.TUS:flatpak-libs-0:1.8.5-5.el8_4.x86_64",
          "AppStream-8.4.0.Z.TUS:flatpak-libs-debuginfo-0:1.8.5-5.el8_4.i686",
          "AppStream-8.4.0.Z.TUS:flatpak-libs-debuginfo-0:1.8.5-5.el8_4.x86_64",
          "AppStream-8.4.0.Z.TUS:flatpak-selinux-0:1.8.5-5.el8_4.noarch",
          "AppStream-8.4.0.Z.TUS:flatpak-session-helper-0:1.8.5-5.el8_4.x86_64",
          "AppStream-8.4.0.Z.TUS:flatpak-session-helper-debuginfo-0:1.8.5-5.el8_4.i686",
          "AppStream-8.4.0.Z.TUS:flatpak-session-helper-debuginfo-0:1.8.5-5.el8_4.x86_64",
          "AppStream-8.4.0.Z.TUS:flatpak-tests-debuginfo-0:1.8.5-5.el8_4.i686",
          "AppStream-8.4.0.Z.TUS:flatpak-tests-debuginfo-0:1.8.5-5.el8_4.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2024-32462"
        },
        {
          "category": "external",
          "summary": "RHBZ#2275981",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2275981"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2024-32462",
          "url": "https://www.cve.org/CVERecord?id=CVE-2024-32462"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-32462",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32462"
        },
        {
          "category": "external",
          "summary": "https://github.com/flatpak/flatpak/security/advisories/GHSA-phv6-cpc2-2fgj",
          "url": "https://github.com/flatpak/flatpak/security/advisories/GHSA-phv6-cpc2-2fgj"
        }
      ],
      "release_date": "2024-04-18T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2024-06-17T16:20:21+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "AppStream-8.4.0.Z.AUS:flatpak-0:1.8.5-5.el8_4.src",
            "AppStream-8.4.0.Z.AUS:flatpak-0:1.8.5-5.el8_4.x86_64",
            "AppStream-8.4.0.Z.AUS:flatpak-debuginfo-0:1.8.5-5.el8_4.i686",
            "AppStream-8.4.0.Z.AUS:flatpak-debuginfo-0:1.8.5-5.el8_4.x86_64",
            "AppStream-8.4.0.Z.AUS:flatpak-debugsource-0:1.8.5-5.el8_4.i686",
            "AppStream-8.4.0.Z.AUS:flatpak-debugsource-0:1.8.5-5.el8_4.x86_64",
            "AppStream-8.4.0.Z.AUS:flatpak-libs-0:1.8.5-5.el8_4.i686",
            "AppStream-8.4.0.Z.AUS:flatpak-libs-0:1.8.5-5.el8_4.x86_64",
            "AppStream-8.4.0.Z.AUS:flatpak-libs-debuginfo-0:1.8.5-5.el8_4.i686",
            "AppStream-8.4.0.Z.AUS:flatpak-libs-debuginfo-0:1.8.5-5.el8_4.x86_64",
            "AppStream-8.4.0.Z.AUS:flatpak-selinux-0:1.8.5-5.el8_4.noarch",
            "AppStream-8.4.0.Z.AUS:flatpak-session-helper-0:1.8.5-5.el8_4.x86_64",
            "AppStream-8.4.0.Z.AUS:flatpak-session-helper-debuginfo-0:1.8.5-5.el8_4.i686",
            "AppStream-8.4.0.Z.AUS:flatpak-session-helper-debuginfo-0:1.8.5-5.el8_4.x86_64",
            "AppStream-8.4.0.Z.AUS:flatpak-tests-debuginfo-0:1.8.5-5.el8_4.i686",
            "AppStream-8.4.0.Z.AUS:flatpak-tests-debuginfo-0:1.8.5-5.el8_4.x86_64",
            "AppStream-8.4.0.Z.E4S:flatpak-0:1.8.5-5.el8_4.ppc64le",
            "AppStream-8.4.0.Z.E4S:flatpak-0:1.8.5-5.el8_4.src",
            "AppStream-8.4.0.Z.E4S:flatpak-0:1.8.5-5.el8_4.x86_64",
