UBUNTU-CVE-2022-21682
See a problem?- Source
- https://ubuntu.com/security/notices/UBUNTU-CVE-2022-21682
- Import Source
- https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2022/UBUNTU-CVE-2022-21682.json
- JSON Data
- https://api.osv.dev/v1/vulns/UBUNTU-CVE-2022-21682
- Related
- Published
- 2022-01-13T21:15:00Z
- Modified
- 2022-01-13T21:15:00Z
- Severity
-
- 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N CVSS Calculator
- Summary
- [none]
- Details
-
Flatpak is a Linux application sandboxing and distribution framework. A path traversal vulnerability affects versions of Flatpak prior to 1.12.3 and 1.10.6. flatpak-builder applies
finish-argslast in the build. At this point the build directory will have the full access that is specified in the manifest, so runningflatpak buildagainst it will gain those permissions. Normally this will not be done, so this is not problem. However, if--mirror-screenshots-urlis specified, then flatpak-builder will launchflatpak build --nofilesystem=host appstream-utils mirror-screenshotsafter finalization, which can lead to issues even with the--nofilesystem=hostprotection. In normal use, the only issue is that these empty directories can be created wherever the user has write permissions. However, a malicious application could replace theappstream-utilbinary and potentially do something more hostile. This has been resolved in Flatpak 1.12.3 and 1.10.6 by changing the behaviour of--nofilesystem=homeand--nofilesystem=host. - References
Affected packages
Ubuntu:Pro:18.04:LTS / flatpak
Package
- Name
- flatpak
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Affected versions
0.*
1.*
Ubuntu:20.04:LTS / flatpak
Package
- Name
- flatpak
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected