CVSS: 10.0EPSS: 0%CPEs: 2EXPL: 0CVE-2024-42472 – Flatpak may allow access to files outside sandbox for certain apps
https://notcve.org/view.php?id=CVE-2024-42472
15 Aug 2024 — Flatpak is a Linux application sandboxing and distribution framework. Prior to versions 1.14.0 and 1.15.10, a malicious or compromised Flatpak app using persistent directories could access and write files outside of what it would otherwise have access to, which is an attack on integrity and confidentiality. When `persistent=subdir` is used in the application permissions (represented as `--persist=subdir` in the command-line interface), that means that an application which otherwise doesn't have access to th... • https://github.com/flatpak/flatpak/security/advisories/GHSA-7hgv-f2j8-xw87 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVSS: 8.4EPSS: 0%CPEs: 4EXPL: 0CVE-2024-32462 – Flatpak vulnerable to a sandbox escape via RequestBackground portal due to bad argument parsing
https://notcve.org/view.php?id=CVE-2024-32462
18 Apr 2024 — Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. in versions before 1.10.9, 1.12.9, 1.14.6, and 1.15.8, a malicious or compromised Flatpak app could execute arbitrary code outside its sandbox. Normally, the `--command` argument of `flatpak run` expects to be given a command to run in the specified Flatpak app, optionally along with some arguments. However it is possible to instead pass `bwrap` arguments to `--command=`, such as `--bind`. It's possible to p... • http://www.openwall.com/lists/oss-security/2024/04/18/5 • CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') •
CVSS: 6.2EPSS: 0%CPEs: 4EXPL: 0CVE-2023-28101 – Flatpak metadata with ANSI control codes can cause misleading terminal output
https://notcve.org/view.php?id=CVE-2023-28101
16 Mar 2023 — Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. In versions prior to 1.10.8, 1.12.8, 1.14.4, and 1.15.4, if an attacker publishes a Flatpak app with elevated permissions, they can hide those permissions from users of the `flatpak(1)` command-line interface by setting other permissions to crafted values that contain non-printable control characters such as `ESC`. A fix is available in versions 1.10.8, 1.12.8, 1.14.4, and 1.15.4. As a workaround, use a GUI ... • https://github.com/flatpak/flatpak/commit/409e34187de2b2b2c4ef34c79f417be698830f6c • CWE-116: Improper Encoding or Escaping of Output •
CVSS: 10.0EPSS: 0%CPEs: 4EXPL: 0CVE-2023-28100 – TIOCLINUX can send commands outside sandbox if running on a virtual console
https://notcve.org/view.php?id=CVE-2023-28100
16 Mar 2023 — Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. Versions prior to 1.10.8, 1.12.8, 1.14.4, and 1.15.4 contain a vulnerability similar to CVE-2017-5226, but using the `TIOCLINUX` ioctl command instead of `TIOCSTI`. If a Flatpak app is run on a Linux virtual console such as `/dev/tty1`, it can copy text from the virtual console and paste it into the command buffer, from which the command might be run after the Flatpak app has exited. Ordinary graphical termi... • https://github.com/flatpak/flatpak/commit/8e63de9a7d3124f91140fc74f8ca9ed73ed53be9 • CWE-20: Improper Input Validation •
CVSS: 7.7EPSS: 0%CPEs: 8EXPL: 0CVE-2022-21682 – flatpak-builder can access files outside the build directory.
