Vulnerability Description
Flatpak is a Linux application sandboxing and distribution framework. A path traversal vulnerability affects versions of Flatpak prior to 1.12.3 and 1.10.6. flatpak-builder applies `finish-args` last in the build. At this point the build directory will have the full access that is specified in the manifest, so running `flatpak build` against it will gain those permissions. Normally this will not be done, so this is not problem. However, if `--mirror-screenshots-url` is specified, then flatpak-builder will launch `flatpak build --nofilesystem=host appstream-utils mirror-screenshots` after finalization, which can lead to issues even with the `--nofilesystem=host` protection. In normal use, the only issue is that these empty directories can be created wherever the user has write permissions. However, a malicious application could replace the `appstream-util` binary and potentially do something more hostile. This has been resolved in Flatpak 1.12.3 and 1.10.6 by changing the behaviour of `--nofilesystem=home` and `--nofilesystem=host`.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Flatpak | Flatpak | < 1.10.7 |
| Flatpak | Flatpak-Builder | < 1.2.2 |
| Fedoraproject | Fedora | 35 |
| Redhat | Enterprise Linux | 8.0 |
| Debian | Debian Linux | 9.0 |
Related Weaknesses (CWE)
References
- https://github.com/flatpak/flatpak/commit/445bddeee657fdc8d2a0a1f0de12975400d4fcPatchThird Party Advisory
- https://github.com/flatpak/flatpak/commit/4d11f77aa7fd3e64cfa80af89d92567ab9e8e6PatchThird Party Advisory
- https://github.com/flatpak/flatpak/security/advisories/GHSA-8ch7-5j3h-g4fxPatchThird Party Advisory
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://security.gentoo.org/glsa/202312-12
- https://www.debian.org/security/2022/dsa-5049Third Party Advisory
- https://github.com/flatpak/flatpak/commit/445bddeee657fdc8d2a0a1f0de12975400d4fcPatchThird Party Advisory
- https://github.com/flatpak/flatpak/commit/4d11f77aa7fd3e64cfa80af89d92567ab9e8e6PatchThird Party Advisory
- https://github.com/flatpak/flatpak/security/advisories/GHSA-8ch7-5j3h-g4fxPatchThird Party Advisory
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://security.gentoo.org/glsa/202312-12
- https://www.debian.org/security/2022/dsa-5049Third Party Advisory
FAQ
What is CVE-2022-21682?
CVE-2022-21682 is a vulnerability with a CVSS score of 7.7 (HIGH). Flatpak is a Linux application sandboxing and distribution framework. A path traversal vulnerability affects versions of Flatpak prior to 1.12.3 and 1.10.6. flatpak-builder applies `finish-args` last ...
How severe is CVE-2022-21682?
CVE-2022-21682 has been rated HIGH with a CVSS base score of 7.7/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2022-21682?
Check the references section above for vendor advisories and patch information. Affected products include: Flatpak Flatpak, Flatpak Flatpak-Builder, Fedoraproject Fedora, Redhat Enterprise Linux, Debian Debian Linux.