Argument Injection Affecting flatpak/flatpak package, versions [,1.10.9) [1.11.1,1.12.9) [1.13.1,1.14.6) [1.15.0,1.15.8)


0.0
high

Snyk CVSS

    Attack Complexity: Low
    Scope: Changed
    Confidentiality: High
    Integrity: High
    Availability: High

Threat Intelligence

    Exploit Maturity: Proof of concept
    EPSS: 0.04% (13th percentile)
Red Hat: 8.4 high

  • Snyk ID: SNYK-UNMANAGED-FLATPAKFLATPAK-6670037
  • Published: 21 Apr 2024
  • Disclosed: 18 Apr 2024
  • Credit: Gergo Koteles

How to fix?

Upgrade flatpak/flatpak to version 1.10.9, 1.12.9, 1.14.6, 1.15.8 or higher.
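The version ranges in this advisory's title use interval notation, which is easy to misread when checking a fleet by hand. The following script is an added example (not Snyk's or flatpak's own tooling) that parses those ranges, decides whether an installed flatpak version is affected, and names the smallest fixed version to move to. It assumes plain dotted-integer version strings (a pre-release suffix such as -rc1 is dropped) and that flatpak --version prints the version as a dotted number, which is what the stand-alone run at the bottom parses.

```python
"""Check a flatpak version against the affected ranges given in this advisory.

Added example, not Snyk's or flatpak's own tooling. Range notation follows the
advisory title: '[' / ']' are inclusive bounds, '(' / ')' exclusive bounds, and
an empty bound is unbounded. Versions are assumed to be dotted integers; a
pre-release suffix such as '-rc1' is ignored.
"""
import re
from typing import List, Optional, Tuple

# Affected ranges and fix versions, copied from the advisory text.
AFFECTED_RANGES = "[,1.10.9) [1.11.1,1.12.9) [1.13.1,1.14.6) [1.15.0,1.15.8)"
FIXED_VERSIONS = ("1.10.9", "1.12.9", "1.14.6", "1.15.8")


def parse_version(text: str) -> Tuple[int, ...]:
    """'1.14.4' -> (1, 14, 4); '1.15.8-rc1' -> (1, 15, 8)."""
    m = re.match(r"\d+(?:\.\d+)*", text.strip())
    if not m:
        raise ValueError(f"not a version string: {text!r}")
    return tuple(int(part) for part in m.group(0).split("."))


def parse_ranges(spec: str) -> List[tuple]:
    """Turn space-separated interval tokens into (lo, lo_incl, hi, hi_incl) tuples."""
    ranges = []
    for token in spec.split():
        if token[0] not in "[(" or token[-1] not in "])":
            raise ValueError(f"malformed range token: {token!r}")
        lo, hi = token[1:-1].split(",")
        ranges.append((
            parse_version(lo) if lo else None, token[0] == "[",
            parse_version(hi) if hi else None, token[-1] == "]",
        ))
    return ranges


def is_affected(version: str, spec: str = AFFECTED_RANGES) -> bool:
    """True if the version falls inside any of the affected intervals."""
    v = parse_version(version)
    for lo, lo_inc, hi, hi_inc in parse_ranges(spec):
        below = lo is not None and (v < lo or (v == lo and not lo_inc))
        above = hi is not None and (v > hi or (v == hi and not hi_inc))
        if not below and not above:
            return True
    return False


def recommended_upgrade(version: str) -> Optional[str]:
    """Smallest fixed version newer than the installed one, or None if not affected."""
    if not is_affected(version):
        return None
    v = parse_version(version)
    candidates = [f for f in FIXED_VERSIONS if parse_version(f) > v]
    return min(candidates, key=parse_version)


def version_from_cli_output(output: str) -> str:
    """Extract the dotted version from output such as 'Flatpak 1.14.4'."""
    m = re.search(r"(\d+(?:\.\d+)+)", output)
    if not m:
        raise ValueError(f"no version found in {output!r}")
    return m.group(1)


if __name__ == "__main__":
    import subprocess
    out = subprocess.run(["flatpak", "--version"], capture_output=True,
                         text=True, check=True).stdout
    installed = version_from_cli_output(out)
    status = "affected" if is_affected(installed) else "not affected"
    print(installed, status, recommended_upgrade(installed) or "")
```

Note that a version sitting between two ranges (for example anything in the 1.11.x gap below 1.11.1) is reported as not affected because the advisory lists no such interval; treat such a result as "not listed" rather than "known safe" and upgrade anyway.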

Overview

Affected versions of this package are vulnerable to Argument Injection: a command passed through the xdg-desktop-portal interface org.freedesktop.portal.Background.RequestBackground is not prevented from beginning with a long option name, leading to sandbox escape. An attacker can have additional commands executed that would normally not be allowed by supplying a long option as the value of a --command argument, where it is parsed as an option instead of a program name, e.g. flatpak run --command=--bind org.gnome.gedit / /host ls -l /host.

This is also exploitable by passing malicious arguments directly to flatpak run.

Workaround

xdg-desktop-portal mitigates this vulnerability by only allowing .desktop files for commands that do not start with a hyphen (-). Using a patched version of xdg-desktop-portal avoids the vulnerability in flatpak.