Published: 11/03/2021 Updated: 23/12/2023

CVSS v2 Base Score: 5.8 | Impact Score: 4.9 | Exploitability Score: 8.6

CVSS v3 Base Score: 8.2 | Impact Score: 5.8 | Exploitability Score: 1.8

VMScore: 516

Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N

Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. In Flatpack since version 0.9.4 and before version 1.10.2 has a vulnerability in the "file forwarding" feature which can be used by an malicious user to gain access to files that would not ordinarily be allowed by the app's permissions. By putting the special tokens `@@` and/or `@@u` in the Exec field of a Flatpak app's .desktop file, a malicious app publisher can trick flatpak into behaving as though the user had chosen to open a target file with their Flatpak app, which automatically makes that file available to the Flatpak app. This is fixed in version 1.10.2. A minimal solution is the first commit "`Disallow @@ and @@U usage in desktop files`". The follow-up commits "`dir: Reserve the whole @@ prefix`" and "`dir: Refuse to export .desktop files with suspicious uses of @@ tokens`" are recommended, but not strictly required. As a workaround, avoid installing Flatpak apps from untrusted sources, or check the contents of the exported `.desktop` files in `exports/share/applications/*.desktop` (typically `~/.local/share/flatpak/exports/share/applications/*.desktop` and `/var/lib/flatpak/exports/share/applications/*.desktop`) to make sure that literal filenames do not follow `@@` or `@@u`.

Vulnerable Product	Search on Vulmon	Subscribe to Product
flatpak flatpak
debian debian linux 10.0
fedoraproject fedora 33
fedoraproject fedora 34

Anton Lydike discovered that sandbox restrictions in Flatpak, an application deployment framework for desktop apps, could be bypassed via a malicious desktop file For the stable distribution (buster), this problem has been fixed in version 125-0+deb10u4 We recommend that you upgrade your flatpak packages For the detailed security status of fl ...

A sandbox escape flaw was found in the way flatpak handled special tokens in "desktop" files This flaw allows an attacker to gain access to files that are not ordinarily allowed by the app's permissions The highest threat from this vulnerability is to confidentiality and integrity (CVE-2021-21381) ...

Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux In Flatpack since version 094 and before version 1102 has a vulnerability in the "file forwarding" feature which can be used by an attacker to gain access to files that would not ordinarily be allowed by the app's permissions By putting the spe ...

Flatpack since version 094 and before version 1102 has a vulnerability in the "file forwarding" feature which can be used by an attacker to gain access to files that would not ordinarily be allowed by the app's permissions By putting the special tokens `@@` and/or `@@u` in the Exec field of a Flatpak app's desktop file, a malicious app publis ...

CWE-74 https://github.com/flatpak/flatpak/pull/4156 https://github.com/flatpak/flatpak/commit/a7401e638bf0c03102039e216ab1081922f140ae https://github.com/flatpak/flatpak/commit/8279c5818425b6812523e3805bbe242fb6a5d961 https://github.com/flatpak/flatpak/releases/tag/1.10.2 https://github.com/flatpak/flatpak/security/advisories/GHSA-xgh4-387p-hqpp https://github.com/flatpak/flatpak/commit/eb7946bb6248923d8c90fe9b84425fef97ae580d https://www.debian.org/security/2021/dsa-4868 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WXNVFOIB6ZP4DGOVKAM25T6OIEP3YLGV/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2MXXLXC2DPJ45HSMTI5MZYHMYEGQN6AA/https://security.gentoo.org/glsa/202312-12 https://nvd.nist.gov https://www.debian.org/security/2021/dsa-4868

CVE-2021-21381

Vulnerability Summary

Vulnerability Trend

Vendor Advisories

References

Vulmon Search

About

Products

Connect