CVE-2021-43860

CWE-269 — Improper Privilege Management CWE-276 — Incorrect Default Permissions5 documents5 sources

Severity

8.6HIGH

EPSS

0.2%

top 62.35%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Flatpak Flatpak Debian Debian Linux Fedoraproject Fedora +1 more

Timeline

PublishedJan 12

Description

Flatpak is a Linux application sandboxing and distribution framework. Prior to versions 1.12.3 and 1.10.6, Flatpak doesn't properly validate that the permissions displayed to the user for an app at install time match the actual permissions granted to the app at runtime, in the case that there's a null byte in the metadata file of an app. Therefore apps can grant themselves permissions without the consent of the user. Flatpak shows permissions to the user during install by reading them from the "…

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:NExploitability: 1.8 | Impact: 5.8

Affected Packages3 packages

▶CVEListV5flatpak/flatpak< 1.10.6+1

▶NVDflatpak/flatpak1.11.1 — 1.12.3+1

▶Debianflatpak< 1.10.7-0+deb11u1+3

Also affects: Debian Linux 10.0, 11.0, 9.0, Enterprise Linux 8.0, Fedora 35

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

CVEList

Permissions granted to applications can be hidden from the user at install time↗2022-01-12

▶

OSV

CVE-2021-43860: Flatpak is a Linux application sandboxing and distribution framework↗2022-01-12

▶

📋Vendor Advisories

Red Hat

flatpak: Permissions granted to applications can be hidden from the user at install time↗2022-01-12

▶

Debian

CVE-2021-43860: flatpak - Flatpak is a Linux application sandboxing and distribution framework. Prior to v...↗2021

▶