CVE-2022-21682

See a problem?

Source

https://nvd.nist.gov/vuln/detail/CVE-2022-21682

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-21682.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2022-21682

Aliases

GHSA-8ch7-5j3h-g4fx

Related

Published

2022-01-13T21:15:08Z

Modified

2024-09-18T03:20:08.089222Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N CVSS Calculator

Summary

[none]

Details

Flatpak is a Linux application sandboxing and distribution framework. A path traversal vulnerability affects versions of Flatpak prior to 1.12.3 and 1.10.6. flatpak-builder applies finish-args last in the build. At this point the build directory will have the full access that is specified in the manifest, so running flatpak build against it will gain those permissions. Normally this will not be done, so this is not problem. However, if --mirror-screenshots-url is specified, then flatpak-builder will launch flatpak build --nofilesystem=host appstream-utils mirror-screenshots after finalization, which can lead to issues even with the --nofilesystem=host protection. In normal use, the only issue is that these empty directories can be created wherever the user has write permissions. However, a malicious application could replace the appstream-util binary and potentially do something more hostile. This has been resolved in Flatpak 1.12.3 and 1.10.6 by changing the behaviour of --nofilesystem=home and --nofilesystem=host.

References

Affected packages

Debian:11 / flatpak

Package

Name: flatpak
Purl: pkg:deb/debian/flatpak?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.10.7-0+deb11u1

Affected versions

1.*

1.10.2-3

1.10.3-0+deb11u1~bpo11+1

1.10.3-0+deb11u1

1.10.5-0+deb11u1~bpo10+1

1.10.5-0+deb11u1

1.10.7-0+deb11u1~bpo10+1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / flatpak

Package

Name: flatpak
Purl: pkg:deb/debian/flatpak?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.12.3-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / flatpak

Package

Name: flatpak
Purl: pkg:deb/debian/flatpak?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.12.3-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/flatpak/flatpak

Affected ranges

Type: GIT
Repo: https://github.com/flatpak/flatpak
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

445bddeee657fdc8d2a0a1f0de12975400d4fc1a

Fixed

4d11f77aa7fd3e64cfa80af89d92567ab9e8e6fa

Type: GIT
Repo: https://github.com/flatpak/flatpak-builder
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

4e9fb6a3e6c405f10797f12cc5c8c0a6ce99282d

Affected versions

0.*

0.1

0.10.0

0.10.1

0.10.10

0.10.2

0.10.3

0.10.4

0.10.5

0.10.6

0.10.7

0.10.8

0.10.9

0.11.1

0.11.2

0.11.3

0.11.4

0.11.5

0.11.6

0.11.7

0.11.8

0.11.8.1

0.11.8.2

0.11.8.3

0.2

0.2.1

0.3

0.3.1

0.3.2

0.3.3

0.3.4

0.3.5

0.3.6

0.4.0

0.4.1

0.4.10

0.4.11

0.4.12

0.4.13

0.4.2

0.4.2.1

0.4.3

0.4.4

0.4.5

0.4.6

0.4.7

0.4.8

0.4.9

0.5.0

0.5.1

0.5.2

0.6.0

0.6.1

0.6.10

0.6.11

0.6.12

0.6.13

0.6.14

0.6.2

0.6.3

0.6.4

0.6.5

0.6.6

0.6.7

0.6.8

0.6.9

0.8.0

0.8.1

0.9.1

0.9.10

0.9.11

0.9.12

0.9.2

0.9.3

0.9.4

0.9.5

0.9.6

0.9.7

0.9.8

0.9.9

0.9.98

0.9.98.1

0.9.98.2

0.9.99

0.99.1

0.99.2

0.99.3

1.*

1.0.0

1.0.1

1.0.10

1.0.11

1.0.12

1.0.14

1.0.2

1.0.3

1.0.4

1.0.5

1.0.6

1.0.7

1.0.8

1.0.9

1.1.0

1.1.1

1.1.2

1.1.3

1.10.0

1.10.1

1.10.2

1.11.1

1.11.2

1.11.3

1.12.0

1.12.1

1.12.2

1.2.0

1.2.1

1.3.0

1.3.1

1.3.2

1.3.3

1.3.4

1.4.0

1.5.0

1.5.1

1.5.2

1.6.0

1.6.1

1.6.2

1.7.1

1.7.2

1.7.3

1.8.0

1.9.1

1.9.2

1.9.3