Veracode Vulnerability DatabaseVERACODE:29020Remote Code Execution (RCE)
8.8 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
7.2 High
CVSS2
Access Vector
LOCAL
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:L/AC:L/Au:N/C:C/I:C/A:C
Flatpak is vulnerable to remote code execution. The vulnerability exist because of a bug in the flatpak-portal service that can allow sandboxed applications to execute arbitrary code on the host system (a sandbox escape).
References
github.com/flatpak/flatpak/commit/57416f380600d9754df12baf5b227144ff1bb54d
github.com/flatpak/flatpak/commit/6a11007021658518c088ba0cc5e4da27962a940a
github.com/flatpak/flatpak/commit/6d1773d2a54dde9b099043f07a2094a4f1c2f486
github.com/flatpak/flatpak/commit/6e5ae7a109cdfa9735ea7ccbd8cb79f9e8d3ae8b
github.com/flatpak/flatpak/commit/aeb6a7ab0abaac4a8f4ad98b3df476d9de6b8bd4
github.com/flatpak/flatpak/commit/cc1401043c075268ecc652eac557ef8076b5eaba
github.com/flatpak/flatpak/commit/dcd24941c7087c5f7e8033abe50b178ac02a34af
github.com/flatpak/flatpak/commit/fb1eaefbceeb73f02eb1bc85865d74a414faf8b8
github.com/flatpak/flatpak/releases/tag/1.8.5
github.com/flatpak/flatpak/security/advisories/GHSA-4ppf-fxf6-vxg2
security-tracker.debian.org/tracker/CVE-2021-21261
security.gentoo.org/glsa/202101-21
www.debian.org/security/2021/dsa-4830
Related
8.8 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
7.2 High
CVSS2
Access Vector
LOCAL
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:L/AC:L/Au:N/C:C/I:C/A:C