Linux Distros Unpatched Vulnerability : CVE-2024-42472

Linux/Unix hosts at risk from unpatched CVE-2024-42472 affecting Flatpak app integrity and confidentiality.

Reporter	Title	Published	Views	Family All 161
IBM Security Bulletins	Security Bulletin: IBM QRadar SIEM contains multiple vulnerabilities	18 Sep 202410:14	–	ibm
IBM Security Bulletins	Security Bulletin: Vulnerabilities in Flatpak affects IBM watsonx Assistant for IBM Cloud Pak for Data	15 Apr 202503:49	–	ibm
IBM Security Bulletins	Security Bulletin: Vulnerability in Flatpak affects IBM watsonx Assistant Cartridge and IBM watsonx Orchestrate with watsonx Assistant Cartridge - Assistant Builder Component.	17 Mar 202514:51	–	ibm
IBM Security Bulletins	Security Bulletin: Vulnerability in Flatpak affects IBM watsonx Assistant Cartridge and IBM watsonx Orchestrate with watsonx Assistant Cartridge.	21 May 202514:58	–	ibm
Tenable Nessus	Amazon Linux 2023 : bubblewrap (ALAS2023-2024-726)	14 Oct 202400:00	–	nessus
Tenable Nessus	Amazon Linux 2023 : flatpak, flatpak-devel, flatpak-libs (ALAS2023-2024-745)	31 Oct 202400:00	–	nessus
Tenable Nessus	Amazon Linux 2 : flatpak (ALAS-2024-2712)	23 Dec 202400:00	–	nessus
Tenable Nessus	Alibaba Cloud Linux 3 : 0172: bubblewrap and flatpak (ALINUX3-SA-2024:0172)	14 May 202500:00	–	nessus
Tenable Nessus	AlmaLinux 9 : bubblewrap and flatpak (ALSA-2024:6356)	5 Sep 202400:00	–	nessus
Tenable Nessus	AlmaLinux 8 : bubblewrap and flatpak (ALSA-2024:6422)	6 Sep 202400:00	–	nessus

Source	Link
cve	www.cve.mitre.org/cgi-bin/cvename.cgi

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(229463);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2025/03/05");

  script_cve_id("CVE-2024-42472");

  script_name(english:"Linux Distros Unpatched Vulnerability : CVE-2024-42472");

  script_set_attribute(attribute:"synopsis", value:
"The Linux/Unix host has one or more packages installed with a vulnerability that the vendor indicates will not be
patched.");
  script_set_attribute(attribute:"description", value:
"The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied
patch available.

  - Flatpak is a Linux application sandboxing and distribution framework. Prior to versions 1.14.0 and
    1.15.10, a malicious or compromised Flatpak app using persistent directories could access and write files
    outside of what it would otherwise have access to, which is an attack on integrity and confidentiality.
    When `persistent=subdir` is used in the application permissions (represented as `--persist=subdir` in the
    command-line interface), that means that an application which otherwise doesn't have access to the real
    user home directory will see an empty home directory with a writeable subdirectory `subdir`. Behind the
    scenes, this directory is actually a bind mount and the data is stored in the per-application directory as
    `~/.var/app/$APPID/subdir`. This allows existing apps that are not aware of the per-application directory
    to still work as intended without general home directory access. However, the application does have write
    access to the application directory `~/.var/app/$APPID` where this directory is stored. If the source
    directory for the `persistent`/`--persist` option is replaced by a symlink, then the next time the
    application is started, the bind mount will follow the symlink and mount whatever it points to into the
    sandbox. Partial protection against this vulnerability can be provided by patching Flatpak using the
    patches in commits ceec2ffc and 98f79773. However, this leaves a race condition that could be exploited by
    two instances of a malicious app running in parallel. Closing the race condition requires updating or
    patching the version of bubblewrap that is used by Flatpak to add the new `--bind-fd` option using the
    patch and then patching Flatpak to use it. If Flatpak has been configured at build-time with
    `-Dsystem_bubblewrap=bwrap` (1.15.x) or `--with-system-bubblewrap=bwrap` (1.14.x or older), or a similar
    option, then the version of bubblewrap that needs to be patched is a system copy that is distributed
    separately, typically `/usr/bin/bwrap`. This configuration is the one that is typically used in Linux
    distributions. If Flatpak has been configured at build-time with `-Dsystem_bubblewrap=` (1.15.x) or with
    `--without-system-bubblewrap` (1.14.x or older), then it is the bundled version of bubblewrap that is
    included with Flatpak that must be patched. This is typically installed as `/usr/libexec/flatpak-bwrap`.
    This configuration is the default when building from source code. For the 1.14.x stable branch, these
    changes are included in Flatpak 1.14.10. The bundled version of bubblewrap included in this release has
    been updated to 0.6.3. For the 1.15.x development branch, these changes are included in Flatpak 1.15.10.
    The bundled version of bubblewrap in this release is a Meson wrap subproject, which has been updated to
    0.10.0. The 1.12.x and 1.10.x branches will not be updated for this vulnerability. Long-term support OS
    distributions should backport the individual changes into their versions of Flatpak and bubblewrap, or
    update to newer versions if their stability policy allows it. As a workaround, avoid using applications
    using the `persistent` (`--persist`) permission. (CVE-2024-42472)

Note that Nessus relies on the presence of the package as reported by the vendor.");
  script_set_attribute(attribute:"solution", value:
"There is no known solution at this time.");
  script_set_attribute(attribute:"agent", value:"unix");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2024-42472");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_set_attribute(attribute:"vendor_unpatched", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2024/08/14");
  script_set_attribute(attribute:"plugin_publication_date", value:"2025/03/05");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2025 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info2.nasl");
  script_require_keys("Host/cpu", "Host/local_checks_enabled", "global_settings/vendor_unpatched");
  script_require_ports("Host/Debian/dpkg-l", "Host/Debian/release");

  exit(0);
}
include('vdf.inc');

# @tvdl-content
var vuln_data = {
 "metadata": {
  "spec_version": "1.0p"
 },
 "requires": [
  {
   "scope": "scan_config",
   "match": {
    "vendor_unpatched": true
   }
  },
  {
   "scope": "target",
   "match": {
    "os": "linux"
   }
  }
 ],
 "report": {
  "report_type": "unpatched"
 },
 "checks": [
  {
   "product": {
    "name": [
     "flatpak",
     "flatpak-tests",
     "gir1.2-flatpak-1.0",
     "libflatpak-dev",
     "libflatpak-doc",
     "libflatpak0"
    ],
    "type": "dpkg_package"
   },
   "check_algorithm": "dpkg",
   "constraints": [
    {
     "requires": [
      {
       "scope": "target",
       "match": {
        "distro": "debian"
       }
      },
      {
       "scope": "target",
       "match": {
        "os_version": "11"
       }
      }
     ]
    }
   ]
  }
 ]
};

var vdf_res = vdf::check_and_report(vuln_data:vuln_data, severity:SECURITY_HOLE);
vdf::handle_check_and_report_errors(vdf_result: vdf_res);

05 Mar 2025 00:00Current

6.6Medium risk

Vulners AI Score6.6

CVSS 3.110

EPSS0.06541

SSVC