Debian update for flatpak
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2021-21261 |
| CWE-ID | CWE-94 |
| Exploitation vector | Local |
| Public exploit | N/A |
| Vulnerable software |
flatpak (Debian package) Operating systems & Components / Operating system package or component |
| Vendor | Debian |
Security Bulletin
This security bulletin contains one low risk vulnerability.
1) Code Injection
EUVDB-ID: #VU49587
Risk: Low
CVSSv4.0: 7.4 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U/U:Clear]
CVE-ID: CVE-2021-21261
CWE-ID:
CWE-94 - Improper Control of Generation of Code ('Code Injection')
Exploit availability: No
DescriptionThe vulnerability allows a local application to elevate privileges on the system.
The vulnerability exists due to improper input validation when processing environment variables, passed from a sandboxed process to a non-sandboxed process on the host system, and in particular to the `flatpak run` command that is used to launch the new sandbox instance. A malicious or compromised Flatpak app can set environment variables that are trusted by the `flatpak run` command, and use them to execute arbitrary code that is not in a sandbox.
MitigationUpdate flatpak package to version 1.2.5-0+deb10u2.
Vulnerable software versionsflatpak (Debian package): 0.11.4-1 - 1.9.2-1
CPE2.3- cpe:2.3:a:debian:flatpak_debian_package:0.11.4-1:*:*:*:*:debian_linux:*:*
- cpe:2.3:a:debian:flatpak_debian_package:0.11.5-1:*:*:*:*:debian_linux:*:*
- cpe:2.3:a:debian:flatpak_debian_package:0.11.6-1:*:*:*:*:debian_linux:*:*
https://www.debian.org/security/2021/dsa-4830
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
