CVE-2021-21261

HIGH EPSS 42.9%
Published Jan 14, 2021 · Modified Jun 17, 2026
8.8 CVSS 3.1
High

Description

Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. A bug was discovered in the `flatpak-portal` service that can allow sandboxed applications to execute arbitrary code on the host system (a sandbox escape). This sandbox-escape bug is present in versions from 0.11.4 and before fixed versions 1.8.5 and 1.10.0.

The Flatpak portal D-Bus service (`flatpak-portal`, also known by its D-Bus service name `org.freedesktop.portal.Flatpak`) allows apps in a Flatpak sandbox to launch their own subprocesses in a new sandbox instance, either with the same security settings as the caller or with more restrictive security settings. For example, this is used in Flatpak-packaged web browsers such as Chromium to launch subprocesses that will process untrusted web content, and give those subprocesses a more restrictive sandbox than the browser itself.

In vulnerable versions, the Flatpak portal service passes caller-specified environment variables to non-sandboxed processes on the host system, and in particular to the `flatpak run` command that is used to launch the new sandbox instance. A malicious or compromised Flatpak app could set environment variables that are trusted by the `flatpak run` command, and use them to execute arbitrary code that is not in a sandbox.

As a workaround, this vulnerability can be mitigated by preventing the `flatpak-portal` service from starting, but that mitigation will prevent many Flatpak apps from working correctly. This is fixed in versions 1.8.5 and 1.10.0.
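The mechanism described above, as an added illustration that is not flatpak's own code: a small Python model of the host-side launch that `flatpak-portal` performs, contrasting the pre-fix pattern (caller-chosen variables merged into the environment of the unsandboxed `flatpak run` process) with the post-fix pattern (variables handed over on a file descriptor via `--env-fd` and applied only inside the new sandbox), plus a check against the affected version ranges listed on this page. The argv shape, `HOST_ENV`, `org.example.App` and the `LD_PRELOAD` sample are constructed for the example; the advisory text on this page does not name the specific variables involved, and the use of a pipe rather than flatpak's real fd handling is a simplification.

```python
"""Model of the environment-passing flaw behind CVE-2021-21261.

Added illustration, not flatpak's own code. Models what flatpak-portal does on
the host when a sandboxed app asks it to spawn a new sandbox instance: before
the fix, caller-chosen variables landed in the environment of the unsandboxed
`flatpak run` process; after the fix, they travel over a file descriptor
(`--env-fd`) and are only applied inside the new sandbox.
"""
import os
from typing import Dict, List, Tuple

# Affected ranges as listed on this page: [0.11.4, 1.8.5) and [1.9.1, 1.10.0).
AFFECTED_RANGES = [((0, 11, 4), (1, 8, 5)), ((1, 9, 1), (1, 10, 0))]

# Constructed sample of the portal process's own (host) environment.
HOST_ENV: Dict[str, str] = {"PATH": "/usr/bin:/bin", "HOME": "/home/user"}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '1.10.0' into (1, 10, 0) so ranges compare numerically."""
    return tuple(int(part) for part in version.split("."))


def is_affected(version: str) -> bool:
    """True if a flatpak release falls inside one of the affected ranges."""
    v = parse_version(version)
    return any(low <= v < high for low, high in AFFECTED_RANGES)


def spawn_vulnerable(app_id: str, argv: List[str], caller_env: Dict[str, str]):
    """Pre-fix pattern: untrusted variables merged into the host process env.

    Whatever the sandboxed caller put in caller_env is now visible to the
    unsandboxed `flatpak run` process itself (and anything it executes).
    Returns (argv, env) exactly as they would be handed to the spawn call.
    """
    env = dict(HOST_ENV)
    env.update(caller_env)  # the bug: untrusted data reaches an unsandboxed process
    cmd = ["flatpak", "run"] + [f"--env={k}={v}" for k, v in caller_env.items()]
    return cmd + [app_id] + argv, env


def spawn_fixed(app_id: str, argv: List[str], caller_env: Dict[str, str]):
    """Post-fix pattern: host env left untouched, variables sent over an fd.

    Returns (argv, host_env, read_fd). The read end would be inherited by
    `flatpak run`, which reads NUL-separated VAR=VALUE entries from it and sets
    them only inside the sandbox. A pipe is used here for simplicity; a payload
    larger than the pipe buffer would block this write.
    """
    for name, value in caller_env.items():
        if not name or "=" in name or "\0" in name or "\0" in value:
            raise ValueError(f"invalid environment entry: {name!r}")
    read_fd, write_fd = os.pipe()
    payload = b"".join(f"{k}={v}".encode() + b"\0" for k, v in caller_env.items())
    os.write(write_fd, payload)
    os.close(write_fd)
    cmd = ["flatpak", "run", f"--env-fd={read_fd}", app_id] + argv
    return cmd, dict(HOST_ENV), read_fd


def read_env_fd(fd: int) -> Dict[str, str]:
    """Consumer side of --env-fd: parse NUL-separated VAR=VALUE entries to EOF."""
    chunks = []
    while True:
        chunk = os.read(fd, 4096)
        if not chunk:
            break
        chunks.append(chunk)
    os.close(fd)
    result: Dict[str, str] = {}
    for entry in b"".join(chunks).split(b"\0"):
        if entry:
            name, _, value = entry.decode().partition("=")
            result[name] = value
    return result


def leaked_host_vars(host_env: Dict[str, str], caller_env: Dict[str, str]) -> List[str]:
    """Caller-controlled names whose values ended up in the host process env."""
    return sorted(k for k in caller_env if host_env.get(k) == caller_env[k])


if __name__ == "__main__":
    # LD_PRELOAD stands in for any variable a host process would honour; the
    # advisory text on this page does not name the specific variables involved.
    untrusted = {"LD_PRELOAD": "/tmp/untrusted.so", "FOO": "bar"}
    _, env = spawn_vulnerable("org.example.App", ["--child"], untrusted)
    print("vulnerable pattern leaks:", leaked_host_vars(env, untrusted))
    cmd, env, fd = spawn_fixed("org.example.App", ["--child"], untrusted)
    print("fixed pattern leaks:", leaked_host_vars(env, untrusted), "argv:", cmd)
    print("seen only inside the sandbox:", read_env_fd(fd))
    for v in ("1.8.4", "1.8.5", "1.9.1", "1.10.0"):
        print(v, "affected" if is_affected(v) else "not affected")
```

The point of the contrast is the trust boundary, not the variable names: in the pre-fix shape the caller's data is already in the environment of a host process before any sandbox is set up, so any variable that process (or its dynamic loader, or helpers it runs) honours becomes an execution vector; in the post-fix shape the host process environment is exactly `HOST_ENV` and the caller's data is inert bytes until the sandbox applies them.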

CVSS Details

Base Score
8.8
Exploitability
2.0
Impact
6.0
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Changed
Confidentiality High
Integrity High
Availability High

Threat Intelligence

EPSS Exploit Probability
42.9% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Affected Products 3

Vendor    Product        Version   Range
flatpak   flatpak        *         ≥0.11.4 – <1.8.5
flatpak   flatpak        *         ≥1.9.1 – <1.10.0
debian    debian_linux   10.0      any

References 8

  • github.com https://github.com/flatpak/flatpak/commit/6d1773d2a54dde9b099043f07a2094a4f1c2f486
    Patch, Third Party Advisory
  • github.com https://github.com/flatpak/flatpak/commit/6e5ae7a109cdfa9735ea7ccbd8cb79f9e8d3ae8b
    Patch, Third Party Advisory
  • github.com https://github.com/flatpak/flatpak/commit/aeb6a7ab0abaac4a8f4ad98b3df476d9de6b8bd4
    Patch, Third Party Advisory
  • github.com https://github.com/flatpak/flatpak/commit/cc1401043c075268ecc652eac557ef8076b5eaba
    Third Party Advisory
  • github.com https://github.com/flatpak/flatpak/releases/tag/1.8.5
    Third Party Advisory
  • github.com https://github.com/flatpak/flatpak/security/advisories/GHSA-4ppf-fxf6-vxg2
    Third Party Advisory
  • security.gentoo.org https://security.gentoo.org/glsa/202101-21
    Third Party Advisory
  • debian.org https://www.debian.org/security/2021/dsa-4830
    Third Party Advisory

Remediation

  • github.com https://github.com/flatpak/flatpak/commit/6d1773d2a54dde9b099043f07a2094a4f1c2f486
    Patch, Third Party Advisory
  • github.com https://github.com/flatpak/flatpak/commit/6e5ae7a109cdfa9735ea7ccbd8cb79f9e8d3ae8b
    Patch, Third Party Advisory
  • github.com https://github.com/flatpak/flatpak/commit/aeb6a7ab0abaac4a8f4ad98b3df476d9de6b8bd4
    Patch, Third Party Advisory