            "AppStream-8.4.0.Z.E4S:flatpak-debuginfo-0:1.8.5-5.el8_4.i686",
            "AppStream-8.4.0.Z.E4S:flatpak-debuginfo-0:1.8.5-5.el8_4.ppc64le",
            "AppStream-8.4.0.Z.E4S:flatpak-debuginfo-0:1.8.5-5.el8_4.x86_64",
            "AppStream-8.4.0.Z.E4S:flatpak-debugsource-0:1.8.5-5.el8_4.i686",
            "AppStream-8.4.0.Z.E4S:flatpak-debugsource-0:1.8.5-5.el8_4.ppc64le",
            "AppStream-8.4.0.Z.E4S:flatpak-debugsource-0:1.8.5-5.el8_4.x86_64",
            "AppStream-8.4.0.Z.E4S:flatpak-libs-0:1.8.5-5.el8_4.i686",
            "AppStream-8.4.0.Z.E4S:flatpak-libs-0:1.8.5-5.el8_4.ppc64le",
            "AppStream-8.4.0.Z.E4S:flatpak-libs-0:1.8.5-5.el8_4.x86_64",
            "AppStream-8.4.0.Z.E4S:flatpak-libs-debuginfo-0:1.8.5-5.el8_4.i686",
            "AppStream-8.4.0.Z.E4S:flatpak-libs-debuginfo-0:1.8.5-5.el8_4.ppc64le",
            "AppStream-8.4.0.Z.E4S:flatpak-libs-debuginfo-0:1.8.5-5.el8_4.x86_64",
            "AppStream-8.4.0.Z.E4S:flatpak-selinux-0:1.8.5-5.el8_4.noarch",
            "AppStream-8.4.0.Z.E4S:flatpak-session-helper-0:1.8.5-5.el8_4.ppc64le",
            "AppStream-8.4.0.Z.E4S:flatpak-session-helper-0:1.8.5-5.el8_4.x86_64",
            "AppStream-8.4.0.Z.E4S:flatpak-session-helper-debuginfo-0:1.8.5-5.el8_4.i686",
            "AppStream-8.4.0.Z.E4S:flatpak-session-helper-debuginfo-0:1.8.5-5.el8_4.ppc64le",
            "AppStream-8.4.0.Z.E4S:flatpak-session-helper-debuginfo-0:1.8.5-5.el8_4.x86_64",
            "AppStream-8.4.0.Z.E4S:flatpak-tests-debuginfo-0:1.8.5-5.el8_4.i686",
            "AppStream-8.4.0.Z.E4S:flatpak-tests-debuginfo-0:1.8.5-5.el8_4.ppc64le",
            "AppStream-8.4.0.Z.E4S:flatpak-tests-debuginfo-0:1.8.5-5.el8_4.x86_64",
            "AppStream-8.4.0.Z.TUS:flatpak-0:1.8.5-5.el8_4.src",
            "AppStream-8.4.0.Z.TUS:flatpak-0:1.8.5-5.el8_4.x86_64",
            "AppStream-8.4.0.Z.TUS:flatpak-debuginfo-0:1.8.5-5.el8_4.i686",
            "AppStream-8.4.0.Z.TUS:flatpak-debuginfo-0:1.8.5-5.el8_4.x86_64",
            "AppStream-8.4.0.Z.TUS:flatpak-debugsource-0:1.8.5-5.el8_4.i686",
            "AppStream-8.4.0.Z.TUS:flatpak-debugsource-0:1.8.5-5.el8_4.x86_64",
            "AppStream-8.4.0.Z.TUS:flatpak-libs-0:1.8.5-5.el8_4.i686",
            "AppStream-8.4.0.Z.TUS:flatpak-libs-0:1.8.5-5.el8_4.x86_64",
            "AppStream-8.4.0.Z.TUS:flatpak-libs-debuginfo-0:1.8.5-5.el8_4.i686",
            "AppStream-8.4.0.Z.TUS:flatpak-libs-debuginfo-0:1.8.5-5.el8_4.x86_64",
            "AppStream-8.4.0.Z.TUS:flatpak-selinux-0:1.8.5-5.el8_4.noarch",
            "AppStream-8.4.0.Z.TUS:flatpak-session-helper-0:1.8.5-5.el8_4.x86_64",
            "AppStream-8.4.0.Z.TUS:flatpak-session-helper-debuginfo-0:1.8.5-5.el8_4.i686",
            "AppStream-8.4.0.Z.TUS:flatpak-session-helper-debuginfo-0:1.8.5-5.el8_4.x86_64",
            "AppStream-8.4.0.Z.TUS:flatpak-tests-debuginfo-0:1.8.5-5.el8_4.i686",
            "AppStream-8.4.0.Z.TUS:flatpak-tests-debuginfo-0:1.8.5-5.el8_4.x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2024:3963"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options don\u0027t meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "AppStream-8.4.0.Z.AUS:flatpak-0:1.8.5-5.el8_4.src",
