CVE - CVE-2021-21261

CVE-ID
CVE-2021-21261	Learn more at National Vulnerability Database (NVD) • CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information
Description
Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. A bug was discovered in the `flatpak-portal` service that can allow sandboxed applications to execute arbitrary code on the host system (a sandbox escape). This sandbox-escape bug is present in versions from 0.11.4 and before fixed versions 1.8.5 and 1.10.0. The Flatpak portal D-Bus service (`flatpak-portal`, also known by its D-Bus service name `org.freedesktop.portal.Flatpak`) allows apps in a Flatpak sandbox to launch their own subprocesses in a new sandbox instance, either with the same security settings as the caller or with more restrictive security settings. For example, this is used in Flatpak-packaged web browsers such as Chromium to launch subprocesses that will process untrusted web content, and give those subprocesses a more restrictive sandbox than the browser itself. In vulnerable versions, the Flatpak portal service passes caller-specified environment variables to non-sandboxed processes on the host system, and in particular to the `flatpak run` command that is used to launch the new sandbox instance. A malicious or compromised Flatpak app could set environment variables that are trusted by the `flatpak run` command, and use them to execute arbitrary code that is not in a sandbox. As a workaround, this vulnerability can be mitigated by preventing the `flatpak-portal` service from starting, but that mitigation will prevent many Flatpak apps from working correctly. This is fixed in versions 1.8.5 and 1.10.0.
References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
CONFIRM:https://github.com/flatpak/flatpak/security/advisories/GHSA-4ppf-fxf6-vxg2 URL:https://github.com/flatpak/flatpak/security/advisories/GHSA-4ppf-fxf6-vxg2 DEBIAN:DSA-4830 URL:https://www.debian.org/security/2021/dsa-4830 GENTOO:GLSA-202101-21 URL:https://security.gentoo.org/glsa/202101-21 MISC:https://github.com/flatpak/flatpak/commit/6d1773d2a54dde9b099043f07a2094a4f1c2f486 URL:https://github.com/flatpak/flatpak/commit/6d1773d2a54dde9b099043f07a2094a4f1c2f486 MISC:https://github.com/flatpak/flatpak/commit/6e5ae7a109cdfa9735ea7ccbd8cb79f9e8d3ae8b URL:https://github.com/flatpak/flatpak/commit/6e5ae7a109cdfa9735ea7ccbd8cb79f9e8d3ae8b MISC:https://github.com/flatpak/flatpak/commit/aeb6a7ab0abaac4a8f4ad98b3df476d9de6b8bd4 URL:https://github.com/flatpak/flatpak/commit/aeb6a7ab0abaac4a8f4ad98b3df476d9de6b8bd4 MISC:https://github.com/flatpak/flatpak/commit/cc1401043c075268ecc652eac557ef8076b5eaba URL:https://github.com/flatpak/flatpak/commit/cc1401043c075268ecc652eac557ef8076b5eaba MISC:https://github.com/flatpak/flatpak/releases/tag/1.8.5 URL:https://github.com/flatpak/flatpak/releases/tag/1.8.5
Assigning CNA
GitHub (maintainer security advisories)
Date Record Created
20201222	Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Assigned (20201222)
Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)
N/A
This is an record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.
Search CVE Using Keywords: You can also search by reference using the CVE Reference Maps.
For More Information: CVE Request Web Form (select "Other" from dropdown)