CVE-2022-21682 - OpenCVE

Vendors	Products
Redhat	Enterprise Linux
Flatpak	Flatpak-builder Flatpak
Fedoraproject	Fedora
Debian	Debian Linux

Link	Resource
https://github.com/flatpak/flatpak/commit/445bddeee657fdc8d2a0a1f0de12975400d4fc1a	Patch Third Party Advisory
https://github.com/flatpak/flatpak/commit/4d11f77aa7fd3e64cfa80af89d92567ab9e8e6fa	Patch Third Party Advisory
https://github.com/flatpak/flatpak/security/advisories/GHSA-8ch7-5j3h-g4fx	Patch Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/APFTBYGJJVJPFVHRXUW5PII5XOAFI4KH/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IXKBERLJRYV7KXKGXOLI6IOXVBQNN4DP/
https://security.gentoo.org/glsa/202312-12
https://www.debian.org/security/2022/dsa-5049	Third Party Advisory

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-21682", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "dateUpdated": "2023-12-23T10:06:21.099810", "dateReserved": "2021-11-16T00:00:00", "datePublished": "2022-01-13T00:00:00"}, "containers": {"cna": {"title": "flatpak-builder can access files outside the build directory.", "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-12-23T10:06:21.099810"}, "descriptions": [{"lang": "en", "value": "Flatpak is a Linux application sandboxing and distribution framework. A path traversal vulnerability affects versions of Flatpak prior to 1.12.3 and 1.10.6. flatpak-builder applies `finish-args` last in the build. At this point the build directory will have the full access that is specified in the manifest, so running `flatpak build` against it will gain those permissions. Normally this will not be done, so this is not problem. However, if `--mirror-screenshots-url` is specified, then flatpak-builder will launch `flatpak build --nofilesystem=host appstream-utils mirror-screenshots` after finalization, which can lead to issues even with the `--nofilesystem=host` protection. In normal use, the only issue is that these empty directories can be created wherever the user has write permissions. However, a malicious application could replace the `appstream-util` binary and potentially do something more hostile. This has been resolved in Flatpak 1.12.3 and 1.10.6 by changing the behaviour of `--nofilesystem=home` and `--nofilesystem=host`."}], "affected": [{"vendor": "flatpak", "product": "flatpak", "versions": [{"version": ">= 1.11.0, < 1.12.3", "status": "affected"}, {"version": "< 1.10.6", "status": "affected"}]}], "references": [{"url": "https://github.com/flatpak/flatpak/security/advisories/GHSA-8ch7-5j3h-g4fx"}, {"url": "https://github.com/flatpak/flatpak/commit/445bddeee657fdc8d2a0a1f0de12975400d4fc1a"}, {"url": "https://github.com/flatpak/flatpak/commit/4d11f77aa7fd3e64cfa80af89d92567ab9e8e6fa"}, {"name": "FEDORA-2022-825ca6bf2b", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/APFTBYGJJVJPFVHRXUW5PII5XOAFI4KH/"}, {"name": "DSA-5049", "tags": ["vendor-advisory"], "url": "https://www.debian.org/security/2022/dsa-5049"}, {"name": "FEDORA-2022-7e328bd66c", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IXKBERLJRYV7KXKGXOLI6IOXVBQNN4DP/"}, {"name": "GLSA-202312-12", "tags": ["vendor-advisory"], "url": "https://security.gentoo.org/glsa/202312-12"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "cweId": "CWE-22"}]}], "source": {"advisory": "GHSA-8ch7-5j3h-g4fx", "discovery": "UNKNOWN"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:flatpak:flatpak:*:*:*:*:*:*:*:*", "matchCriteriaId": "613765F7-BD3F-473D-99F7-EDB260050197", "versionEndExcluding": "1.10.7", "vulnerable": true}, {"criteria": "cpe:2.3:a:flatpak:flatpak:*:*:*:*:*:*:*:*", "matchCriteriaId": "4789481C-5282-4021-946B-0A75D38F6400", "versionEndExcluding": "1.12.4", "versionStartIncluding": "1.11.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:flatpak:flatpak-builder:*:*:*:*:*:*:*:*", "matchCriteriaId": "F476472C-7143-4706-9E76-85EA7800A96F", "versionEndExcluding": "1.2.