CVE-2021-21261

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2021-21261
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-21261.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2021-21261
Aliases
  • GHSA-4ppf-fxf6-vxg2
Downstream
Related
Published
2021-01-14T20:15:12.360Z
Modified
2026-05-14T04:00:23.683189546Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. A bug was discovered in the flatpak-portal service that can allow sandboxed applications to execute arbitrary code on the host system (a sandbox escape). This sandbox-escape bug is present in versions from 0.11.4 and before fixed versions 1.8.5 and 1.10.0. The Flatpak portal D-Bus service (flatpak-portal, also known by its D-Bus service name org.freedesktop.portal.Flatpak) allows apps in a Flatpak sandbox to launch their own subprocesses in a new sandbox instance, either with the same security settings as the caller or with more restrictive security settings. For example, this is used in Flatpak-packaged web browsers such as Chromium to launch subprocesses that will process untrusted web content, and give those subprocesses a more restrictive sandbox than the browser itself. In vulnerable versions, the Flatpak portal service passes caller-specified environment variables to non-sandboxed processes on the host system, and in particular to the flatpak run command that is used to launch the new sandbox instance. A malicious or compromised Flatpak app could set environment variables that are trusted by the flatpak run command, and use them to execute arbitrary code that is not in a sandbox. As a workaround, this vulnerability can be mitigated by preventing the flatpak-portal service from starting, but that mitigation will prevent many Flatpak apps from working correctly. This is fixed in versions 1.8.5 and 1.10.0.

Database specific 
{
    "unresolved_ranges": [
        {
            "extracted_events": [
                {
                    "last_affected": "10.0"
                }
            ],
            "cpe": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
            "source": "CPE_FIELD"
        }
    ]
}
References

Affected packages

Git / github.com/flatpak/flatpak

Affected ranges

Type
GIT
Repo
https://github.com/flatpak/flatpak
Events
Introduced
b5571fa0397d1ce0f1aaf9cf6bfe2e60cb90895d
Fixed
58dc0ea96c1648cdec341d7d74c260c3d62eb2bc
Introduced
d395763327116b3b04a8d6d4c33a24074700d2de
Fixed
649ad5fe49945b834da0d616a24400c41666048c
Fixed
6d1773d2a54dde9b099043f07a2094a4f1c2f486
Fixed
6e5ae7a109cdfa9735ea7ccbd8cb79f9e8d3ae8b
Fixed
aeb6a7ab0abaac4a8f4ad98b3df476d9de6b8bd4
Fixed
cc1401043c075268ecc652eac557ef8076b5eaba
Database specific 
{
    "cpe": "cpe:2.3:a:flatpak:flatpak:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "0.11.4"
        },
        {
            "fixed": "1.8.5"
        },
        {
            "introduced": "1.9.1"
        },
        {
            "fixed": "1.10.0"
        }
    ],
    "source": [
        "CPE_FIELD",
        "REFERENCES"
    ]
}

Affected versions

0.*
0.11.4
0.11.5
0.11.6
0.11.7
0.11.8
0.11.8.1
0.11.8.2
0.11.8.3
0.99.1
0.99.2
0.99.3
1.*
1.0.0
1.0.1
1.0.2
1.0.3
1.1.0
1.1.1
1.1.2
1.1.3
1.2.0
1.2.1
1.3.0
1.3.1
1.3.2
1.3.3
1.3.4
1.4.0
1.5.0
1.5.1
1.5.2
1.6.0
1.6.1
1.6.2
1.7.1
1.7.2
1.7.3
1.8.0
1.8.2
1.8.3
1.8.4
1.9.1
1.9.2
1.9.3

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-21261.json"