Argument Injection Affecting flatpak/flatpak package, versions [,1.10.9) [1.11.1,1.12.9) [1.13.1,1.14.6) [1.15.0,1.15.8)
- Snyk ID SNYK-UNMANAGED-FLATPAKFLATPAK-6670037
- published 21 Apr 2024
- disclosed 18 Apr 2024
- credit Gergo Koteles
Introduced: 18 Apr 2024
CVE-2024-32462
How to fix?
Upgrade flatpak/flatpak to version 1.10.9, 1.12.9, 1.14.6, 1.15.8 or higher.
Overview
Affected versions of this package are vulnerable to Argument Injection in long option names passed to the xdg-desktop-portal interface org.freedesktop.portal.Background.RequestBackground, leading to sandbox escape. An attacker can have additional commands executed that would normally not be allowed by supplying them as a long option name inside a --command argument, e.g. flatpak run --command=--bind org.gnome.gedit / /host ls -l /host. This is also exploitable by passing malicious arguments directly to flatpak run.
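The following is an added example, not code from flatpak or xdg-desktop-portal, showing the defender-side checks that follow from the description above: a simplified parser for a flatpak run command line, the policy that a --command value must not begin with "-", an audit scan of constructed sample lines, and an argv builder that puts an explicit "--" before the command so the sandbox launcher cannot read it as one of its own options. The parser is a reduced model of flatpak's option handling written for this example, the sample lines are constructed, and the "--" terminator behaviour of the launcher is an assumption stated in the code.

```python
# Added example (not flatpak's own code): defensive checks for the
# `--command=` argument-injection pattern described in the advisory.
import shlex


def parse_flatpak_run(cmdline):
    """Split a `flatpak run ...` command line into its parts.

    Returns a dict with "command" (value of --command, or None when the
    app's default command is used), "app_id" and "args", or None when the
    line is not a `flatpak run` invocation. Option handling is a simplified
    model written for this example, not flatpak's real parser.
    """
    argv = shlex.split(cmdline)
    if argv[:2] != ["flatpak", "run"]:
        return None
    command = None
    rest = argv[2:]
    i = 0
    # Options precede the app id; the first non-option token is the app id.
    while i < len(rest) and rest[i].startswith("-"):
        tok = rest[i]
        if tok.startswith("--command="):
            command = tok[len("--command="):]
        elif tok == "--command" and i + 1 < len(rest):
            i += 1
            command = rest[i]
        i += 1
    app_id = rest[i] if i < len(rest) else None
    return {"command": command, "app_id": app_id, "args": rest[i + 1:]}


def command_is_safe(command):
    """Policy from the workaround: a command name must not start with '-'.

    A value such as "--bind" would otherwise be placed on the launcher's
    command line and parsed there as an option instead of a program name.
    """
    return command != "" and not command.startswith("-")


def sandbox_argv(launcher_opts, command, args):
    """Build the argv handed to the sandbox launcher.

    Assumption for this example: the launcher (bwrap) stops option parsing
    at "--", so the command is appended after it. The name check still runs
    first, so a rejected command never reaches the launcher at all.
    """
    if not command_is_safe(command):
        raise ValueError(f"rejected command name {command!r}")
    return list(launcher_opts) + ["--", command] + list(args)


def scan_audit_lines(lines):
    """Return the lines whose --command value violates the policy."""
    hits = []
    for line in lines:
        parsed = parse_flatpak_run(line)
        if parsed is None or parsed["command"] is None:
            continue
        if not command_is_safe(parsed["command"]):
            hits.append(line)
    return hits


# Constructed sample lines for the scan; not real audit data.
SAMPLE_LINES = [
    "flatpak run org.gnome.gedit",
    "flatpak run --command=sh org.gnome.gedit -c id",
    "flatpak run --command=--bind org.gnome.gedit / /host ls -l /host",
    "flatpak run --command --ro-bind org.gnome.gedit / /host",
]

if __name__ == "__main__":
    for line in scan_audit_lines(SAMPLE_LINES):
        print("policy violation:", line)
    print(sandbox_argv(["bwrap", "--unshare-all"], "sh", ["-c", "id"]))
```

The two checks are complementary: rejecting "-"-prefixed command names stops the injection at the portal boundary, while the "--" terminator protects the launcher even if a bad value slips through a different path.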
Workaround
xdg-desktop-portal has counteracted this vulnerability by allowing only .desktop files for commands that do not start with -. Using a patched version will avoid the vulnerability in flatpak.