            "AppStream-8.4.0.Z.AUS:flatpak-0:1.8.5-5.el8_4.x86_64",
            "AppStream-8.4.0.Z.AUS:flatpak-debuginfo-0:1.8.5-5.el8_4.i686",
            "AppStream-8.4.0.Z.AUS:flatpak-debuginfo-0:1.8.5-5.el8_4.x86_64",
            "AppStream-8.4.0.Z.AUS:flatpak-debugsource-0:1.8.5-5.el8_4.i686",
            "AppStream-8.4.0.Z.AUS:flatpak-debugsource-0:1.8.5-5.el8_4.x86_64",
            "AppStream-8.4.0.Z.AUS:flatpak-libs-0:1.8.5-5.el8_4.i686",
            "AppStream-8.4.0.Z.AUS:flatpak-libs-0:1.8.5-5.el8_4.x86_64",
            "AppStream-8.4.0.Z.AUS:flatpak-libs-debuginfo-0:1.8.5-5.el8_4.i686",
            "AppStream-8.4.0.Z.AUS:flatpak-libs-debuginfo-0:1.8.5-5.el8_4.x86_64",
            "AppStream-8.4.0.Z.AUS:flatpak-selinux-0:1.8.5-5.el8_4.noarch",
            "AppStream-8.4.0.Z.AUS:flatpak-session-helper-0:1.8.5-5.el8_4.x86_64",
            "AppStream-8.4.0.Z.AUS:flatpak-session-helper-debuginfo-0:1.8.5-5.el8_4.i686",
            "AppStream-8.4.0.Z.AUS:flatpak-session-helper-debuginfo-0:1.8.5-5.el8_4.x86_64",
            "AppStream-8.4.0.Z.AUS:flatpak-tests-debuginfo-0:1.8.5-5.el8_4.i686",
            "AppStream-8.4.0.Z.AUS:flatpak-tests-debuginfo-0:1.8.5-5.el8_4.x86_64",
            "AppStream-8.4.0.Z.E4S:flatpak-0:1.8.5-5.el8_4.ppc64le",
            "AppStream-8.4.0.Z.E4S:flatpak-0:1.8.5-5.el8_4.src",
            "AppStream-8.4.0.Z.E4S:flatpak-0:1.8.5-5.el8_4.x86_64",
            "AppStream-8.4.0.Z.E4S:flatpak-debuginfo-0:1.8.5-5.el8_4.i686",
            "AppStream-8.4.0.Z.E4S:flatpak-debuginfo-0:1.8.5-5.el8_4.ppc64le",
            "AppStream-8.4.0.Z.E4S:flatpak-debuginfo-0:1.8.5-5.el8_4.x86_64",
            "AppStream-8.4.0.Z.E4S:flatpak-debugsource-0:1.8.5-5.el8_4.i686",
            "AppStream-8.4.0.Z.E4S:flatpak-debugsource-0:1.8.5-5.el8_4.ppc64le",
            "AppStream-8.4.0.Z.E4S:flatpak-debugsource-0:1.8.5-5.el8_4.x86_64",
            "AppStream-8.4.0.Z.E4S:flatpak-libs-0:1.8.5-5.el8_4.i686",
            "AppStream-8.4.0.Z.E4S:flatpak-libs-0:1.8.5-5.el8_4.ppc64le",
            "AppStream-8.4.0.Z.E4S:flatpak-libs-0:1.8.5-5.el8_4.x86_64",
            "AppStream-8.4.0.Z.E4S:flatpak-libs-debuginfo-0:1.8.5-5.el8_4.i686",
            "AppStream-8.4.0.Z.E4S:flatpak-libs-debuginfo-0:1.8.5-5.el8_4.ppc64le",
            "AppStream-8.4.0.Z.E4S:flatpak-libs-debuginfo-0:1.8.5-5.el8_4.x86_64",
            "AppStream-8.4.0.Z.E4S:flatpak-selinux-0:1.8.5-5.el8_4.noarch",
            "AppStream-8.4.0.Z.E4S:flatpak-session-helper-0:1.8.5-5.el8_4.ppc64le",
            "AppStream-8.4.0.Z.E4S:flatpak-session-helper-0:1.8.5-5.el8_4.x86_64",
            "AppStream-8.4.0.Z.E4S:flatpak-session-helper-debuginfo-0:1.8.5-5.el8_4.i686",
            "AppStream-8.4.0.Z.E4S:flatpak-session-helper-debuginfo-0:1.8.5-5.el8_4.ppc64le",
            "AppStream-8.4.0.Z.E4S:flatpak-session-helper-debuginfo-0:1.8.5-5.el8_4.x86_64",
            "AppStream-8.4.0.Z.E4S:flatpak-tests-debuginfo-0:1.8.5-5.el8_4.i686",
