CVSS3: 8.2 High
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: NONE
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

CVSS2: 5.8 Medium
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: NONE
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N

EPSS: 0.001 Low
EPSS Percentile: 49.4%
Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. Flatpak since version 0.9.4 and before version 1.10.2 has a vulnerability in the “file forwarding” feature which can be used by an attacker to gain access to files that would not ordinarily be allowed by the app’s permissions. When a user opens a file with a Flatpak app, the exported launcher passes that file to flatpak run --file-forwarding between the markers @@ (a path) or @@u (a URI) and @@, and every argument inside such a span is made available to the sandbox as though the user had chosen it. By putting the special tokens @@ and/or @@u in the Exec field of a Flatpak app’s .desktop file, a malicious app publisher can trick flatpak into behaving as though the user had chosen to open a target file with their Flatpak app, which automatically makes that file available to the Flatpak app. This is fixed in version 1.10.2. A minimal solution is the first commit “Disallow @@ and @@U usage in desktop files”. The follow-up commits “dir: Reserve the whole @@ prefix” and “dir: Refuse to export .desktop files with suspicious uses of @@ tokens” are recommended, but not strictly required.

As a workaround, avoid installing Flatpak apps from untrusted sources, or check the contents of the exported .desktop files in exports/share/applications/*.desktop (typically ~/.local/share/flatpak/exports/share/applications/*.desktop and /var/lib/flatpak/exports/share/applications/*.desktop) to make sure that literal filenames do not follow @@ or @@u.
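The workaround check above, as an added shell example that is not part of the advisory or of Flatpak’s own tooling. It assumes that Exec= values can be split on whitespace (desktop-entry quoting is ignored) and that only the desktop-entry field codes %f, %F, %u and %U are legitimate between the @@ / @@u markers, since those are the arguments the user actually chose; the two sample .desktop files are constructed here, not real exports.

```shell
#!/bin/sh
# Added example (not Flatpak's own code): audit exported .desktop launchers for
# literal arguments placed between the @@ / @@u file-forwarding markers.

# check_desktop_exec FILE
# Exit 0 when every "@@ ... @@" or "@@u ... @@" span in the file's Exec= lines
# holds only desktop-entry field codes (%f %F %u %U, i.e. files the user chose);
# exit 1 and print the offending tokens otherwise.
# Assumption: Exec= values are split on whitespace; desktop-entry quoting is ignored.
check_desktop_exec() {
    awk -v file="$1" '
    /^Exec=/ {
        n = split(substr($0, 6), tok, "[ \t]+")
        fwd = 0
        for (i = 1; i <= n; i++) {
            t = tok[i]
            if (t == "")
                continue
            if (t == "@@" || t == "@@u") {
                # @@u opens a URI span; @@ opens a path span or closes either.
                fwd = (t == "@@" && fwd) ? 0 : 1
                continue
            }
            if (substr(t, 1, 2) == "@@") {
                # The fix reserves the whole @@ prefix; treat any variant as suspicious.
                printf "%s: reserved token %s in Exec=\n", file, t
                bad = 1
                continue
            }
            if (fwd && t !~ /^%[fFuU]$/) {
                printf "%s: literal argument %s forwarded via @@ in Exec=\n", file, t
                bad = 1
            }
        }
    }
    END { exit (bad ? 1 : 0) }
    ' "$1"
}

# scan_flatpak_exports
# Run the check over the export directories named in the advisory; exit 1 if
# any launcher is flagged.
scan_flatpak_exports() {
    rc=0
    for f in "$HOME"/.local/share/flatpak/exports/share/applications/*.desktop \
             /var/lib/flatpak/exports/share/applications/*.desktop; do
        [ -f "$f" ] || continue
        check_desktop_exec "$f" || rc=1
    done
    return $rc
}

# Constructed sample launchers (not real Flatpak output) so the script runs stand-alone.
tmp=$(mktemp -d)
GOOD="$tmp/org.example.Good.desktop"
BAD="$tmp/org.example.Bad.desktop"
cat > "$GOOD" <<'EOF'
[Desktop Entry]
Name=Good
Exec=flatpak run --file-forwarding org.example.Good @@u %U @@
EOF
cat > "$BAD" <<'EOF'
[Desktop Entry]
Name=Bad
Exec=flatpak run --file-forwarding org.example.Bad @@ /home/user/secret.txt @@ %f
EOF

check_desktop_exec "$GOOD" && echo "$GOOD: clean"
check_desktop_exec "$BAD" || echo "$BAD: flagged"
```

Run scan_flatpak_exports on an affected host to audit every exported launcher; a clean installation prints nothing and exits 0. A flagged entry is only a pointer to the app whose .desktop file needs a look, and the real fix remains upgrading to Flatpak 1.10.2 or later, where such exports are refused.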
github.com/flatpak/flatpak/commit/8279c5818425b6812523e3805bbe242fb6a5d961
github.com/flatpak/flatpak/commit/a7401e638bf0c03102039e216ab1081922f140ae
github.com/flatpak/flatpak/commit/eb7946bb6248923d8c90fe9b84425fef97ae580d
github.com/flatpak/flatpak/issues/4146
github.com/flatpak/flatpak/pull/4156
github.com/flatpak/flatpak/releases/tag/1.10.2
github.com/flatpak/flatpak/security/advisories/GHSA-xgh4-387p-hqpp
launchpad.net/bugs/cve/CVE-2021-21381
nvd.nist.gov/vuln/detail/CVE-2021-21381
security-tracker.debian.org/tracker/CVE-2021-21381
ubuntu.com/security/notices/USN-4951-1
www.cve.org/CVERecord?id=CVE-2021-21381