Vulnerability Description
In Flatpak before 0.8.7, a third-party app repository could include malicious apps that contain files with inappropriate permissions, for example setuid or world-writable. The files are deployed with those permissions, which would let a local attacker run the setuid executable or write to the world-writable location. In the case of the "system helper" component, files deployed as part of the app are owned by root, so in the worst case they could be setuid root.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Flatpak | Flatpak | <= 0.8.6 |
| Debian | Debian Linux | 9.0 |
Related Weaknesses (CWE)
References
- http://www.debian.org/security/2017/dsa-3895Third Party Advisory
- http://www.securityfocus.com/bid/99346Third Party AdvisoryVDB Entry
- https://bugs.debian.org/865413Issue TrackingPatchThird Party Advisory
- https://github.com/flatpak/flatpak/issues/845Issue TrackingPatchThird Party Advisory
- http://www.debian.org/security/2017/dsa-3895Third Party Advisory
- http://www.securityfocus.com/bid/99346Third Party AdvisoryVDB Entry
- https://bugs.debian.org/865413Issue TrackingPatchThird Party Advisory
- https://github.com/flatpak/flatpak/issues/845Issue TrackingPatchThird Party Advisory
FAQ
What is CVE-2017-9780?
CVE-2017-9780 is a vulnerability with a CVSS score of 7.8 (HIGH). In Flatpak before 0.8.7, a third-party app repository could include malicious apps that contain files with inappropriate permissions, for example setuid or world-writable. The files are deployed with ...
How severe is CVE-2017-9780?
CVE-2017-9780 has been rated HIGH with a CVSS base score of 7.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2017-9780?
Check the references section above for vendor advisories and patch information. Affected products include: Flatpak Flatpak, Debian Debian Linux.