            "AppStream-8.4.0.Z.E4S:flatpak-tests-debuginfo-0:1.8.5-5.el8_4.ppc64le",
            "AppStream-8.4.0.Z.E4S:flatpak-tests-debuginfo-0:1.8.5-5.el8_4.x86_64",
            "AppStream-8.4.0.Z.TUS:flatpak-0:1.8.5-5.el8_4.src",
            "AppStream-8.4.0.Z.TUS:flatpak-0:1.8.5-5.el8_4.x86_64",
            "AppStream-8.4.0.Z.TUS:flatpak-debuginfo-0:1.8.5-5.el8_4.i686",
            "AppStream-8.4.0.Z.TUS:flatpak-debuginfo-0:1.8.5-5.el8_4.x86_64",
            "AppStream-8.4.0.Z.TUS:flatpak-debugsource-0:1.8.5-5.el8_4.i686",
            "AppStream-8.4.0.Z.TUS:flatpak-debugsource-0:1.8.5-5.el8_4.x86_64",
            "AppStream-8.4.0.Z.TUS:flatpak-libs-0:1.8.5-5.el8_4.i686",
            "AppStream-8.4.0.Z.TUS:flatpak-libs-0:1.8.5-5.el8_4.x86_64",
            "AppStream-8.4.0.Z.TUS:flatpak-libs-debuginfo-0:1.8.5-5.el8_4.i686",
            "AppStream-8.4.0.Z.TUS:flatpak-libs-debuginfo-0:1.8.5-5.el8_4.x86_64",
            "AppStream-8.4.0.Z.TUS:flatpak-selinux-0:1.8.5-5.el8_4.noarch",
            "AppStream-8.4.0.Z.TUS:flatpak-session-helper-0:1.8.5-5.el8_4.x86_64",
            "AppStream-8.4.0.Z.TUS:flatpak-session-helper-debuginfo-0:1.8.5-5.el8_4.i686",
            "AppStream-8.4.0.Z.TUS:flatpak-session-helper-debuginfo-0:1.8.5-5.el8_4.x86_64",
            "AppStream-8.4.0.Z.TUS:flatpak-tests-debuginfo-0:1.8.5-5.el8_4.i686",
            "AppStream-8.4.0.Z.TUS:flatpak-tests-debuginfo-0:1.8.5-5.el8_4.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 8.4,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "AppStream-8.4.0.Z.AUS:flatpak-0:1.8.5-5.el8_4.src",
            "AppStream-8.4.0.Z.AUS:flatpak-0:1.8.5-5.el8_4.x86_64",
            "AppStream-8.4.0.Z.AUS:flatpak-debuginfo-0:1.8.5-5.el8_4.i686",
            "AppStream-8.4.0.Z.AUS:flatpak-debuginfo-0:1.8.5-5.el8_4.x86_64",
            "AppStream-8.4.0.Z.AUS:flatpak-debugsource-0:1.8.5-5.el8_4.i686",
            "AppStream-8.4.0.Z.AUS:flatpak-debugsource-0:1.8.5-5.el8_4.x86_64",
            "AppStream-8.4.0.Z.AUS:flatpak-libs-0:1.8.5-5.el8_4.i686",
            "AppStream-8.4.0.Z.AUS:flatpak-libs-0:1.8.5-5.el8_4.x86_64",
            "AppStream-8.4.0.Z.AUS:flatpak-libs-debuginfo-0:1.8.5-5.el8_4.i686",
            "AppStream-8.4.0.Z.AUS:flatpak-libs-debuginfo-0:1.8.5-5.el8_4.x86_64",
            "AppStream-8.4.0.Z.AUS:flatpak-selinux-0:1.8.5-5.el8_4.noarch",
            "AppStream-8.4.0.Z.AUS:flatpak-session-helper-0:1.8.5-5.el8_4.x86_64",
            "AppStream-8.4.0.Z.AUS:flatpak-session-helper-debuginfo-0:1.8.5-5.el8_4.i686",
            "AppStream-8.4.0.Z.AUS:flatpak-session-helper-debuginfo-0:1.8.5-5.el8_4.x86_64",
            "AppStream-8.4.0.Z.AUS:flatpak-tests-debuginfo-0:1.8.5-5.el8_4.i686",
            "AppStream-8.4.0.Z.AUS:flatpak-tests-debuginfo-0:1.8.5-5.el8_4.x86_64",
            "AppStream-8.4.0.Z.E4S:flatpak-0:1.8.5-5.el8_4.ppc64le",
            "AppStream-8.4.0.Z.E4S:flatpak-0:1.8.5-5.el8_4.src",
            "AppStream-8.4.0.Z.E4S:flatpak-0:1.8.5-5.el8_4.x86_64",