https://notcve.org/view.php?id=CVE-2022-21682
13 Jan 2022 — Flatpak is a Linux application sandboxing and distribution framework. A path traversal vulnerability affects versions of Flatpak prior to 1.12.3 and 1.10.6. flatpak-builder applies `finish-args` last in the build. At this point the build directory will have the full access that is specified in the manifest, so running `flatpak build` against it will gain those permissions. Normally this will not be done, so this is not problem. However, if `--mirror-screenshots-url` is specified, then flatpak-builder will l... • https://github.com/flatpak/flatpak/commit/445bddeee657fdc8d2a0a1f0de12975400d4fc1a • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 8.6EPSS: 0%CPEs: 7EXPL: 0CVE-2021-43860 – Permissions granted to applications can be hidden from the user at install time
https://notcve.org/view.php?id=CVE-2021-43860
12 Jan 2022 — Flatpak is a Linux application sandboxing and distribution framework. Prior to versions 1.12.3 and 1.10.6, Flatpak doesn't properly validate that the permissions displayed to the user for an app at install time match the actual permissions granted to the app at runtime, in the case that there's a null byte in the metadata file of an app. Therefore apps can grant themselves permissions without the consent of the user. Flatpak shows permissions to the user during install by reading them from the "xa.metadata"... • https://github.com/flatpak/flatpak/commit/54ec1a482dfc668127eaae57f135e6a8e0bc52da • CWE-269: Improper Privilege Management CWE-276: Incorrect Default Permissions •
CVSS: 8.8EPSS: 0%CPEs: 6EXPL: 0CVE-2021-41133 – Sandbox bypass via recent VFS-manipulating syscalls
https://notcve.org/view.php?id=CVE-2021-41133
08 Oct 2021 — Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. In versions prior to 1.10.4 and 1.12.0, Flatpak apps with direct access to AF_UNIX sockets such as those used by Wayland, Pipewire or pipewire-pulse can trick portals and other host-OS services into treating the Flatpak app as though it was an ordinary, non-sandboxed host-OS process. They can do this by manipulating the VFS using recent mount-related syscalls that are not blocked by Flatpak's denylist seccom... • http://www.openwall.com/lists/oss-security/2021/10/26/9 • CWE-20: Improper Input Validation •
CVSS: 8.2EPSS: 0%CPEs: 4EXPL: 0CVE-2021-21381 – Sandbox escape via special tokens in .desktop file
https://notcve.org/view.php?id=CVE-2021-21381
11 Mar 2021 — Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. In Flatpack since version 0.9.4 and before version 1.10.2 has a vulnerability in the "file forwarding" feature which can be used by an attacker to gain access to files that would not ordinarily be allowed by the app's permissions. By putting the special tokens `@@` and/or `@@u` in the Exec field of a Flatpak app's .desktop file, a malicious app publisher can trick flatpak into behaving as though the user had... • https://github.com/flatpak/flatpak/commit/8279c5818425b6812523e3805bbe242fb6a5d961 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-284: Improper Access Control •
CVSS: 8.8EPSS: 0%CPEs: 3EXPL: 0CVE-2021-21261 – Flatpak sandbox escape via spawn portal
https://notcve.org/view.php?id=CVE-2021-21261
14 Jan 2021 — Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. A bug was discovered in the `flatpak-portal` service that can allow sandboxed applications to execute arbitrary code on the host system (a sandbox escape). This sandbox-escape bug is present in versions from 0.11.4 and before fixed versions 1.8.5 and 1.10.0. The Flatpak portal D-Bus service (`flatpak-portal`, also known by its D-Bus service name `org.freedesktop.portal.Flatpak`) allows apps in a Flatpak sand... • https://github.com/flatpak/flatpak/commit/6d1773d2a54dde9b099043f07a2094a4f1c2f486 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 9.0EPSS: 0%CPEs: 4EXPL: 0CVE-2019-10063 – flatpak: Sandbox bypass via IOCSTI (incomplete fix for CVE-2017-5226)
https://notcve.org/view.php?id=CVE-2019-10063
26 Mar 2019 — Flatpak before 1.0.8, 1.1.x and 1.2.x before 1.2.4, and 1.3.x before 1.3.1 allows a sandbox bypass. Flatpak versions since 0.8.1 address CVE-2017-5226 by using a seccomp filter to prevent sandboxed apps from using the TIOCSTI ioctl, which could otherwise be used to inject commands into the controlling terminal so that they would be executed outside the sandbox after the sandboxed app exits. This fix was incomplete: on 64-bit platforms, the seccomp filter could be bypassed by an ioctl request number that has... • https://access.redhat.com/errata/RHSA-2019:1024 • CWE-20: Improper Input Validation CWE-266: Incorrect Privilege Assignment •