#VU49587 Code Injection in Flatpak - CVE-2021-21261
Vulnerability identifier: #VU49587
Vulnerability risk: Low
CVSSv4.0: 7.4 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U/U:Clear]
CVE-ID:
CWE-ID:
CWE-94
Exploitation vector: Local
Exploit availability: No
Vulnerable software:
Flatpak
Server applications /
Frameworks for developing and running applications
Vendor: Flatpak
Description
The vulnerability allows a local application to elevate privileges on the system.
The vulnerability exists due to improper input validation when processing environment variables, passed from a sandboxed process to a non-sandboxed process on the host system, and in particular to the `flatpak run` command that is used to launch the new sandbox instance. A malicious or compromised Flatpak app can set environment variables that are trusted by the `flatpak run` command, and use them to execute arbitrary code that is not in a sandbox.
Mitigation
Install updates from vendor's website.
Vulnerable software versions
Flatpak: 0.11.4 - 0.99.3, 1.0.0 - 1.0.9, 1.1.0 - 1.1.3, 1.2.0 - 1.2.5, 1.3.0 - 1.3.4, 1.4.0 - 1.4.4, 1.5.0 - 1.5.2, 1.6.0 - 1.6.5, 1.7.1 - 1.7.3, 1.8.0 - 1.8.4, 1.9.1 - 1.9.3
External links
https://github.com/flatpak/flatpak/commit/57416f380600d9754df12baf5b227144ff1bb54d
https://github.com/flatpak/flatpak/commit/6a11007021658518c088ba0cc5e4da27962a940a
https://github.com/flatpak/flatpak/commit/dcd24941c7087c5f7e8033abe50b178ac02a34af
https://github.com/flatpak/flatpak/commit/fb1eaefbceeb73f02eb1bc85865d74a414faf8b8
https://github.com/flatpak/flatpak/releases/tag/1.8.5
https://github.com/flatpak/flatpak/security/advisories/GHSA-4ppf-fxf6-vxg2
https://www.debian.org/security/2021/dsa-4830
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
