CVE-2021-41133

EPSS 0.04%
Published 08.10.2021 14:15:08
Last modified 21.11.2024 06:25:33
Source security-advisories@github.com
Teams watchlist Login
Open Login

Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. In versions prior to 1.10.4 and 1.12.0, Flatpak apps with direct access to AF_UNIX sockets such as those used by Wayland, Pipewire or pipewire-pulse can trick portals and other host-OS services into treating the Flatpak app as though it was an ordinary, non-sandboxed host-OS process. They can do this by manipulating the VFS using recent mount-related syscalls that are not blocked by Flatpak's denylist seccomp filter, in order to substitute a crafted `/.flatpak-info` or make that file disappear entirely. Flatpak apps that act as clients for AF_UNIX sockets such as those used by Wayland, Pipewire or pipewire-pulse can escalate the privileges that the corresponding services will believe the Flatpak app has. Note that protocols that operate entirely over the D-Bus session bus (user bus), system bus or accessibility bus are not affected by this. This is due to the use of a proxy process `xdg-dbus-proxy`, whose VFS cannot be manipulated by the Flatpak app, when interacting with these buses. Patches exist for versions 1.10.4 and 1.12.0, and as of time of publication, a patch for version 1.8.2 is being planned. There are no workarounds aside from upgrading to a patched version.

Affected products Warnungen 0 Metrics 4 CWE 1 References 17

Data is provided by the National Vulnerability Database (NVD)

Flatpak ≫ Flatpak Version < 1.8.2

Flatpak ≫ Flatpak Version >= 1.10.0 < 1.10.4

Flatpak ≫ Flatpak Version >= 1.11.1 < 1.12.1

Debian ≫ Debian Linux Version11.0

Fedoraproject ≫ Fedora Version33

Fedoraproject ≫ Fedora Version34

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.04%	0.105

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	7.8	1.8	5.9	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	4.6	3.9	6.4	AV:L/AC:L/Au:N/C:P/I:P/A:P
security-advisories@github.com	8.8	2	6	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

https://security.gentoo.org/glsa/202312-12

http://www.openwall.com/lists/oss-security/2021/10/26/9

Third Party Advisory

Mailing List

https://github.com/flatpak/flatpak/commit/1330662f33a55e88bfe18e76de28b7922d91a999

Patch

Third Party Advisory

https://github.com/flatpak/flatpak/commit/26b12484eb8a6219b9e7aa287b298a894b2f34ca

Patch

Third Party Advisory

https://github.com/flatpak/flatpak/commit/462fca2c666e0cd2b60d6d2593a7216a83047aaf

Patch