CVE-2021-21261

Severity
8.8 HIGH
EPSS
0.2%
top 54.68%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Jan 14
Latest update: Feb 4

Description

Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. A bug was discovered in the `flatpak-portal` service that can allow sandboxed applications to execute arbitrary code on the host system (a sandbox escape). This sandbox-escape bug is present in versions from 0.11.4 and before fixed versions 1.8.5 and 1.10.0. The Flatpak portal D-Bus service (`flatpak-portal`, also known by its D-Bus service name `org.freedesktop.portal.Flatpak`) allows apps in a

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
Exploitability: 2.0 | Impact: 4.7

Affected Packages (3 packages)

Source    | Package         | Affected versions                       | More
NVD       | flatpak/flatpak | 0.11.4 to 1.8.5                         | +1
Debian    | flatpak         | < 1.8.5-1                               | +3
CVEListV5 | flatpak/flatpak | >= 0.11.4, < 1.8.5; >= 1.9.0, < 1.10.0  | +1

Also affects: Debian Linux 10.0

Patches

Vulnerability Details (2)

CVEList: Flatpak sandbox escape via spawn portal (2021-01-14)
OSV: CVE-2021-21261: Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux (2021-01-14)

Vendor Advisories (3)

Ubuntu: Flatpak vulnerability (2021-02-04)
Red Hat: flatpak: sandbox escape via spawn portal (2021-01-14)
Debian: CVE-2021-21261: flatpak - Flatpak is a system for building, distributing, and running sandboxed desktop ap... (2021)
CVE-2021-21261 (HIGH CVSS 8.8) | Flatpak is a system for building | cvebase.io