Multiple vulnerabilities in flatpak



Published: 2021-03-11 | Updated: 2021-03-14
Risk: Medium
Patch available: YES
Number of vulnerabilities: 2
CVE-ID: CVE-2021-21381
CWE-ID: CWE-401, CWE-74
Exploitation vector: Network
Public exploit: N/A
Vulnerable software: Flatpak (Server applications / Frameworks for developing and running applications)

Vendor: Flatpak

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

Updated: 14.03.2021

Added vulnerability #2.

1) Memory leak

EUVDB-ID: #VU51413

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: N/A

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack on the target system.

The vulnerability exists due to a memory leak. A remote attacker can force the application to leak memory and perform a denial of service attack.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Flatpak: 1.10.0 - 1.10.1

External links

http://github.com/flatpak/flatpak/releases/tag/1.10.2


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Improper Neutralization of Special Elements in Output Used by a Downstream Component

EUVDB-ID: #VU51443

Risk: Medium

CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-21381

CWE-ID: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to improper input validation within the "file forwarding" feature. By putting the special tokens `@@` and/or `@@u` in the Exec field of a Flatpak app's .desktop file, a malicious app publisher can trick flatpak into behaving as though the user had chosen to open a target file with their Flatpak app, which automatically makes that file available to the Flatpak app.
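
An added example (not from this bulletin or from the Flatpak project): a Python check that flags `Exec` keys carrying the `@@` or `@@u` tokens described above, for reviewing an app before it is installed or published. It assumes the input is the .desktop file as shipped by the app publisher; the function name and the sample entry are constructed for illustration.

```python
import shlex

# File-forwarding tokens named in the bulletin for CVE-2021-21381.
FORWARDING_TOKENS = {"@@", "@@u"}

# Constructed sample of a publisher-supplied .desktop file (not a real app).
SAMPLE = """\
[Desktop Entry]
Type=Application
Name=Example Viewer
Exec=example-viewer %f

[Desktop Action open-other]
Name=Open other
Exec=example-viewer @@ %f @@
"""


def find_forwarding_tokens(desktop_text):
    """Return (line_number, group, exec_value) for each Exec key with a token."""
    findings = []
    group = None
    for lineno, raw in enumerate(desktop_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            group = line[1:-1]  # Exec also appears in [Desktop Action ...] groups
            continue
        key, sep, value = line.partition("=")
        if not sep or key.strip() != "Exec":
            continue
        value = value.strip()
        try:
            args = shlex.split(value)
        except ValueError:
            args = value.split()  # unbalanced quotes: fall back to whitespace
        # Match whole arguments only, so "foo@@bar" is not reported.
        if any(arg in FORWARDING_TOKENS for arg in args):
            findings.append((lineno, group, value))
    return findings


if __name__ == "__main__":
    for lineno, group, value in find_forwarding_tokens(SAMPLE):
        print(f"line {lineno} [{group}]: Exec={value}")
```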

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Flatpak: 0.9.4 - 1.10.1

External links

http://github.com/flatpak/flatpak/commit/8279c5818425b6812523e3805bbe242fb6a5d961
http://github.com/flatpak/flatpak/commit/a7401e638bf0c03102039e216ab1081922f140ae
http://github.com/flatpak/flatpak/commit/eb7946bb6248923d8c90fe9b84425fef97ae580d
http://github.com/flatpak/flatpak/pull/4156
http://github.com/flatpak/flatpak/releases/tag/1.10.2
http://github.com/flatpak/flatpak/security/advisories/GHSA-xgh4-387p-hqpp
http://www.debian.org/security/2021/dsa-4868


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