            "AppStream-8.4.0.Z.E4S:flatpak-debuginfo-0:1.8.5-5.el8_4.i686",
            "AppStream-8.4.0.Z.E4S:flatpak-debuginfo-0:1.8.5-5.el8_4.ppc64le",
            "AppStream-8.4.0.Z.E4S:flatpak-debuginfo-0:1.8.5-5.el8_4.x86_64",
            "AppStream-8.4.0.Z.E4S:flatpak-debugsource-0:1.8.5-5.el8_4.i686",
            "AppStream-8.4.0.Z.E4S:flatpak-debugsource-0:1.8.5-5.el8_4.ppc64le",
            "AppStream-8.4.0.Z.E4S:flatpak-debugsource-0:1.8.5-5.el8_4.x86_64",
            "AppStream-8.4.0.Z.E4S:flatpak-libs-0:1.8.5-5.el8_4.i686",
            "AppStream-8.4.0.Z.E4S:flatpak-libs-0:1.8.5-5.el8_4.ppc64le",
            "AppStream-8.4.0.Z.E4S:flatpak-libs-0:1.8.5-5.el8_4.x86_64",
            "AppStream-8.4.0.Z.E4S:flatpak-libs-debuginfo-0:1.8.5-5.el8_4.i686",
            "AppStream-8.4.0.Z.E4S:flatpak-libs-debuginfo-0:1.8.5-5.el8_4.ppc64le",
            "AppStream-8.4.0.Z.E4S:flatpak-libs-debuginfo-0:1.8.5-5.el8_4.x86_64",
            "AppStream-8.4.0.Z.E4S:flatpak-selinux-0:1.8.5-5.el8_4.noarch",
            "AppStream-8.4.0.Z.E4S:flatpak-session-helper-0:1.8.5-5.el8_4.ppc64le",
            "AppStream-8.4.0.Z.E4S:flatpak-session-helper-0:1.8.5-5.el8_4.x86_64",
            "AppStream-8.4.0.Z.E4S:flatpak-session-helper-debuginfo-0:1.8.5-5.el8_4.i686",
            "AppStream-8.4.0.Z.E4S:flatpak-session-helper-debuginfo-0:1.8.5-5.el8_4.ppc64le",
            "AppStream-8.4.0.Z.E4S:flatpak-session-helper-debuginfo-0:1.8.5-5.el8_4.x86_64",
            "AppStream-8.4.0.Z.E4S:flatpak-tests-debuginfo-0:1.8.5-5.el8_4.i686",
            "AppStream-8.4.0.Z.E4S:flatpak-tests-debuginfo-0:1.8.5-5.el8_4.ppc64le",
            "AppStream-8.4.0.Z.E4S:flatpak-tests-debuginfo-0:1.8.5-5.el8_4.x86_64",
            "AppStream-8.4.0.Z.TUS:flatpak-0:1.8.5-5.el8_4.src",
            "AppStream-8.4.0.Z.TUS:flatpak-0:1.8.5-5.el8_4.x86_64",
            "AppStream-8.4.0.Z.TUS:flatpak-debuginfo-0:1.8.5-5.el8_4.i686",
            "AppStream-8.4.0.Z.TUS:flatpak-debuginfo-0:1.8.5-5.el8_4.x86_64",
            "AppStream-8.4.0.Z.TUS:flatpak-debugsource-0:1.8.5-5.el8_4.i686",
            "AppStream-8.4.0.Z.TUS:flatpak-debugsource-0:1.8.5-5.el8_4.x86_64",
            "AppStream-8.4.0.Z.TUS:flatpak-libs-0:1.8.5-5.el8_4.i686",
            "AppStream-8.4.0.Z.TUS:flatpak-libs-0:1.8.5-5.el8_4.x86_64",
            "AppStream-8.4.0.Z.TUS:flatpak-libs-debuginfo-0:1.8.5-5.el8_4.i686",
            "AppStream-8.4.0.Z.TUS:flatpak-libs-debuginfo-0:1.8.5-5.el8_4.x86_64",
            "AppStream-8.4.0.Z.TUS:flatpak-selinux-0:1.8.5-5.el8_4.noarch",
            "AppStream-8.4.0.Z.TUS:flatpak-session-helper-0:1.8.5-5.el8_4.x86_64",
            "AppStream-8.4.0.Z.TUS:flatpak-session-helper-debuginfo-0:1.8.5-5.el8_4.i686",
            "AppStream-8.4.0.Z.TUS:flatpak-session-helper-debuginfo-0:1.8.5-5.el8_4.x86_64",
            "AppStream-8.4.0.Z.TUS:flatpak-tests-debuginfo-0:1.8.5-5.el8_4.i686",
            "AppStream-8.4.0.Z.TUS:flatpak-tests-debuginfo-0:1.8.5-5.el8_4.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "flatpak: sandbox escape via RequestBackground portal"
    }
  ]
}

