7.8 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.6 Medium
CVSS2
Access Vector
LOCAL
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:L/AC:L/Au:N/C:P/I:P/A:P
0.0005 Low
EPSS
Percentile
15.6%
Flatpak is a system for building, distributing, and running sandboxed
desktop applications on Linux. In versions prior to 1.10.4 and 1.12.0,
Flatpak apps with direct access to AF_UNIX sockets such as those used by
Wayland, Pipewire or pipewire-pulse can trick portals and other host-OS
services into treating the Flatpak app as though it was an ordinary,
non-sandboxed host-OS process. They can do this by manipulating the VFS
using recent mount-related syscalls that are not blocked by Flatpak’s
denylist seccomp filter, in order to substitute a crafted /.flatpak-info
or make that file disappear entirely. Flatpak apps that act as clients for
AF_UNIX sockets such as those used by Wayland, Pipewire or pipewire-pulse
can escalate the privileges that the corresponding services will believe
the Flatpak app has. Note that protocols that operate entirely over the
D-Bus session bus (user bus), system bus or accessibility bus are not
affected by this. This is due to the use of a proxy process
xdg-dbus-proxy
, whose VFS cannot be manipulated by the Flatpak app, when
interacting with these buses. Patches exist for versions 1.10.4 and 1.12.0,
and as of time of publication, a patch for version 1.8.2 is being planned.
There are no workarounds aside from upgrading to a patched version.
Author | Note |
---|---|
alexmurray | Requires libseccomp>=2.5.0 - this is only in the updates pocket in focal and bionic so libseccomp needs to be published to the security pocket in those releases as well to ensure this vulnerability is properly mitigated. |
7.8 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.6 Medium
CVSS2
Access Vector
LOCAL
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:L/AC:L/Au:N/C:P/I:P/A:P
0.0005 Low
EPSS
Percentile
15.6%