CVE-2017-9780
published 2017-06-21


Priority: P3 (36)
CVSS 3.0: 7.8 (high), vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.36% (27.4th percentile)
In Flatpak before 0.8.7, a third-party app repository could include malicious apps that contain files with inappropriate permissions, for example setuid or world-writable. The files are deployed with those permissions, which would let a local attacker run the setuid executable or write to the world-writable location. In the case of the "system helper" component, files deployed as part of the app are owned by root, so in the worst case they could be setuid root.

Affected (7 ranges)

Vendor    Product        Version range                     Fixed in
debian    debian_linux   (not listed)                      (not listed)
debian    flatpak        < flatpak 0.8.7-1 (bookworm)      flatpak 0.8.7-1 (bookworm)
flatpak   flatpak        <= 0.8.6                          (not listed)
flatpak   flatpak        >= 0, < 0.8.7-1                   0.8.7-1
flatpak   flatpak        >= 0, < 0.8.7-1                   0.8.7-1
flatpak   flatpak        >= 0, < 0.8.7-1                   0.8.7-1
flatpak   flatpak        >= 0, < 0.8.7-1                   0.8.7-1

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.0      7.8     HIGH       CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd             v2.0      7.2     HIGH       AV:L/AC:L/Au:N/C:C/I:C/A:C
osv             -         7.8     HIGH       -
vendor_debian   -         7.8     HIGH       -
vendor_redhat   -         7.8     HIGH       -