{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2021-21381", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "dateUpdated": "2024-08-03T18:09:15.945Z", "dateReserved": "2020-12-22T00:00:00", "datePublished": "2021-03-11T00:00:00"}, "containers": {"cna": {"title": "Sandbox escape via special tokens in .desktop file", "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-12-23T10:06:19.370583"}, "descriptions": [{"lang": "en", "value": "Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. In Flatpack since version 0.9.4 and before version 1.10.2 has a vulnerability in the \"file forwarding\" feature which can be used by an attacker to gain access to files that would not ordinarily be allowed by the app's permissions. By putting the special tokens `@@` and/or `@@u` in the Exec field of a Flatpak app's .desktop file, a malicious app publisher can trick flatpak into behaving as though the user had chosen to open a target file with their Flatpak app, which automatically makes that file available to the Flatpak app. This is fixed in version 1.10.2. A minimal solution is the first commit \"`Disallow @@ and @@U usage in desktop files`\". The follow-up commits \"`dir: Reserve the whole @@ prefix`\" and \"`dir: Refuse to export .desktop files with suspicious uses of @@ tokens`\" are recommended, but not strictly required. As a workaround, avoid installing Flatpak apps from untrusted sources, or check the contents of the exported `.desktop` files in `exports/share/applications/*.desktop` (typically `~/.local/share/flatpak/exports/share/applications/*.desktop` and `/var/lib/flatpak/exports/share/applications/*.desktop`) to make sure that literal filenames do not follow `@@` or `@@u`."}], "affected": [{"vendor": "flatpak", "product": "flatpak", "versions": [{"version": ">= 0.9.4, < 1.10.2", "status": "affected"}]}], "references": [{"url": "https://github.com/flatpak/flatpak/security/advisories/GHSA-xgh4-387p-hqpp"}, {"url": "https://github.com/flatpak/flatpak/pull/4156"}, {"url": "https://github.com/flatpak/flatpak/commit/8279c5818425b6812523e3805bbe242fb6a5d961"}, {"url": "https://github.com/flatpak/flatpak/commit/a7401e638bf0c03102039e216ab1081922f140ae"}, {"url": "https://github.com/flatpak/flatpak/commit/eb7946bb6248923d8c90fe9b84425fef97ae580d"}, {"url": "https://github.com/flatpak/flatpak/releases/tag/1.10.2"}, {"name": "DSA-4868", "tags": ["vendor-advisory"], "url": "https://www.debian.org/security/2021/dsa-4868"}, {"name": "FEDORA-2021-26ad138ffa", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WXNVFOIB6ZP4DGOVKAM25T6OIEP3YLGV/"}, {"name": "FEDORA-2021-fe7decc595", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2MXXLXC2DPJ45HSMTI5MZYHMYEGQN6AA/"}, {"name": "GLSA-202312-12", "tags": ["vendor-advisory"], "url": "https://security.gentoo.org/glsa/202312-12"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:N", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')", "cweId": "CWE-74"}]}], "source": {"advisory": "GHSA-xgh4-387p-hqpp", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T18:09:15.945Z"}, "title": "CVE Program Container", "references": [{"url": "https://github.com/flatpak/flatpak/security/advisories/GHSA-xgh4-387p-hqpp", "tags": ["x_transferred"]}, {"url": "https://github.com/flatpak/flatpak/pull/4156", "tags": ["x_transferred"]}, {"url": "https://github.com/flatpak/flatpak/commit/8279c5818425b6812523e3805bbe242fb6a5d961", "tags": ["x_transferred"]}, {"url": "https://github.com/flatpak/flatpak/commit/a7401e638bf0c03102039e216ab1081922f140ae", "tags": ["x_transferred"]}, {"url": "https://github.com/flatpak/flatpak/commit/eb7946bb6248923d8c90fe9b84425fef97ae580d", "tags": ["x_transferred"]}, {"url": "https://github.com/flatpak/flatpak/releases/tag/1.10.2", "tags": ["x_transferred"]}, {"name": "DSA-4868", "tags": ["vendor-advisory", "x_transferred"], "url": "https://www.debian.org/security/2021/dsa-4868"}, {"name": "FEDORA-2021-26ad138ffa", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WXNVFOIB6ZP4DGOVKAM25T6OIEP3YLGV/"}, {"name": "FEDORA-2021-fe7decc595", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2MXXLXC2DPJ45HSMTI5MZYHMYEGQN6AA/"}, {"name": "GLSA-202312-12", "tags": ["vendor-advisory", "x_transferred"], "url": "https://security.gentoo.org/glsa/202312-12"}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:flatpak:flatpak:*:*:*:*:*:*:*:*", "matchCriteriaId": "AB8FA716-DCCF-4E1B-B683-B5313303ED3E", "versionEndExcluding": "1.10.2", "versionStartIncluding": "0.9.