cve-2024-32462

Vulnerability from cvelistv5

Published

2024-04-18 18:11

Modified

2024-08-02 02:13

Severity ?

8.4 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

Summary

Flatpak vulnerable to a sandbox escape via RequestBackground portal due to bad argument parsing

References

▼	URL	Tags
	https://github.com/flatpak/flatpak/security/advisories/GHSA-phv6-cpc2-2fgj	x_refsource_CONFIRM
	https://github.com/flatpak/flatpak/commit/72016e3fce8fcbeab707daf4f1a02b931fcc004d	x_refsource_MISC
	https://github.com/flatpak/flatpak/commit/81abe2a37d363f5099c3d0bdcd0caad6efc5bf97	x_refsource_MISC
	https://github.com/flatpak/flatpak/commit/b7c1a558e58aaeb1d007d29529bbb270dc4ff11e	x_refsource_MISC
	https://github.com/flatpak/flatpak/commit/bbab7ed1e672356d1a78b422462b210e8e875931	x_refsource_MISC
	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZFNSCFJVMAQK5AF55JBN7OSJP3CREDBD/
	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IB6VQAF5S2YOBULDHPUKPOEIKONOP5KO/
	http://www.openwall.com/lists/oss-security/2024/04/18/5

Impacted products

Vendor

Product

Version

▼

flatpak

Version: < 1.10.9
Version: >= 1.12.0, < 1.12.9
Version: >= 1.14.0, < 1.14.6
Version: >= 1.15.0, < 1.15.8

