CVE-2021-41133
Published 2021-10-08
Priority: P3 (43), high, CVSS 3.1 score 7.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.41% (32.4th percentile)
Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. In versions prior to 1.10.4 and 1.12.0, Flatpak apps with direct access to AF_UNIX sockets such as those used by Wayland, Pipewire or pipewire-pulse can trick portals and other host-OS services into treating the Flatpak app as though it was an ordinary, non-sandboxed host-OS process. They can do this by manipulating the VFS using recent mount-related syscalls that are not blocked by Flatpak's denylist seccomp filter, in order to substitute a crafted `/.flatpak-info` or make that file disappear entirely. Flatpak apps that act as clients for AF_UNIX sockets such as those used by Wayland, Pipewire or pipewire-pulse can escalate the privileges that the corresponding services will believe the Flatpak app has. Note that protocols that operate entirely over the D-Bus session bus (user bus), system bus or accessibility bus are not affected by this. This is due to the use of a proxy process `xdg-dbus-proxy`, whose VFS cannot be manipulated by the Flatpak app, when interacting with these buses. Patches exist for versions 1.10.4 and 1.12.0, and as of time of publication, a patch for version 1.8.2 is being planned. There are no workarounds aside from upgrading to a patched version.
Affected (17 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | flatpak | < flatpak 1.12.1-1 (bookworm) | flatpak 1.12.1-1 (bookworm) |
| debian | webkit2gtk | < webkit2gtk 2.34.1-1 (bookworm) | webkit2gtk 2.34.1-1 (bookworm) |
| debian | wpewebkit | < webkit2gtk 2.34.1-1 (bookworm) | webkit2gtk 2.34.1-1 (bookworm) |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| flatpak | flatpak | < 1.8.2 | 1.8.2 |
| flatpak | flatpak | >= 0 < 1.10.5-0+deb11u1 | 1.10.5-0+deb11u1 |
| flatpak | flatpak | >= 0 < 1.12.1-1 | 1.12.1-1 |
| flatpak | flatpak | >= 0 < 1.12.1-1 | 1.12.1-1 |
| flatpak | flatpak | >= 0 < 1.12.1-1 | 1.12.1-1 |
| flatpak | flatpak | >= 1.10.0 < 1.10.4 | 1.10.4 |
| flatpak | flatpak | >= 1.11.1 < 1.12.1 | 1.12.1 |
| webkitgtk | webkitgtk | < 2.34.1 | 2.34.1 |
| wpewebkit | wpe_webkit | < 2.34.1 | 2.34.1 |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 4.6 | MEDIUM | AV:L/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 7.8 | HIGH | — |
| vendor_debian | — | 8.8 | HIGH | — |
| vendor_redhat | — | 8.8 | HIGH | — |
GHSA: GHSA-4ch5-gr7v-q6wq: BubblewrapLauncher (CVE-2021-42762, HIGH)
ghsa_unreviewed · 2022-05-24 · CVSS 8.8
BubblewrapLauncher.cpp in WebKitGTK and WPE WebKit before 2.34.1 allows a limited sandbox bypass that allows a sandboxed process to trick host processes into thinking the sandboxed process is not confined by the sandbox, by abusing VFS syscalls that manipulate its filesystem namespace. The impact is limited to host services that create UNIX sockets that WebKit mounts inside its sandbox, and the sandboxed process remains otherwise confined. NOTE: this is similar to CVE-2021-41133.
OSV: CVE-2021-42762: BubblewrapLauncher (HIGH)
osv · 2021-10-20 · CVSS 7.8
OSV: CVE-2021-41133: Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux (HIGH)
osv · 2021-10-08 · CVSS 7.8
Ubuntu: CVE-2021-41133 Flatpak vulnerability
vendor_ubuntu · 2021-12-14
Title: Flatpak vulnerability
Summary: A system hardening measure could be bypassed.
It was discovered that Flatpak incorrectly handled certain AF_UNIX sockets. An attacker could use this to specially craft a Flatpak application that could escape sandbox confinement.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat: webkitgtk: limited sandbox escape via VFS syscalls (CVE-2021-42762, HIGH, CWE-20)
vendor_redhat · 2021-10-20 · CVSS 8.8
Package: webkitgtk (Red Hat Enterprise Linux 6) - Not affected
Package: webkitgtk3 (Red Hat Enterprise Linux 7) - Not affected
Package: webkit2gtk3 (Red Hat Enterprise Linux 8) - Not affected
Package: webkit2gtk3 (Red Hat Enterprise Linux 9) - Not affected
Red Hat: flatpak: Sandbox bypass via recent VFS-manipulating syscalls (CVE-2021-41133, HIGH, CWE-20)
vendor_redhat · 2021-10-08 · CVSS 8.8
Debian: CVE-2021-41133: flatpak - Flatpak is a system for building, distributing, and running sandboxed desktop ap... (HIGH)
vendor_debian · 2021 · CVSS 8.8
Debian: CVE-2021-42762: webkit2gtk - BubblewrapLauncher.cpp in WebKitGTK and WPE WebKit before 2.34.1 allows a limite... (HIGH)
vendor_debian · 2021 · CVSS 8.8
Scope: local
bookworm: resolved (fixed in 2.34.1-1)
bullseye: resolved (fixed in 2.34.1-1~deb11u1)
forky: resolved (fixed in 2.34.1-1)
sid: resolved (fixed in 2.34.1-1)
trixie: resolved (fixed in 2.34.1-1)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
http://www.openwall.com/lists/oss-security/2021/10/26/9
https://github.com/flatpak/flatpak/commit/1330662f33a55e88bfe18e76de28b7922d91a999
https://github.com/flatpak/flatpak/commit/26b12484eb8a6219b9e7aa287b298a894b2f34ca
https://github.com/flatpak/flatpak/commit/462fca2c666e0cd2b60d6d2593a7216a83047aaf
https://github.com/flatpak/flatpak/commit/4c34815784e9ffda5733225c7d95824f96375e36
https://github.com/flatpak/flatpak/commit/89ae9fe74c6d445bb1b3a40e568d77cf5de47e48
https://github.com/flatpak/flatpak/commit/9766ee05b1425db397d2cf23afd24c7f6146a69f
https://github.com/flatpak/flatpak/commit/a10f52a7565c549612c92b8e736a6698a53db330
https://github.com/flatpak/flatpak/commit/e26ac7586c392b5eb35ff4609fe232c52523b2cf
https://github.com/flatpak/flatpak/security/advisories/GHSA-67h7-w3jq-vh4q
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R5656ONDP2MGKIJMKEC7N2NXCV27WGTC/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T5DKCYRC6MFSTFCUP4DELCOUUP3SFEFX/
https://security.gentoo.org/glsa/202312-12
https://www.debian.org/security/2021/dsa-4984