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*", "matchCriteriaId": "80E516C0-98A4-4ADE-B69F-66A772E2BAAA", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "F4CFF558-3C47-480D-A2F0-BABF26042943", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*", "matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Flatpak is a Linux application sandboxing and distribution framework. A path traversal vulnerability affects versions of Flatpak prior to 1.12.3 and 1.10.6. flatpak-builder applies `finish-args` last in the build. At this point the build directory will have the full access that is specified in the manifest, so running `flatpak build` against it will gain those permissions. Normally this will not be done, so this is not problem. However, if `--mirror-screenshots-url` is specified, then flatpak-builder will launch `flatpak build --nofilesystem=host appstream-utils mirror-screenshots` after finalization, which can lead to issues even with the `--nofilesystem=host` protection. In normal use, the only issue is that these empty directories can be created wherever the user has write permissions. However, a malicious application could replace the `appstream-util` binary and potentially do something more hostile. This has been resolved in Flatpak 1.12.3 and 1.10.6 by changing the behaviour of `--nofilesystem=home` and `--nofilesystem=host`."}, {"lang": "es", "value": "Flatpak es un marco de distribuci\u00f3n y sandboxing de aplicaciones Linux. Una vulnerabilidad de salto de ruta afecta a las versiones de Flatpak anteriores a 1.12.3 y 1.10.6. flatpak-builder aplica \"finish-args\" en \u00faltimo lugar en la construcci\u00f3n. En este punto, el directorio de construcci\u00f3n tendr\u00e1 el acceso completo que es especificado en el manifiesto, por lo que la ejecuci\u00f3n de \"flatpak build\" contra \u00e9l ganar\u00e1 esos permisos. Normalmente esto no se realiza, por lo que no es un problema. Sin embargo, si se especifica \"--mirror-screenshots-url\", entonces flatpak-builder lanzar\u00e1 \"flatpak build --nofilesystem=host appstream-utils mirror-screenshots\" tras la finalizaci\u00f3n, lo que puede conllevar a problemas incluso con la protecci\u00f3n \"--nofilesystem=host\". En un uso normal, el \u00fanico problema es que estos directorios vac\u00edos pueden crearse en cualquier lugar donde el usuario tenga permisos de escritura. Sin embargo, una aplicaci\u00f3n maliciosa podr\u00eda reemplazar el binario \"appstream-util\" y potencialmente hacer algo m\u00e1s hostil. Esto ha sido resuelto en Flatpak versiones 1.12.3 y 1.10.6, al cambiar el comportamiento de \"--nofilesystem=home\" y \"--nofilesystem=host\""}], "id": "CVE-2022-21682", "lastModified": "2023-12-23T10:15:09.173", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 4.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2022-01-13T21:15:08.690", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/flatpak/flatpak/commit/445bddeee657fdc8d2a0a1f0de12975400d4fc1a"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/flatpak/flatpak/commit/4d11f77aa7fd3e64cfa80af89d92567ab9e8e6fa"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/flatpak/flatpak/security/advisories/GHSA-8ch7-5j3h-g4fx"}, {"source": "security-advisories@github.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/APFTBYGJJVJPFVHRXUW5PII5XOAFI4KH/"}, {"source": "security-advisories@github.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IXKBERLJRYV7KXKGXOLI6IOXVBQNN4DP/"}, {"source": "security-advisories@github.com", "url": "https://security.gentoo.org/glsa/202312-12"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2022/dsa-5049"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-22"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

JSON object

JSON object

JSON object