File Permission Vulnerability in Flatpak by Flatpak
CVE-2017-9780

7.8 HIGH

Key Information:

Vendor: Flatpak

Status
Vendor
CVE Published: 21 June 2017

What is CVE-2017-9780?

In versions of Flatpak prior to 0.8.7, a vulnerability exists that allows a third-party app repository to deploy applications with inappropriate file permissions. This can enable local attackers to execute setuid executables or write to world-writable locations, potentially compromising system security. Particularly concerning is the exploitation involving the 'system helper' component, where malicious files may be owned by root, allowing for severe security implications, including the execution of setuid root binaries.
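A defensive check for the condition described above, as an added example that is not part of the original advisory or Flatpak's own code: it walks a deployment tree and reports regular files carrying setuid/setgid bits and any entries that are world-writable, noting whether they are root-owned. The default path `/var/lib/flatpak` (the usual system-wide installation directory) and the function names `classify` and `audit` are assumptions made for this illustration.

```python
import os
import stat
import sys

# Assumption: default system-wide Flatpak installation directory.
DEFAULT_ROOT = "/var/lib/flatpak"

def classify(mode):
    """Return the risky permission traits for a mode value from lstat()."""
    traits = []
    if stat.S_ISLNK(mode):
        return traits  # permission bits on symlinks are not meaningful
    if stat.S_ISREG(mode):
        # setuid/setgid only grant privilege on regular (executable) files
        if mode & stat.S_ISUID:
            traits.append("setuid")
        if mode & stat.S_ISGID:
            traits.append("setgid")
    if mode & stat.S_IWOTH:
        traits.append("world-writable")
    return traits

def audit(root):
    """Walk root without following symlinks; return sorted (path, traits, uid)."""
    results = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # entry vanished or is unreadable; skip it
            traits = classify(st.st_mode)
            if traits:
                results.append((path, traits, st.st_uid))
    return sorted(results)

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_ROOT
    for path, traits, uid in audit(root):
        owner = "root-owned" if uid == 0 else f"uid {uid}"
        print(f"{path}: {','.join(traits)} ({owner})")
```

Root-owned setuid hits under a system installation are the case the advisory singles out; setgid directories are deliberately not reported because they do not confer privilege on execution.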

CVSS V3.1

Score: 7.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
