ALAS2022-2022-021

Related Vulnerabilities: CVE-2021-43860, CVE-2022-21682

Amazon Linux 2022 Security Advisory: ALAS-2022-021
Advisory Release Date: 2022-01-31 22:21 Pacific
Advisory Updated Date: 2022-02-03 18:40 Pacific
Severity: Medium

Issue Overview:

An incorrect authorization vulnerability was found in Flatpak. Flatpak does not properly validate that the permissions displayed to the user for an app at install time match the actual permissions granted to the app at runtime when the app's metadata file contains a null byte. This issue allows apps to grant themselves permissions without the user's consent. (CVE-2021-43860)
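
The mismatch described above, as an added example (not Flatpak's or the advisory's code): a check that compares the [Context] permissions a NUL-terminated-string reader would display at install time with those a length-aware key-file parser would grant at runtime, run over a constructed metadata file. The parser, the sample and the key names are assumptions modelled on Flatpak's key-file layout.

```python
# Added example, not Flatpak's code. Constructed sample: everything after the NUL
# line is invisible to a C-string consumer but visible to a length-aware parser.
SAMPLE_METADATA = (
    b"[Application]\n"
    b"name=org.example.App\n"
    b"runtime=org.example.Platform/x86_64/1.0\n"
    b"\n"
    b"[Context]\n"
    b"sockets=wayland;\n"
    b"\0\n"
    b"filesystems=home;\n"
    b"shared=network;\n"
)

def parse_keyfile(data: bytes) -> dict:
    """Minimal GLib-style key-file parser over the full byte length:
    {group: {key: value}}. Lines without '=' (such as a bare NUL) are skipped."""
    groups, current = {}, None
    for raw in data.split(b"\n"):
        line = raw.strip()
        if not line or line.startswith(b"#"):
            continue
        if line.startswith(b"[") and line.endswith(b"]"):
            current = line[1:-1].decode("utf-8", "replace")
            groups.setdefault(current, {})
        elif b"=" in line and current is not None:
            key, _, value = line.partition(b"=")
            groups[current][key.strip().decode("utf-8", "replace")] = value.strip().decode("utf-8", "replace")
    return groups

def c_string_view(data: bytes) -> bytes:
    """What a NUL-terminated string consumer sees: bytes before the first NUL."""
    return data.split(b"\0", 1)[0]

def audit_metadata(data: bytes) -> list:
    """Return findings (empty list means consistent). Rejecting any NUL byte is
    the simple mitigation; the comparison shows what the byte would have hidden."""
    nul = data.find(b"\0")
    if nul == -1:
        return []
    findings = [f"NUL byte at offset {nul}"]
    shown = parse_keyfile(c_string_view(data)).get("Context", {})   # install-time view
    actual = parse_keyfile(data).get("Context", {})                 # runtime view
    for key in sorted(set(actual) - set(shown)):
        findings.append(f"'{key}={actual[key]}' granted at runtime but not shown at install")
    for key in sorted(set(shown) & set(actual)):
        if shown[key] != actual[key]:
            findings.append(f"'{key}' shown as {shown[key]!r} but granted as {actual[key]!r}")
    return findings
```

Running `audit_metadata(SAMPLE_METADATA)` reports the NUL offset and the two permissions (`filesystems`, `shared`) that the install-time view never displays.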

A path traversal vulnerability was found in Flatpak. This happens when flatpak-builder applies `finish-args` last in the build. At this point the build directory will have the full access that is specified in the manifest, so running `flatpak build` against it will gain those permissions. (CVE-2022-21682)


Affected Packages:

flatpak


Issue Correction:
Run `dnf update --releasever=2022.0.20220202 flatpak` to update your system.

New Packages:
aarch64:
    flatpak-libs-debuginfo-1.12.4-1.amzn2022.aarch64
    flatpak-debuginfo-1.12.4-1.amzn2022.aarch64
    flatpak-session-helper-1.12.4-1.amzn2022.aarch64
    flatpak-session-helper-debuginfo-1.12.4-1.amzn2022.aarch64
    flatpak-tests-debuginfo-1.12.4-1.amzn2022.aarch64
    flatpak-devel-1.12.4-1.amzn2022.aarch64
    flatpak-libs-1.12.4-1.amzn2022.aarch64
    flatpak-debugsource-1.12.4-1.amzn2022.aarch64
    flatpak-tests-1.12.4-1.amzn2022.aarch64
    flatpak-1.12.4-1.amzn2022.aarch64

i686:
    flatpak-debuginfo-1.12.4-1.amzn2022.i686
    flatpak-debugsource-1.12.4-1.amzn2022.i686
    flatpak-tests-debuginfo-1.12.4-1.amzn2022.i686
    flatpak-1.12.4-1.amzn2022.i686
    flatpak-libs-debuginfo-1.12.4-1.amzn2022.i686
    flatpak-devel-1.12.4-1.amzn2022.i686
    flatpak-tests-1.12.4-1.amzn2022.i686
    flatpak-libs-1.12.4-1.amzn2022.i686
    flatpak-session-helper-debuginfo-1.12.4-1.amzn2022.i686
    flatpak-session-helper-1.12.4-1.amzn2022.i686

noarch:
    flatpak-selinux-1.12.4-1.amzn2022.noarch

src:
    flatpak-1.12.4-1.amzn2022.src

x86_64:
    flatpak-debuginfo-1.12.4-1.amzn2022.x86_64
    flatpak-session-helper-1.12.4-1.amzn2022.x86_64
    flatpak-tests-debuginfo-1.12.4-1.amzn2022.x86_64
    flatpak-session-helper-debuginfo-1.12.4-1.amzn2022.x86_64
    flatpak-devel-1.12.4-1.amzn2022.x86_64
    flatpak-libs-1.12.4-1.amzn2022.x86_64
    flatpak-debugsource-1.12.4-1.amzn2022.x86_64
    flatpak-1.12.4-1.amzn2022.x86_64
    flatpak-tests-1.12.4-1.amzn2022.x86_64
    flatpak-libs-debuginfo-1.12.4-1.amzn2022.x86_64