Vulnerability Details : CVE-2021-21381
Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. In Flatpack since version 0.9.4 and before version 1.10.2 has a vulnerability in the "file forwarding" feature which can be used by an attacker to gain access to files that would not ordinarily be allowed by the app's permissions. By putting the special tokens `@@` and/or `@@u` in the Exec field of a Flatpak app's .desktop file, a malicious app publisher can trick flatpak into behaving as though the user had chosen to open a target file with their Flatpak app, which automatically makes that file available to the Flatpak app. This is fixed in version 1.10.2. A minimal solution is the first commit "`Disallow @@ and @@U usage in desktop files`". The follow-up commits "`dir: Reserve the whole @@ prefix`" and "`dir: Refuse to export .desktop files with suspicious uses of @@ tokens`" are recommended, but not strictly required. As a workaround, avoid installing Flatpak apps from untrusted sources, or check the contents of the exported `.desktop` files in `exports/share/applications/*.desktop` (typically `~/.local/share/flatpak/exports/share/applications/*.desktop` and `/var/lib/flatpak/exports/share/applications/*.desktop`) to make sure that literal filenames do not follow `@@` or `@@u`.
Exploit prediction scoring system (EPSS) score for CVE-2021-21381
Probability of exploitation activity in the next 30 days: 0.14%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 50 % EPSS Score History EPSS FAQ
CVSS scores for CVE-2021-21381
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
|---|---|---|---|---|---|
|
5.8
|
MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:N |
8.6
|
4.9
|
NIST |
|
8.2
|
HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N |
1.8
|
5.8
|
NIST |
|
7.1
|
HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:N |
1.8
|
4.7
|
GitHub, Inc. |
CWE ids for CVE-2021-21381
-
The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.Assigned by: security-advisories@github.com (Primary)
References for CVE-2021-21381
-
https://github.com/flatpak/flatpak/commit/a7401e638bf0c03102039e216ab1081922f140ae
dir: Refuse to export .desktop files with suspicious uses of @@ tokens · flatpak/flatpak@a7401e6 · GitHubPatch;Third Party Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2MXXLXC2DPJ45HSMTI5MZYHMYEGQN6AA/
[SECURITY] Fedora 34 Update: flatpak-1.10.2-1.fc34 - package-announce - Fedora Mailing-Lists
-
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WXNVFOIB6ZP4DGOVKAM25T6OIEP3YLGV/
[SECURITY] Fedora 33 Update: flatpak-1.10.2-1.fc33 - package-announce - Fedora Mailing-Lists
-
https://github.com/flatpak/flatpak/security/advisories/GHSA-xgh4-387p-hqpp
Sandbox escape via special tokens in .desktop file (flatpak#4146) · Advisory · flatpak/flatpak · GitHubThird Party Advisory
-
https://github.com/flatpak/flatpak/pull/4156
Disallow @@ and @@u magic tokens in desktop files by smcv · Pull Request #4156 · flatpak/flatpak · GitHubPatch;Third Party Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WXNVFOIB6ZP4DGOVKAM25T6OIEP3YLGV/
[SECURITY] Fedora 33 Update: flatpak-1.10.2-1.fc33 - package-announce - Fedora Mailing-ListsMailing List;Third Party Advisory
-
https://www.debian.org/security/2021/dsa-4868
Debian -- Security Information -- DSA-4868-1 flatpakThird Party Advisory
-
https://security.gentoo.org/glsa/202312-12
Flatpak: Multiple Vulnerabilities (GLSA 202312-12) — Gentoo security
-
https://github.com/flatpak/flatpak/releases/tag/1.10.2
Release Release 1.10.2 · flatpak/flatpak · GitHubRelease Notes;Third Party Advisory
-
https://github.com/flatpak/flatpak/commit/eb7946bb6248923d8c90fe9b84425fef97ae580d
dir: Reserve the whole @@ prefix · flatpak/flatpak@eb7946b · GitHubPatch;Third Party Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2MXXLXC2DPJ45HSMTI5MZYHMYEGQN6AA/
[SECURITY] Fedora 34 Update: flatpak-1.10.2-1.fc34 - package-announce - Fedora Mailing-ListsMailing List;Third Party Advisory
-
https://github.com/flatpak/flatpak/commit/8279c5818425b6812523e3805bbe242fb6a5d961
Disallow @@ and @@u usage in desktop files · flatpak/flatpak@8279c58 · GitHubPatch;Third Party Advisory
Products affected by CVE-2021-21381
- cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*
- cpe:2.3:a:flatpak:flatpak:*:*:*:*:*:*:*:*