CVE Vulnerability

CVE-2022-21682

Flatpak is a Linux application sandboxing and distribution framework. A path traversal vulnerability affects versions of Flatpak prior to 1.12.3 and 1.10.6. flatpak-builder applies `finish-args` last in the build. At this point the build directory will have the full access that is specified in the manifest, so running `flatpak build` against it will gain those permissions. Normally this will not be done, so this is not problem. However, if `--mirror-screenshots-url` is specified, then flatpak-builder will launch `flatpak build --nofilesystem=host appstream-utils mirror-screenshots` after finalization, which can lead to issues even with the `--nofilesystem=host` protection. In normal use, the only issue is that these empty directories can be created wherever the user has write permissions. However, a malicious application could replace the `appstream-util` binary and potentially do something more hostile. This has been resolved in Flatpak 1.12.3 and 1.10.6 by changing the behaviour of `--nofilesystem=home` and `--nofilesystem=host`.

4 /10

CVSS v2.0 :

V3 Legend

Vector :

Exploitability : 8 / Impact : 2.9

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

Scope

6.5 /10

CVSS v3.0 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://github.com/flatpak/flatpak/security/advisories/GHSA-8ch7-5j3h-g4fx Patch Third Party Advisory
https://github.com/flatpak/flatpak/commit/4d11f77aa7fd3e64cfa80af89d92567ab9e8e6fa Patch Third Party Advisory
https://github.com/flatpak/flatpak/commit/445bddeee657fdc8d2a0a1f0de12975400d4fc1a Patch Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/APFTBYGJJVJPFVHRXUW5PII5XOAFI4KH/ Mailing List Third Party Advisory
https://www.debian.org/security/2022/dsa-5049 Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IXKBERLJRYV7KXKGXOLI6IOXVBQNN4DP/ Mailing List Third Party Advisory
Configurations

Configuration 1

cpe:2.3:a:flatpak:flatpak-builder:*:*:*:*:*:*:*:*
cpe:2.3:a:flatpak:flatpak:*:*:*:*:*:*:*:*
cpe:2.3:a:flatpak:flatpak:*:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
Information

Published : 2022-01-13 09:15

Updated : 2022-02-10 07:52

NVD link : CVE-2022-21682

Mitre link : CVE-2022-21682

Products Affected
No products.
CWE
CWE-22