bubblewrap.c in Bubblewrap before 0.3.3 misuses temporary directories in /tmp as a mount point. In some particular configurations (related to XDG_RUNTIME_DIR), a local attacker may abuse this flaw to prevent other users from executing bubblewrap or potentially execute code.
[
{
"signature_type": "Function",
"deprecated": false,
"digest": {
"length": 10855.0,
"function_hash": "163138480516088060973123991537078844772"
},
"signature_version": "v1",
"source": "https://github.com/containers/bubblewrap/commit/efc89e3b939b4bde42c10f065f6b7b02958ed50e",
"target": {
"file": "bubblewrap.c",
"function": "main"
},
"id": "CVE-2019-12439-0814091c"
},
{
"signature_type": "Line",
"deprecated": false,
"digest": {
"line_hashes": [
"283179917051261630896667241276398686681",
"156835895842063204426592657645357554064",
"111535406409657270217145089257984278610",
"113780544056907384740793531340704701702",
"137732832239418312694642623703253456288",
"124682311427914636375661048704732540145",
"170496425584988668139365274346094921978",
"172801237529990720369066095369241666423",
"217023891360866399185816632672554550288",
"174097707395110539665399886529019003634",
"297473727901272319493434324414327787637",
"276028077305428303997258195433187177581",
"246543047571715569257987064028953445438",
"74241571744933200156231765948065868072",
"229410691217233813825979016078530512815",
"42059878739010556504832711124538710956",
"44532719681789361639233861930549587264",
"198386674756433031549864431927558446003"
],
"threshold": 0.9
},
"signature_version": "v1",
"source": "https://github.com/containers/bubblewrap/commit/efc89e3b939b4bde42c10f065f6b7b02958ed50e",
"target": {
"file": "bubblewrap.c"
},
"id": "CVE-2019-12439-776902b2"
}
]