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*", "matchCriteriaId": "E460AA51-FCDA-46B9-AE97-E6676AA5E194", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*", "matchCriteriaId": "A930E247-0B43-43CB-98FF-6CE7B8189835", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. In Flatpack since version 0.9.4 and before version 1.10.2 has a vulnerability in the \"file forwarding\" feature which can be used by an attacker to gain access to files that would not ordinarily be allowed by the app's permissions. By putting the special tokens `@@` and/or `@@u` in the Exec field of a Flatpak app's .desktop file, a malicious app publisher can trick flatpak into behaving as though the user had chosen to open a target file with their Flatpak app, which automatically makes that file available to the Flatpak app. This is fixed in version 1.10.2. A minimal solution is the first commit \"`Disallow @@ and @@U usage in desktop files`\". The follow-up commits \"`dir: Reserve the whole @@ prefix`\" and \"`dir: Refuse to export .desktop files with suspicious uses of @@ tokens`\" are recommended, but not strictly required. As a workaround, avoid installing Flatpak apps from untrusted sources, or check the contents of the exported `.desktop` files in `exports/share/applications/*.desktop` (typically `~/.local/share/flatpak/exports/share/applications/*.desktop` and `/var/lib/flatpak/exports/share/applications/*.desktop`) to make sure that literal filenames do not follow `@@` or `@@u`."}, {"lang": "es", "value": "Flatpak es un sistema para construir, distribuir y ejecutar aplicaciones de escritorio en sandbox en Linux. En Flatpack desde la versi\u00f3n 0.9.4 y anteriores a la versi\u00f3n 1.10.2, presenta una vulnerabilidad en la funcionalidad \"file forwarding\" que puede ser usada por un atacante para conseguir acceso a archivos que normalmente no estar\u00edan permitidos por los permisos de la aplicaci\u00f3n. Colocando los tokens especiales \"@@\" y/o \"@@u\" en el campo Exec del archivo .desktop de una aplicaci\u00f3n Flatpak, un editor de aplicaciones malicioso puede enga\u00f1ar a Flatpak para que se comporte como si el usuario hubiera elegido abrir un archivo de destino con su aplicaci\u00f3n Flatpak, lo que autom\u00e1ticamente hace que ese archivo est\u00e9 disponible para la aplicaci\u00f3n Flatpak. Esto ha sido corregido en versi\u00f3n 1.10.2. Una soluci\u00f3n m\u00ednima es el primer commit \"`Disallow @@ and @@U usage in desktop files`\". El siguiente commit \"`dir: Reserve the whole @@ prefix`\" y \"`dir: Refuse to export .desktop files with suspicious uses of @@ tokens`\" se recomiendan, pero no son estrictamente necesarias. Como soluci\u00f3n, evite instalar aplicaciones Flatpak de fuentes no fiables, o compruebe el contenido de los archivos exportados \".desktop\" en \"exports/share/applications/*.desktop\" (normalmente \"~/.local/share/flatpak/exports/share/applications/*.desktop\" y \"/var/lib/flatpak/exports/share/applications/*.desktop\") para asegurarse de que los nombres literales de los archivos no siguen \"@@\" o \"@@u\""}], "id": "CVE-2021-21381", "lastModified": "2024-11-21T05:48:14.423", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 4.7, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.8, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-03-11T17:15:12.703", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/flatpak/flatpak/commit/8279c5818425b6812523e3805bbe242fb6a5d961"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/flatpak/flatpak/commit/a7401e638bf0c03102039e216ab1081922f140ae"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/flatpak/flatpak/commit/eb7946bb6248923d8c90fe9b84425fef97ae580d"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/flatpak/flatpak/pull/4156"}, {"source": "security-advisories@github.com", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/flatpak/flatpak/releases/tag/1.10.2"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/flatpak/flatpak/security/advisories/GHSA-xgh4-387p-hqpp"}, {"source": "security-advisories@github.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2MXXLXC2DPJ45HSMTI5MZYHMYEGQN6AA/"}, {"source": "security-advisories@github.