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:flatpak:flatpak:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "flatpak",
            "vendor": "flatpak",
            "versions": [
              {
                "lessThan": "1.15.8",
                "status": "affected",
                "version": "1.15.0",
                "versionType": "semver"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-32462",
                "options": [
                  {
                    "Exploitation": "None"
                  },
                  {
                    "Automatable": "No"
                  },
                  {
                    "Technical Impact": "Total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-04-20T04:00:12.336436Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-04T17:51:25.150Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T02:13:39.161Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/flatpak/flatpak/security/advisories/GHSA-phv6-cpc2-2fgj",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/flatpak/flatpak/security/advisories/GHSA-phv6-cpc2-2fgj"
          },
          {
            "name": "https://github.com/flatpak/flatpak/commit/72016e3fce8fcbeab707daf4f1a02b931fcc004d",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/flatpak/flatpak/commit/72016e3fce8fcbeab707daf4f1a02b931fcc004d"
          },
          {
            "name": "https://github.com/flatpak/flatpak/commit/81abe2a37d363f5099c3d0bdcd0caad6efc5bf97",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/flatpak/flatpak/commit/81abe2a37d363f5099c3d0bdcd0caad6efc5bf97"
          },
          {
            "name": "https://github.com/flatpak/flatpak/commit/b7c1a558e58aaeb1d007d29529bbb270dc4ff11e",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/flatpak/flatpak/commit/b7c1a558e58aaeb1d007d29529bbb270dc4ff11e"
          },
          {
            "name": "https://github.com/flatpak/flatpak/commit/bbab7ed1e672356d1a78b422462b210e8e875931",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/flatpak/flatpak/commit/bbab7ed1e672356d1a78b422462b210e8e875931"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZFNSCFJVMAQK5AF55JBN7OSJP3CREDBD/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IB6VQAF5S2YOBULDHPUKPOEIKONOP5KO/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2024/04/18/5"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "flatpak",
          "vendor": "flatpak",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.10.9"
            },
            {
              "status": "affected",
              "version": "\u003e= 1.12.0, \u003c 1.12.9"
            },
            {
              "status": "affected",
              "version": "\u003e= 1.14.0, \u003c 1.14.6"
            },
            {
              "status": "affected",
              "version": "\u003e= 1.15.0, \u003c 1.15.8"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. in versions before 1.10.9, 1.12.9, 1.14.6, and 1.15.8, a malicious or compromised Flatpak app could execute arbitrary code outside its sandbox. Normally, the `--command` argument of `flatpak run` expects to be given a command to run in the specified Flatpak app, optionally along with some arguments. However it is possible to instead pass `bwrap` arguments to `--command=`, such as `--bind`. It\u0027s possible to pass an arbitrary `commandline` to the portal interface `org.freedesktop.portal.Background.RequestBackground` from within a Flatpak app. When this is converted into a `--command` and arguments, it achieves the same effect of passing arguments directly to `bwrap`, and thus can be used for a sandbox escape. The solution is to pass the `--` argument to `bwrap`, which makes it stop processing options. This has been supported since bubblewrap 0.3.0. All supported versions of Flatpak require at least that version of bubblewrap. xdg-desktop-portal version 1.18.4 will mitigate this vulnerability by only allowing Flatpak apps to create .desktop files for commands that do not start with --. The vulnerability is patched in 1.15.8, 1.10.9, 1.12.9, and 1.14.6."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 8.4,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-88",
              "description": "CWE-88: Improper Neutralization of Argument Delimiters in a Command (\u0027Argument Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-04-18T18:11:27.680Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/flatpak/flatpak/security/advisories/GHSA-phv6-cpc2-2fgj",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/flatpak/flatpak/security/advisories/GHSA-phv6-cpc2-2fgj"
        },
        {
          "name": "https://github.com/flatpak/flatpak/commit/72016e3fce8fcbeab707daf4f1a02b931fcc004d",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/flatpak/flatpak/commit/72016e3fce8fcbeab707daf4f1a02b931fcc004d"
        },
        {
          "name": "https://github.com/flatpak/flatpak/commit/81abe2a37d363f5099c3d0bdcd0caad6efc5bf97",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/flatpak/flatpak/commit/81abe2a37d363f5099c3d0bdcd0caad6efc5bf97"
        },
        {
          "name": "https://github.com/flatpak/flatpak/commit/b7c1a558e58aaeb1d007d29529bbb270dc4ff11e",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/flatpak/flatpak/commit/b7c1a558e58aaeb1d007d29529bbb270dc4ff11e"
        },
        {
          "name": "https://github.com/flatpak/flatpak/commit/bbab7ed1e672356d1a78b422462b210e8e875931",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/flatpak/flatpak/commit/bbab7ed1e672356d1a78b422462b210e8e875931"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZFNSCFJVMAQK5AF55JBN7OSJP3CREDBD/"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IB6VQAF5S2YOBULDHPUKPOEIKONOP5KO/"
        },
        {
          "url": "http://www.openwall.com/lists/oss-security/2024/04/18/5"
        }
      ],
      "source": {
        "advisory": "GHSA-phv6-cpc2-2fgj",
        "discovery": "UNKNOWN"
      },
      "title": "Flatpak vulnerable to a sandbox escape via RequestBackground portal due to bad argument parsing"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-32462",
    "datePublished": "2024-04-18T18:11:27.680Z",
    "dateReserved": "2024-04-12T19:41:51.164Z",
    "dateUpdated": "2024-08-02T02:13:39.161Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted