CVE-2024-42472

CWE-74 | 7 documents | 6 sources
Severity: 10.0 CRITICAL
EPSS: 6.5% (top 8.86%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Aug 15; latest update Sep 30

Description

Flatpak is a Linux application sandboxing and distribution framework. Prior to versions 1.14.10 and 1.15.10, a malicious or compromised Flatpak app using persistent directories could access and write files outside of what it would otherwise have access to, which is an attack on integrity and confidentiality. When `persistent=subdir` is used in the application permissions (represented as `--persist=subdir` in the command-line interface), that means that an application which otherwise doesn't have

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
Exploitability: 3.9 | Impact: 5.8

Affected Packages (4 packages)

Source    | Package         | Affected versions
CVEListV5 | flatpak/flatpak | < 1.14.10 (+1 more range)
NVD       | flatpak/flatpak | from 1.14.0, before 1.14.10 (+1 more range)
Debian    | flatpak         | < 1.10.8-0+deb11u3 (+3 more)
Alpine    | bubblewrap      | < 0.10.0-r0 (+3 more)

Also affects: Debian Linux 11.0
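A host-side check for this advisory, added here as an example (not code from cvebase.io or the Flatpak project): it compares a Flatpak version against the fixed releases 1.14.10 and 1.15.10 listed above, and it pulls the `persistent=` entries (the metadata form of `--persist`) out of an app's permission dump so you can see which installed apps actually use the affected feature. The metadata text is constructed for the example; the app id `com.example.App` and its paths are invented. On a live host the same text comes from `flatpak info --show-permissions <app-id>`, which the `audit_host` function calls when `flatpak` is present.

```shell
#!/bin/sh
# Added example for CVE-2024-42472; not code from cvebase.io or the Flatpak project.
# Two offline checks a host owner wants:
#   1. is this flatpak version below the fixed releases (1.14.10 / 1.15.10)?
#   2. which persistent= (--persist) subdirectories does an app's metadata declare?

# version_lt A B: succeed when dotted version A sorts strictly below B.
version_lt() {
    [ "$1" = "$2" ] && return 1
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$lowest" = "$1" ]
}

# flatpak_vulnerable VERSION: succeed when VERSION predates the fix.
# The 1.15.x branch is fixed at 1.15.10; everything else is fixed at 1.14.10.
flatpak_vulnerable() {
    case "$1" in
        1.15.*) version_lt "$1" 1.15.10 ;;
        *)      version_lt "$1" 1.14.10 ;;
    esac
}

# persist_dirs METADATA: print each persistent= entry (one per line) found in
# the [Context] section of a flatpak metadata dump; empty output means the app
# does not use --persist at all.
persist_dirs() {
    printf '%s\n' "$1" | sed -n 's/^persistent=//p' | tr ';' '\n' | sed '/^$/d'
}

# Constructed sample (assumption: app id and paths are invented) of what
# `flatpak info --show-permissions` prints for an app built with
# --persist=.config/example --persist=data.
SAMPLE_METADATA='[Application]
name=com.example.App
runtime=org.freedesktop.Platform/x86_64/23.08

[Context]
shared=network;ipc;
sockets=x11;wayland;
persistent=.config/example;data;
'

# audit_host: run the same two checks against the live system when flatpak is
# installed; prints the version verdict and one line per app using persistent=.
audit_host() {
    command -v flatpak >/dev/null 2>&1 || { echo "flatpak not installed"; return 1; }
    ver=$(flatpak --version | awk '{print $2}')   # "Flatpak 1.14.10" -> "1.14.10"
    if flatpak_vulnerable "$ver"; then
        echo "flatpak $ver: predates the fixed release, update"
    else
        echo "flatpak $ver: fixed"
    fi
    flatpak list --app --columns=application | while read -r app; do
        dirs=$(persist_dirs "$(flatpak info --show-permissions "$app")")
        [ -n "$dirs" ] && printf '%s uses --persist: %s\n' "$app" "$(printf '%s' "$dirs" | tr '\n' ' ')"
    done
}

# Offline demonstration on the constructed sample.
printf 'sample app persists: %s\n' "$(persist_dirs "$SAMPLE_METADATA" | tr '\n' ' ')"
for v in 1.14.9 1.14.10 1.15.9 1.15.10 1.16.0; do
    if flatpak_vulnerable "$v"; then echo "$v: vulnerable"; else echo "$v: fixed"; fi
done
```

Because the Alpine entry above lists bubblewrap < 0.10.0 as affected, also record `bwrap --version` when auditing: an updated flatpak paired with an older bubblewrap is still worth flagging rather than treating as closed.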

Patches

Vulnerability Details

CVEList: Flatpak may allow access to files outside sandbox for certain apps (2024-08-15)
OSV: CVE-2024-42472: Flatpak is a Linux application sandboxing and distribution framework (2024-08-15)

Vendor Advisories

Ubuntu: Flatpak and Bubblewrap vulnerability (2024-09-30)
Red Hat: flatpak: Access to files outside sandbox for apps using persistent= (--persist) (2024-08-14)
Debian: CVE-2024-42472: flatpak - Flatpak is a Linux application sandboxing and distribution framework. Prior to v... (2024)
Source: cvebase.io (CVE-2024-42472, CRITICAL, CVSS 10.0)