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WXNVFOIB6ZP4DGOVKAM25T6OIEP3YLGV/"}, {"source": "security-advisories@github.com", "url": "https://security.gentoo.org/glsa/202312-12"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2021/dsa-4868"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/flatpak/flatpak/commit/8279c5818425b6812523e3805bbe242fb6a5d961"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/flatpak/flatpak/commit/a7401e638bf0c03102039e216ab1081922f140ae"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/flatpak/flatpak/commit/eb7946bb6248923d8c90fe9b84425fef97ae580d"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/flatpak/flatpak/pull/4156"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/flatpak/flatpak/releases/tag/1.10.2"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/flatpak/flatpak/security/advisories/GHSA-xgh4-387p-hqpp"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2MXXLXC2DPJ45HSMTI5MZYHMYEGQN6AA/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WXNVFOIB6ZP4DGOVKAM25T6OIEP3YLGV/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://security.gentoo.org/glsa/202312-12"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2021/dsa-4868"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-74"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2021:1002", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "flatpak-0:1.0.9-11.el7_9", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2021-03-29T00:00:00Z"}, {"advisory": "RHSA-2021:1068", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "flatpak-0:1.6.2-6.el8_3", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2021-04-06T00:00:00Z"}, {"advisory": "RHSA-2021:1074", "cpe": "cpe:/a:redhat:rhel_eus:8.1", "package": "flatpak-0:1.0.9-4.el8_1", "product_name": "Red Hat Enterprise Linux 8.1 Extended Update Support", "release_date": "2021-04-06T00:00:00Z"}, {"advisory": "RHSA-2021:1073", "cpe": "cpe:/a:redhat:rhel_eus:8.2", "package": "flatpak-0:1.6.2-5.el8_2", "product_name": "Red Hat Enterprise Linux 8.2 Extended Update Support", "release_date": "2021-04-06T00:00:00Z"}], "bugzilla": {"description": "flatpak: \"file forwarding\" feature can be used to gain unprivileged access to files", "id": "1936985", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1936985"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "status": "verified"}, "cwe": "CWE-284", "details": ["Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. In Flatpack since version 0.9.4 and before version 1.10.2 has a vulnerability in the \"file forwarding\" feature which can be used by an attacker to gain access to files that would not ordinarily be allowed by the app's permissions. By putting the special tokens `@@` and/or `@@u` in the Exec field of a Flatpak app's .desktop file, a malicious app publisher can trick flatpak into behaving as though the user had chosen to open a target file with their Flatpak app, which automatically makes that file available to the Flatpak app. This is fixed in version 1.10.2. A minimal solution is the first commit \"`Disallow @@ and @@U usage in desktop files`\". The follow-up commits \"`dir: Reserve the whole @@ prefix`\" and \"`dir: Refuse to export .desktop files with suspicious uses of @@ tokens`\" are recommended, but not strictly required. As a workaround, avoid installing Flatpak apps from untrusted sources, or check the contents of the exported `.desktop` files in `exports/share/applications/*.desktop` (typically `~/.local/share/flatpak/exports/share/applications/*.desktop` and `/var/lib/flatpak/exports/share/applications/*.desktop`) to make sure that literal filenames do not follow `@@` or `@@u`.", "A sandbox escape flaw was found in the way flatpak handled special tokens in \".desktop\" files. This flaw allows an attacker to gain access to files that are not ordinarily allowed by the app's permissions. The highest threat from this vulnerability is to confidentiality and integrity."], "mitigation": {"lang": "en:us", "value": "Avoid installing Flatpak apps from untrusted sources, or check the contents of the exported .desktop files in exports/share/applications/*.desktop (typically ~/.local/share/flatpak/exports/share/applications/*.desktop and /var/lib/flatpak/exports/share/applications/*.desktop) to make sure that literal filenames do not follow @@ or @@u."}, "name": "CVE-2021-21381", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "flatpak", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2021-03-09T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-21381\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-21381\nhttps://github.com/flatpak/flatpak/security/advisories/GHSA-xgh4-387p-hqpp"], "statement": "This is essentially a sandbox escape flaw and needs a malicious app publisher to execute the exploit.", "threat_severity": "Important", "upstream_fix": "flatpak 1.10.2"}