CVE-2024-42472
Published 2024-08-15
PriorityP265critical10CVSS 3.1
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
EPSS: 1.28% (66.5th percentile)
Flatpak is a Linux application sandboxing and distribution framework. Prior to versions 1.14.0 and 1.15.10, a malicious or compromised Flatpak app using persistent directories could access and write files outside of what it would otherwise have access to, which is an attack on integrity and confidentiality.
When `persistent=subdir` is used in the application permissions (represented as `--persist=subdir` in the command-line interface), that means that an application which otherwise doesn't have access to the real user home directory will see an empty home directory with a writeable subdirectory `subdir`. Behind the scenes, this directory is actually a bind mount and the data is stored in the per-application directory as `~/.var/app/$APPID/subdir`. This allows existing apps that are not aware of the per-application directory to still work as intended without general home directory access.
However, the application does have write access to the application directory `~/.var/app/$APPID` where this directory is stored. If the source directory for the `persistent`/`--persist` option is replaced by a symlink, then the next time the application is started, the bind mount will follow the symlink and mount whatever it points to into the sandbox.
Partial protection against this vulnerability can be provided by patching Flatpak using the patches in commits ceec2ffc and 98f79773. However, this leaves a race condition that could be exploited by two instances of a malicious app running in parallel. Closing the race condition requires updating or patching the version of bubblewrap that is used by Flatpak to add the new `--bind-fd` option using the patch and then patching Flatpak to use it. If Flatpak has been configured at build-time with `-Dsystem_bubblewrap=bwrap` (1.15.x) or `--with-system-bubblewrap=bwrap` (1.14.x or older), or a similar option, then the version of bubblewrap that needs to be patched is a system copy that is distributed separately, typically `/usr/bin/bwrap`.
Affected (10 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | flatpak | < flatpak 1.14.10-1~deb12u1 (bookworm) | flatpak 1.14.10-1~deb12u1 (bookworm) |
| flatpak | flatpak | < 1.14.10 | 1.14.10 |
| flatpak | flatpak | — | — |
| flatpak | flatpak | >= 0 < 1.10.8-0+deb11u3 | 1.10.8-0+deb11u3 |
| flatpak | flatpak | >= 0 < 1.14.10-1~deb12u1 | 1.14.10-1~deb12u1 |
| flatpak | flatpak | >= 0 < 1.14.10-1 | 1.14.10-1 |
| flatpak | flatpak | >= 0 < 1.14.10-1 | 1.14.10-1 |
| flatpak | flatpak | >= 1.14.0 < 1.14.10 | 1.14.10 |
| flatpak | flatpak | >= 1.15.0 < 1.15.10 | 1.15.10 |
Detection & IOCs (extracted from sources)
- Monitor for symlink creation inside ~/.var/app/$APPID/ directories, particularly where a persistent subdirectory is replaced by a symlink pointing outside the sandbox. This is the core exploitation primitive.
- Detect concurrent execution of multiple instances of the same Flatpak application, which may indicate exploitation of the race condition variant of this vulnerability.
- Audit Flatpak application manifests or permissions for use of the `persistent` / `--persist` option, as this is the required precondition for exploitation.
- Monitor bind mount operations initiated by bwrap (/usr/bin/bwrap or /usr/libexec/flatpak-bwrap) that resolve through symlinks to paths outside ~/.var/app/$APPID/, which would indicate sandbox escape.
- Check installed Flatpak version; versions prior to 1.14.10 (1.14.x branch) or 1.15.10 (1.15.x branch) are vulnerable. Flag systems running 1.12.x or 1.10.x as unpatched.
- If Flatpak is built with `-Dsystem_bubblewrap=bwrap` (1.15.x) or `--with-system-bubblewrap=bwrap` (1.14.x), the system-installed /usr/bin/bwrap must be patched separately; patching only Flatpak is insufficient.
- Applying only the Flatpak patches (commits ceec2ffc and 98f79773) provides only partial protection; the race condition remains exploitable without also patching bubblewrap to add --bind-fd.
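As an added defender-side check that is not part of this record or of the Flatpak project, the following Python script audits the two conditions singled out by the description and the detection list above: a persisted subdirectory under `~/.var/app/$APPID` that has been replaced by a symlink (reporting whether it resolves outside the app directory), and an upstream Flatpak version below 1.14.10 or 1.15.10. The app id `org.example.App`, the temporary directory layout and the version strings are constructed sample inputs; the script only inspects filesystem metadata with `lstat` and performs no mount operations.

```python
"""Audit Flatpak per-app persisted directories for symlink replacement and
flag unpatched upstream Flatpak versions (added example, not Flatpak code)."""
import os
import re
import stat
import tempfile
from pathlib import Path


def parse_version(version: str) -> tuple:
    """Parse 'MAJOR.MINOR.PATCH' (trailing suffixes ignored) into an int tuple."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised Flatpak version: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable_upstream_version(version: str) -> bool:
    """Upstream fix boundaries from the advisory: 1.14.10 and 1.15.10.
    Older branches (1.12.x, 1.10.x, ...) are unpatched upstream. Distribution
    backports (e.g. Debian's 1.10.8-0+deb11u3) are NOT recognised here."""
    v = parse_version(version)
    if v[:2] == (1, 15):
        return v < (1, 15, 10)
    return v < (1, 14, 10)


def audit_persisted_dirs(app_dir: Path, persisted: list) -> list:
    """For each `persistent=NAME` entry of one app, walk NAME component by
    component under app_dir (~/.var/app/$APPID) and report the first component
    that is a symlink. The bind mount source having become a symlink is the
    condition the advisory describes; each finding records where the link
    resolves and whether that lies outside the app directory."""
    app_root = app_dir.resolve()
    findings = []
    for name in persisted:
        current = app_dir
        for part in Path(name).parts:
            current = current / part
            try:
                st = os.lstat(current)  # lstat: do not follow the link itself
            except FileNotFoundError:
                break  # app has not created it yet; nothing to check
            if stat.S_ISLNK(st.st_mode):
                resolved = current.resolve()
                findings.append({
                    "persist": name,
                    "component": str(current),
                    "target": os.readlink(current),
                    "resolves_to": str(resolved),
                    "escapes_app_dir": not resolved.is_relative_to(app_root),
                })
                break  # deeper components are already under attacker control
    return findings


def demo() -> list:
    """Constructed sample layout (not real data): one honest persisted
    directory, one replaced by a symlink pointing outside the app dir, and
    one persisted path the app has not created yet."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        app_dir = tmp / ".var" / "app" / "org.example.App"  # hypothetical app id
        (app_dir / "data").mkdir(parents=True)
        outside = tmp / "real-home-secrets"
        outside.mkdir()
        os.symlink(outside, app_dir / "subdir")  # the replaced bind-mount source
        return audit_persisted_dirs(app_dir, ["data", "subdir", ".config/missing"])


if __name__ == "__main__":
    for finding in demo():
        print(finding)
    for ver in ("1.14.9", "1.14.10", "1.15.10", "1.12.8"):
        print(ver, "vulnerable upstream" if is_vulnerable_upstream_version(ver) else "fixed")
```

On a real host, point `audit_persisted_dirs` at each `~/.var/app/$APPID` and feed it the `persistent=` entries from that app's metadata; a finding with `escapes_app_dir` true is the case the first detection bullet describes, while a symlink that stays inside the app directory is still worth review because the source directory should be a plain directory. The version check deliberately ignores distribution backports, so pair it with your package manager's own vulnerability data.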
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 10.0 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N |
| osv | — | 10.0 | CRITICAL | — |
| vendor_debian | — | 10.0 | CRITICAL | — |
| vendor_redhat | — | 10.0 | CRITICAL | — |
Ubuntu
Flatpak and Bubblewrap vulnerability
vendor_ubuntu · 2024-09-30
Summary: Flatpak could be made to read and write files in locations it would not normally have access to.
It was discovered that Flatpak incorrectly handled certain persisted directories. An attacker could possibly use this issue to read and write files in locations it would not normally have access to. A patch was also needed to Bubblewrap in order to avoid race conditions caused by this fix.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
flatpak: Access to files outside sandbox for apps using persistent= (--persist)
vendor_redhat · 2024-08-14 · CVSS 10.0 · CRITICAL · CWE-74
Debian
CVE-2024-42472: flatpak
vendor_debian · 2024 · CVSS 10.0 · CRITICAL
OSV
CVE-2024-42472: Flatpak is a Linux application sandboxing and distribution framework
osv · 2024-08-15 · CVSS 10.0 · CRITICAL
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://github.com/containers/bubblewrap/commit/68e75c3091c87583c28a439b45c45627a94d622c
- https://github.com/containers/bubblewrap/commit/a253257cd298892da43e15201d83f9a02c9b58b5
- https://github.com/flatpak/flatpak/commit/2cdd1e1e5ae90d7c3a4b60ce2e36e4d609e44e72
- https://github.com/flatpak/flatpak/commit/3caeb16c31a3ed62d744e2aaf01d684f7991051a
- https://github.com/flatpak/flatpak/commit/6bd603f6836e9b38b9b937d3b78f3fbf36e7ff75
- https://github.com/flatpak/flatpak/commit/7c63e53bb2af0aae9097fd2edfd6a9ba9d453e97
- https://github.com/flatpak/flatpak/commit/8a18137d7e80f0575e8defabf677d81e5cc3a788
- https://github.com/flatpak/flatpak/commit/db3a785241fda63bf53f0ec12bb519aa5210de19
- https://github.com/flatpak/flatpak/security/advisories/GHSA-7hgv-f2j8-xw87
- http://www.openwall.com/lists/oss-security/2024/08/14/6
- https://lists.debian.org/debian-lts-announce/2025/03/msg00025.html