CVE-2024-32462

CWE-88
5 documents, 5 sources
Severity: 8.4 HIGH
EPSS: 0.2% (top 56.86%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Apr 18

Description

Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. In versions before 1.10.9, 1.12.9, 1.14.6, and 1.15.8, a malicious or compromised Flatpak app could execute arbitrary code outside its sandbox. Normally, the `--command` argument of `flatpak run` expects to be given a command to run in the specified Flatpak app, optionally along with some arguments. However, it is possible to instead pass `bwrap` arguments to `--command=`, such as `--bind`. It's p

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Exploitability: 2.0 | Impact: 5.8

Affected Packages (3 packages)

Source      Package          Affected versions          More
CVEList V5  flatpak/flatpak  < 1.10.9                   +3
NVD         flatpak/flatpak  1.12.0 to 1.12.9           +3
Debian      flatpak          < 1.10.8-0+deb11u2         +3

Also affects: Fedora 39, 40

Patches

Vulnerability Details (2)
CVEList: Flatpak vulnerable to a sandbox escape via RequestBackground portal due to bad argument parsing (2024-04-18)
OSV: CVE-2024-32462: Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux (2024-04-18)

Vendor Advisories (2)
Red Hat: flatpak: sandbox escape via RequestBackground portal (2024-04-18)
Debian: CVE-2024-32462: flatpak - Flatpak is a system for building, distributing, and running sandboxed desktop ap... (2024)
CVE-2024-32462 (HIGH CVSS 8.4) | Flatpak is a system for building | cvebase.io