CVE-2021-43860

Severity: High (CVSS 3.1 base score 8.6)
Published: Jan 12, 2022
Last Modified: Jun 17, 2026

Description

Flatpak is a Linux application sandboxing and distribution framework. Prior to versions 1.12.3 and 1.10.6, Flatpak doesn't properly validate that the permissions displayed to the user for an app at install time match the actual permissions granted to the app at runtime, in the case that there's a null byte in the metadata file of an app. Therefore apps can grant themselves permissions without the consent of the user. Flatpak shows permissions to the user during install by reading them from the "xa.metadata" key in the commit metadata. This cannot contain a null terminator, because it is an untrusted GVariant. Flatpak compares these permissions to the *actual* metadata, from the "metadata" file to ensure it wasn't lied to. However, the actual metadata contents are loaded in several places where they are read as simple C-style strings. That means that, if the metadata file includes a null terminator, only the content of the file from *before* the terminator gets compared to xa.metadata. Thus, any permissions that appear in the metadata file after a null terminator are applied at runtime but not shown to the user. So maliciously crafted apps can give themselves hidden permissions. Users who have Flatpaks installed from untrusted sources are at risk in case the Flatpak has a maliciously crafted metadata file, either initially or in an update. This issue is patched in versions 1.12.3 and 1.10.6. As a workaround, users can manually check the permissions of installed apps by checking the metadata file or the xa.metadata key on the commit metadata.
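To make the comparison defect concrete, the following is an added C illustration, not Flatpak's code and not the fix from the linked commits: a constructed xa.metadata string (what the user is shown) and a constructed metadata file with an embedded NUL, checked once with a C-string comparison that stops at the NUL and once with a length-aware comparison that rejects it. The helper and sample contents are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed sample of what the user is shown at install time: the
 * "xa.metadata" commit key is a GVariant string and cannot hold a NUL. */
static const char SHOWN_METADATA[] =
    "[Application]\nname=org.example.App\n\n"
    "[Context]\nshared=network;\n";

/* Constructed sample of the app's on-disk "metadata" file: identical up to
 * an embedded NUL, then extra permissions that only the runtime applies. */
static const char FILE_METADATA[] =
    "[Application]\nname=org.example.App\n\n"
    "[Context]\nshared=network;\n"
    "\0"
    "[Context]\nfilesystems=home;\nsockets=session-bus;\n";
/* sizeof counts the embedded NUL; -1 drops only the literal's terminator. */
static const size_t FILE_METADATA_LEN = sizeof(FILE_METADATA) - 1;

/* Flawed comparison in the spirit of the CVE: the file is treated as a
 * C string, so strcmp stops at the embedded NUL and the suffix is never
 * compared against what the user saw. */
bool metadata_matches_cstr(const char *shown, const char *file, size_t file_len)
{
    (void)file_len; /* the length is available but ignored: the defect */
    return strcmp(shown, file) == 0;
}

/* Length-aware comparison (illustrative hardening, not Flatpak's patch):
 * refuse any NUL inside the file and compare the full byte range. */
bool metadata_matches_full(const char *shown, const char *file, size_t file_len)
{
    if (memchr(file, '\0', file_len) != NULL)
        return false; /* a NUL in a text metadata file only serves to hide content */
    size_t shown_len = strlen(shown);
    return shown_len == file_len && memcmp(shown, file, file_len) == 0;
}

/* Audit helper: number of bytes after the first NUL, i.e. content a
 * C-string reader silently skips. 0 means nothing is hidden. */
size_t hidden_bytes(const char *file, size_t file_len)
{
    const char *nul = memchr(file, '\0', file_len);
    return nul ? file_len - (size_t)(nul - file) - 1 : 0;
}
```

Running hidden_bytes over each installed app's metadata file is the kind of manual check the workaround above refers to: a nonzero result means the file carries content the install-time display could not have shown.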

CVSS Details

Base Score
8.6
Exploitability
1.8
Impact
6.0
Vector string
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required None
User Interaction Required
Scope Changed
Confidentiality High
Integrity High
Availability High

Threat Intelligence

No active exploitation signals — not in CISA KEV and no EPSS score yet.

Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 2

CWE-269 Improper Privilege Management (Authorization)
CWE-276 Incorrect Default Permissions

Affected Products 7

Vendor          Product           Version   Range
flatpak         flatpak           *         <1.10.6
flatpak         flatpak           *         ≥1.11.1 – ≤1.12.3
fedoraproject   fedora            35        any
redhat          enterprise_linux  8.0       any
debian          debian_linux      9.0       any
debian          debian_linux      10.0      any
debian          debian_linux      11.0      any

References 11

  • github.com https://github.com/flatpak/flatpak/commit/54ec1a482dfc668127eaae57f135e6a8e0bc52da
    Patch, Third Party Advisory
  • github.com https://github.com/flatpak/flatpak/commit/65cbfac982cb1c83993a9e19aa424daee8e9f042
    Patch, Third Party Advisory
  • github.com https://github.com/flatpak/flatpak/commit/93357d357119093804df05acc32ff335839c6451
    Patch, Third Party Advisory
  • github.com https://github.com/flatpak/flatpak/commit/ba818f504c926baaf6e362be8159cfacf994310e
    Patch, Third Party Advisory
  • github.com https://github.com/flatpak/flatpak/commit/d9a8f9d8ccc0b7c1135d0ecde006a75d25f66aee
    Patch, Third Party Advisory
  • github.com https://github.com/flatpak/flatpak/releases/tag/1.10.6
    Release Notes, Third Party Advisory
  • github.com https://github.com/flatpak/flatpak/releases/tag/1.12.3
    Release Notes, Third Party Advisory
  • github.com https://github.com/flatpak/flatpak/security/advisories/GHSA-qpjc-vq3c-572j
    Patch, Third Party Advisory
  • lists.fedoraproject.org https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/APFTBYGJJVJPFVHRXUW5PII5XOAFI4KH/
  • security.gentoo.org https://security.gentoo.org/glsa/202312-12
  • debian.org https://www.debian.org/security/2022/dsa-5049
    Third Party Advisory

Remediation

  • github.com https://github.com/flatpak/flatpak/commit/54ec1a482dfc668127eaae57f135e6a8e0bc52da
    Patch, Third Party Advisory
  • github.com https://github.com/flatpak/flatpak/commit/65cbfac982cb1c83993a9e19aa424daee8e9f042
    Patch, Third Party Advisory
  • github.com https://github.com/flatpak/flatpak/commit/93357d357119093804df05acc32ff335839c6451
    Patch, Third Party Advisory
  • github.com https://github.com/flatpak/flatpak/commit/ba818f504c926baaf6e362be8159cfacf994310e
    Patch, Third Party Advisory
  • github.com https://github.com/flatpak/flatpak/commit/d9a8f9d8ccc0b7c1135d0ecde006a75d25f66aee
    Patch, Third Party Advisory
  • github.com https://github.com/flatpak/flatpak/security/advisories/GHSA-qpjc-vq3c-572j
    Patch, Third Party Advisory