Flatpak Vulnerability: Update Required to Prevent Attacks
CVE-2024-42472

10 CRITICAL

Key Information:

Vendor: Flatpak
Status: Vendor
CVE Published: 15 August 2024

What is CVE-2024-42472?

Flatpak is a widely used Linux application sandboxing framework that runs apps in an isolated environment. Versions of Flatpak before 1.14.0 and 1.15.10 contained a vulnerability in the handling of persistent directories. A malicious or compromised Flatpak application could abuse the 'persistent=subdir' permission, which grants write access to a directory that a properly sandboxed app would not ordinarily have. By replacing the source directory used for this permission with a symlink, the application could redirect its own bind mount and gain unauthorized access to the host filesystem. Users and developers are advised to upgrade to the latest versions of Flatpak and bubblewrap to mitigate this vulnerability; avoiding applications that use the persistent permission is also recommended as a precaution.

Affected Version(s)

  • flatpak < 1.14.10
  • flatpak >= 1.15.0, < 1.15.10
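
As an added example (not from the advisory or from the Flatpak project), the POSIX shell script below gives a defender two checks: it classifies a Flatpak version against the affected ranges listed above, and it extracts the `persistent` entries from an app's key-file metadata (the `[Context]` section) so that apps requesting that permission can be reviewed. The metadata sample is constructed; the `flatpak --version`, `flatpak list --columns=application` and `flatpak info -m` invocations in the trailing comment are assumed to be available only on a host with Flatpak installed.

```shell
#!/bin/sh
# Added example, not code from the advisory or from Flatpak itself.
# 1) classify a Flatpak version against the affected ranges for CVE-2024-42472
# 2) list the 'persistent' entries from an app's metadata ([Context] section)

# Compare two dotted numeric versions; prints -1, 0 or 1.
vercmp() {
    a=$1
    b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        ai=${ai:-0}; bi=${bi:-0}
        if [ "$ai" -lt "$bi" ]; then printf '%s\n' -1; return 0; fi
        if [ "$ai" -gt "$bi" ]; then printf '%s\n' 1; return 0; fi
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    printf '%s\n' 0
}

# Affected per the advisory: < 1.14.10, or >= 1.15.0 and < 1.15.10.
flatpak_status() {
    v=$1
    if [ "$(vercmp "$v" 1.15.0)" -ge 0 ]; then
        if [ "$(vercmp "$v" 1.15.10)" -lt 0 ]; then echo affected; else echo fixed; fi
    elif [ "$(vercmp "$v" 1.14.10)" -lt 0 ]; then
        echo affected
    else
        echo fixed
    fi
}

# Read key-file metadata on stdin; print each directory named by the
# persistent= key of the [Context] section, one per line.
persistent_dirs() {
    awk -F= '
        /^\[/ { in_ctx = ($0 == "[Context]"); next }
        in_ctx && $1 == "persistent" {
            sub(/;$/, "", $2); gsub(/;/, "\n", $2); print $2
        }'
}

# Constructed sample metadata for offline demonstration.
SAMPLE_METADATA='[Application]
name=org.example.Sample
runtime=org.freedesktop.Platform/x86_64/23.08

[Context]
shared=network;
persistent=.subdir;'

for v in 1.14.9 1.14.10 1.15.3 1.15.10; do
    printf 'flatpak %s: %s\n' "$v" "$(flatpak_status "$v")"
done
printf 'persistent dirs in sample metadata: %s\n' \
    "$(printf '%s\n' "$SAMPLE_METADATA" | persistent_dirs)"

# On a real host (assumed commands; Flatpak must be installed):
#   flatpak_status "$(flatpak --version | awk '{print $2}')"
#   flatpak list --columns=application | while read -r app; do
#       echo "== $app"; flatpak info -m "$app" | persistent_dirs
#   done
```

A version reported as `affected` means the host should be upgraded; a non-empty `persistent_dirs` output for an app identifies software to review until the upgrade is in place.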

CVSS V3.1

Score: 10
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published