CVE-2022-21682

MEDIUM
Published Jan 13, 20224y ago · Modified Jun 17, 20262w ago
6.5 CVSS 3.1
Medium
Find Similar
Published Jan 13, 2022 4y ago
Last Modified Jun 17, 2026 2w ago

Description

Flatpak is a Linux application sandboxing and distribution framework. A path traversal vulnerability affects versions of Flatpak prior to 1.12.3 and 1.10.6. flatpak-builder applies `finish-args` last in the build. At this point the build directory will have the full access that is specified in the manifest, so running `flatpak build` against it will gain those permissions. Normally this will not be done, so this is not problem. However, if `--mirror-screenshots-url` is specified, then flatpak-builder will launch `flatpak build --nofilesystem=host appstream-utils mirror-screenshots` after finalization, which can lead to issues even with the `--nofilesystem=host` protection. In normal use, the only issue is that these empty directories can be created wherever the user has write permissions. However, a malicious application could replace the `appstream-util` binary and potentially do something more hostile. This has been resolved in Flatpak 1.12.3 and 1.10.6 by changing the behaviour of `--nofilesystem=home` and `--nofilesystem=host`.

CVSS Details

Base Score
6.5
Exploitability
2.8
Impact
3.6
Vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality None
Integrity High
Availability None

Threat Intelligence

No active exploitation signals — not in CISA KEV and no EPSS score yet.

Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-22 Path Traversal Resource Mgmt

Affected Products 8

VendorProductVersionRange
flatpakflatpak* <1.10.7
flatpakflatpak*≥1.11.1  –  <1.12.4
flatpakflatpak-builder* <1.2.2
fedoraprojectfedora35any
redhatenterprise_linux8.0any
debiandebian_linux9.0any
debiandebian_linux10.0any
debiandebian_linux11.0any

References 7

  • github.com https://github.com/flatpak/flatpak/commit/445bddeee657fdc8d2a0a1f0de12975400d4fc1a
    PatchThird Party Advisory
  • github.com https://github.com/flatpak/flatpak/commit/4d11f77aa7fd3e64cfa80af89d92567ab9e8e6fa
    PatchThird Party Advisory
  • github.com https://github.com/flatpak/flatpak/security/advisories/GHSA-8ch7-5j3h-g4fx
    PatchThird Party Advisory
  • lists.fedoraproject.org https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/APFTBYGJJVJPFVHRXUW5PII5XOAFI4KH/
  • lists.fedoraproject.org https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IXKBERLJRYV7KXKGXOLI6IOXVBQNN4DP/
  • security.gentoo.org https://security.gentoo.org/glsa/202312-12
  • debian.org https://www.debian.org/security/2022/dsa-5049
    Third Party Advisory

Remediation

  • github.com https://github.com/flatpak/flatpak/commit/445bddeee657fdc8d2a0a1f0de12975400d4fc1a
    PatchThird Party Advisory
  • github.com https://github.com/flatpak/flatpak/commit/4d11f77aa7fd3e64cfa80af89d92567ab9e8e6fa
    PatchThird Party Advisory
  • github.com https://github.com/flatpak/flatpak/security/advisories/GHSA-8ch7-5j3h-g4fx
    PatchThird Party Advisory