Multiple vulnerabilities in flatpak
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
Updated: 14.03.2021
Added vulnerability #2.
1) Memory leak
EUVDB-ID: #VU51413
Risk: Medium
CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: N/A
CWE-ID:
CWE-401 - Missing release of memory after effective lifetime
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform DoS attack on the target system.
The vulnerability exists due memory leak. A remote attacker can force the application to leak memory and perform denial of service attack.
MitigationInstall updates from vendor's website.
Vulnerable software versionsFlatpak: 1.10.0 - 1.10.1
CPE2.3 External linkshttps://github.com/flatpak/flatpak/releases/tag/1.10.2
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Improper Neutralization of Special Elements in Output Used by a Downstream Component
EUVDB-ID: #VU51443
Risk: Medium
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2021-21381
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to improper input validation within the "file forwarding" feature. By putting the special tokens `@@` and/or `@@u` in the Exec field of a Flatpak app's .desktop file, a malicious app publisher can trick flatpak into behaving as though the user had chosen to open a target file with their Flatpak app, which automatically makes that file available to the Flatpak app.
MitigationInstall updates from vendor's website.
Vulnerable software versionsFlatpak: 0.9.4 - 1.10.1
CPE2.3- cpe:2.3:a:flatpak:flatpak:0.99.3:*:*:*:*:*:*:*
- cpe:2.3:a:flatpak:flatpak:1.0.9:*:*:*:*:*:*:*
- cpe:2.3:a:flatpak:flatpak:1.2.5:*:*:*:*:*:*:*
- cpe:2.3:a:flatpak:flatpak:1.3.4:*:*:*:*:*:*:*
- cpe:2.3:a:flatpak:flatpak:1.4.4:*:*:*:*:*:*:*
- cpe:2.3:a:flatpak:flatpak:1.5.2:*:*:*:*:*:*:*
- cpe:2.3:a:flatpak:flatpak:1.6.5:*:*:*:*:*:*:*
- cpe:2.3:a:flatpak:flatpak:1.7.3:*:*:*:*:*:*:*
- cpe:2.3:a:flatpak:flatpak:1.8.5:*:*:*:*:*:*:*
https://github.com/flatpak/flatpak/commit/8279c5818425b6812523e3805bbe242fb6a5d961
https://github.com/flatpak/flatpak/commit/a7401e638bf0c03102039e216ab1081922f140ae
https://github.com/flatpak/flatpak/commit/eb7946bb6248923d8c90fe9b84425fef97ae580d
https://github.com/flatpak/flatpak/pull/4156
https://github.com/flatpak/flatpak/releases/tag/1.10.2
https://github.com/flatpak/flatpak/security/advisories/GHSA-xgh4-387p-hqpp
https://www.debian.org/security/2021/dsa-4868
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
