CVE-2017-9780

Published: 21/06/2017 Updated: 03/10/2019
CVSS v2 Base Score: 7.2 | Impact Score: 10 | Exploitability Score: 3.9
CVSS v3 Base Score: 7.8 | Impact Score: 5.9 | Exploitability Score: 1.8
VMScore: 641
Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Summary

In Flatpak prior to 0.8.7, a third-party app repository could include malicious apps that contain files with inappropriate permissions, for example setuid or world-writable. The files are deployed with those permissions, which would let a local attacker run the setuid executable or write to the world-writable location. In the case of the "system helper" component, files deployed as part of the app are owned by root, so in the worst case they could be setuid root.
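The check a packager or administrator would want for this class of bug is an audit of the deployed app tree for exactly the bits the summary names (setuid, setgid, world-writable), together with a sanitizer that clears them before the tree is exposed to other users. The following is an added example written for this page, not Flatpak's own code: it builds a constructed sample tree in a temporary directory, reports offending entries, strips the bits and re-audits. Path names and modes in `demo()` are constructed sample data.

```python
import os
import stat
import tempfile

# Bits that CVE-2017-9780 is about: setuid/setgid and world-write.
# Added illustration for this page, not Flatpak's deploy code.
SETID_BITS = stat.S_ISUID | stat.S_ISGID
WORLD_WRITE = stat.S_IWOTH


def _walk(root):
    """Yield (relative path, full path, lstat) for each entry under root, skipping symlinks."""
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits are never honoured by the kernel
            yield os.path.relpath(full, root), full, st


def audit_tree(root):
    """Return a sorted list of (relative path, reason) for dangerous permission bits."""
    findings = []
    for rel, _full, st in _walk(root):
        mode = stat.S_IMODE(st.st_mode)
        if mode & stat.S_ISUID:
            findings.append((rel, "setuid"))
        if mode & stat.S_ISGID:
            findings.append((rel, "setgid"))
        if mode & WORLD_WRITE:
            findings.append((rel, "world-writable"))
    return sorted(findings)


def sanitize_tree(root):
    """Clear setuid/setgid and world-write bits in place; return the number of entries changed."""
    changed = 0
    for _rel, full, st in _walk(root):
        mode = stat.S_IMODE(st.st_mode)
        safe = mode & ~(SETID_BITS | WORLD_WRITE)
        if safe != mode:
            os.chmod(full, safe)
            changed += 1
    return changed


def demo():
    """Build a constructed app tree with bad permissions, audit, sanitize, and audit again."""
    with tempfile.TemporaryDirectory() as tmp:
        os.makedirs(os.path.join(tmp, "bin"))
        os.makedirs(os.path.join(tmp, "share"))
        sample = {                  # constructed sample files and modes
            "bin/helper": 0o4755,   # setuid executable (the worst case in the summary)
            "share/data": 0o666,    # world-writable file
            "share/readme": 0o644,  # harmless
        }
        for rel, mode in sample.items():
            full = os.path.join(tmp, rel)
            with open(full, "w") as fh:
                fh.write("constructed sample\n")
            os.chmod(full, mode)
        before = audit_tree(tmp)
        changed = sanitize_tree(tmp)
        after = audit_tree(tmp)
        return before, changed, after


if __name__ == "__main__":
    before, changed, after = demo()
    for rel, reason in before:
        print(f"{reason:15} {rel}")
    print(f"sanitized {changed} entries; remaining findings: {after}")
```

Run it against a real deploy directory by calling `audit_tree("/path/to/deployed/app")` from a root or service account; an unprivileged user can only audit trees it can read, and can only chmod its own files. Symlinks are skipped because the kernel ignores mode bits on the link itself; audit the link target's own tree separately if it lies outside the deploy root.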

Vulnerable Products

- flatpak: flatpak
- debian: debian linux 9.0

Vendor Advisories

Debian Bug report logs - #865413 flatpak: CVE-2017-9780: Flatpak security issue. Package: flatpak; Maintainer for flatpak is Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>; Source for flatpak is src:flatpak (PTS, buildd, popcon). Reported by: Simon McVittie <smcv@debian.org>. Date: Wed, 21 Jun ...
It was discovered that Flatpak, an application deployment framework for desktop apps, insufficiently restricted file permissions in third-party repositories, which could result in privilege escalation. For the stable distribution (stretch), this problem has been fixed in version 0.8.5-2+deb9u1. For the unstable distribution (sid), this problem has ...
In Flatpak before 0.8.7, a third-party app repository could include malicious apps that contain files with inappropriate permissions, for example setuid or world-writable. The files are deployed with those permissions, which would let a local attacker run the setuid executable or write to the world-writable location. In the case of the "system help ...