#VU59654 Permissions, Privileges, and Access Controls in Flatpak - CVE-2021-43860
Published: January 17, 2022 / Updated: February 3, 2022
Vulnerability identifier: #VU59654
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2021-43860
CWE-ID: CWE-264
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
Flatpak
Flatpak
Software vendor:
Flatpak
Flatpak
Description
The vulnerability allows a remote attacker to escalate privileges on the system.
The vulnerability exists due to application does not properly validate that the permissions displayed to the user for an app at install time match the actual permissions granted to the app at runtime, which leads to security restrictions bypass and privilege escalation.
Remediation
Install updates from vendor's website.
External links
- https://github.com/flatpak/flatpak/commit/d9a8f9d8ccc0b7c1135d0ecde006a75d25f66aee
- https://github.com/flatpak/flatpak/commit/65cbfac982cb1c83993a9e19aa424daee8e9f042
- https://github.com/flatpak/flatpak/commit/93357d357119093804df05acc32ff335839c6451
- https://github.com/flatpak/flatpak/commit/ba818f504c926baaf6e362be8159cfacf994310e
- https://github.com/flatpak/flatpak/security/advisories/GHSA-qpjc-vq3c-572j
- https://github.com/flatpak/flatpak/commit/54ec1a482dfc668127eaae57f135e6a8e0bc52da
- https://github.com/flatpak/flatpak/releases/tag/1.12.3
- https://github.com/flatpak/flatpak/releases/tag/1.10.6
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/APFTBYGJJVJPFVHRXUW5PII5XOAFI4KH/
- https://github.com/flatpak/flatpak/releases/tag/1.8.7