CVE-2021-41133

{"id": "CVE-2021-41133", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.6, "accessVector": "LOCAL", "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 3.9, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 2.0}]}, "published": "2021-10-08T14:15:08.723", "references": [{"url": "http://www.openwall.com/lists/oss-security/2021/10/26/9", "tags": ["Mailing List", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/flatpak/flatpak/commit/1330662f33a55e88bfe18e76de28b7922d91a999", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/flatpak/flatpak/commit/26b12484eb8a6219b9e7aa287b298a894b2f34ca", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/flatpak/flatpak/commit/462fca2c666e0cd2b60d6d2593a7216a83047aaf", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/flatpak/flatpak/commit/4c34815784e9ffda5733225c7d95824f96375e36", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/flatpak/flatpak/commit/89ae9fe74c6d445bb1b3a40e568d77cf5de47e48", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/flatpak/flatpak/commit/9766ee05b1425db397d2cf23afd24c7f6146a69f", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/flatpak/flatpak/commit/a10f52a7565c549612c92b8e736a6698a53db330", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/flatpak/flatpak/commit/e26ac7586c392b5eb35ff4609fe232c52523b2cf", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/flatpak/flatpak/security/advisories/GHSA-67h7-w3jq-vh4q", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R5656ONDP2MGKIJMKEC7N2NXCV27WGTC/", "source": "security-advisories@github.com"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T5DKCYRC6MFSTFCUP4DELCOUUP3SFEFX/", "source": "security-advisories@github.com"}, {"url": "https://security.gentoo.org/glsa/202312-12", "source": "security-advisories@github.com"}, {"url": "https://www.debian.org/security/2021/dsa-4984", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-Other"}]}, {"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-20"}]}], "descriptions": [{"lang": "en", "value": "Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. In versions prior to 1.10.4 and 1.12.0, Flatpak apps with direct access to AF_UNIX sockets such as those used by Wayland, Pipewire or pipewire-pulse can trick portals and other host-OS services into treating the Flatpak app as though it was an ordinary, non-sandboxed host-OS process. They can do this by manipulating the VFS using recent mount-related syscalls that are not blocked by Flatpak's denylist seccomp filter, in order to substitute a crafted `/.flatpak-info` or make that file disappear entirely. Flatpak apps that act as clients for AF_UNIX sockets such as those used by Wayland, Pipewire or pipewire-pulse can escalate the privileges that the corresponding services will believe the Flatpak app has. Note that protocols that operate entirely over the D-Bus session bus (user bus), system bus or accessibility bus are not affected by this. This is due to the use of a proxy process `xdg-dbus-proxy`, whose VFS cannot be manipulated by the Flatpak app, when interacting with these buses. Patches exist for versions 1.10.4 and 1.12.0, and as of time of publication, a patch for version 1.8.2 is being planned. There are no workarounds aside from upgrading to a patched version."}, {"lang": "es", "value": "Flatpak es un sistema para construir, distribuir y ejecutar aplicaciones de escritorio en sandbox en Linux. En versiones anteriores a 1.10.4 y 1.12.0, las aplicaciones Flatpak con acceso directo a los sockets AF_UNIX, como los usados por Wayland, Pipewire o pipewire-pulse, pueden enga\u00f1ar a los portales y otros servicios del sistema operativo anfitri\u00f3n para que traten la aplicaci\u00f3n Flatpak como si fuera un proceso ordinario del Sistema Operativo anfitri\u00f3n sin sandbox. Pueden hacer esto al manipular el VFS usando recientes llamadas al sistema relacionadas con el montaje que no est\u00e1n bloqueadas por el filtro seccomp de Flatpak, para sustituir un \"/.flatpak-info\" dise\u00f1ado o hacer que ese archivo desaparezca por completo. Las aplicaciones Flatpak que act\u00faan como clientes de sockets AF_UNIX como los usados por Wayland, Pipewire o pipewire-pulse pueden escalar los privilegios que los servicios correspondientes creer\u00e1n que presenta la aplicaci\u00f3n Flatpak. Ten en cuenta que los protocolos que operan completamente sobre el bus de sesi\u00f3n D-Bus (bus de usuario), el bus de sistema o el bus de accesibilidad no est\u00e1n afectados por esto. Esto es debido al uso de un proceso proxy \"xdg-dbus-proxy\", cuyo VFS no puede ser manipulado por la app Flatpak, cuando interact\u00faa con estos buses. Se presentan parches para las versiones 1.10.4 y 1.12.0, y en el momento de la publicaci\u00f3n, se est\u00e1 planeando un parche para la versi\u00f3n 1.8.2. No se presentan soluciones aparte de la actualizaci\u00f3n a una versi\u00f3n parcheada"}], "lastModified": "2023-12-23T10:15:08.590", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:flatpak:flatpak:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "69BAD0B1-DDB3-46FE-8AEB-BF7203829E07", "versionEndExcluding": "1.8.2"}, {"criteria": "cpe:2.3:a:flatpak:flatpak:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E8521E68-800E-4633-9A6D-2CDDA84B77F1", "versionEndExcluding": "1.10.4", "versionStartIncluding": "1.10.0"}, {"criteria": "cpe:2.3:a:flatpak:flatpak:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "00DC4C26-B1FD-4244-85CD-8507B0BFD961", "versionEndExcluding": "1.12.1", "versionStartIncluding": "1.11.1"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E460AA51-FCDA-46B9-AE97-E6676AA5E194"}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A930E247-0B43-43CB-98FF-6CE7B8189835"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}