CVE-2021-41133 (GCVE-0-2021-41133)
Vulnerability from cvelistv5 – Published: 2021-10-08 00:00 – Updated: 2024-08-04 02:59 – CWE-20 - Improper Input Validation. Note for triage: the containers below disagree on severity and affected ranges — the CNA (GitHub_M) scores CVSS 3.1 8.8 with scope CHANGED, while NVD's primary score is 7.8 with scope UNCHANGED (see the embedded NVD data); the CNA lists 1.8.0–1.8.2 inclusive and &lt; 1.12.0, the CISA ADP lists &lt; 1.8.2 and ≤ 1.10.4, and NVD lists &lt; 1.8.2, 1.10.0–&lt; 1.10.4 and 1.11.1–&lt; 1.12.1. Treat the vendor advisory (GHSA-67h7-w3jq-vh4q) and the distribution-specific fixed package versions as authoritative rather than any single range here.
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:flatpak:flatpak:1.10.0:*:*:*:*:*:*:*",
"cpe:2.3:a:flatpak:flatpak:1.11.0:*:*:*:*:*:*:*",
"cpe:2.3:a:flatpak:flatpak:1.8.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "flatpak",
"vendor": "flatpak",
"versions": [
{
"lessThanOrEqual": "1.10.4",
"status": "affected",
"version": "1.10.0",
"versionType": "custom"
},
{
"lessThan": "1.12.0",
"status": "affected",
"version": "1.11.0",
"versionType": "custom"
},
{
"lessThan": "1.8.2",
"status": "affected",
"version": "1.8.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "fedora",
"vendor": "fedoraproject",
"versions": [
{
"status": "affected",
"version": "34"
}
]
},
{
"cpes": [
"cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "fedora",
"vendor": "fedoraproject",
"versions": [
{
"status": "affected",
"version": "33"
}
]
},
{
"cpes": [
"cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "debian_linux",
"vendor": "debian",
"versions": [
{
"status": "affected",
"version": "11.0"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-41133",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-30T16:07:06.539565Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-30T16:14:27.263Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-04T02:59:31.388Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/flatpak/flatpak/security/advisories/GHSA-67h7-w3jq-vh4q"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/flatpak/flatpak/commit/1330662f33a55e88bfe18e76de28b7922d91a999"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/flatpak/flatpak/commit/26b12484eb8a6219b9e7aa287b298a894b2f34ca"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/flatpak/flatpak/commit/462fca2c666e0cd2b60d6d2593a7216a83047aaf"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/flatpak/flatpak/commit/4c34815784e9ffda5733225c7d95824f96375e36"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/flatpak/flatpak/commit/89ae9fe74c6d445bb1b3a40e568d77cf5de47e48"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/flatpak/flatpak/commit/9766ee05b1425db397d2cf23afd24c7f6146a69f"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/flatpak/flatpak/commit/a10f52a7565c549612c92b8e736a6698a53db330"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/flatpak/flatpak/commit/e26ac7586c392b5eb35ff4609fe232c52523b2cf"
},
{
"name": "FEDORA-2021-4b201d15e6",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R5656ONDP2MGKIJMKEC7N2NXCV27WGTC/"
},
{
"name": "DSA-4984",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://www.debian.org/security/2021/dsa-4984"
},
{
"name": "[oss-security] 20211026 WebKitGTK and WPE WebKit Security Advisory WSA-2021-0006",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2021/10/26/9"
},
{
"name": "FEDORA-2021-c5a9c85737",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T5DKCYRC6MFSTFCUP4DELCOUUP3SFEFX/"
},
{
"name": "GLSA-202312-12",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202312-12"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "flatpak",
"vendor": "flatpak",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.8.0, \u003c= 1.8.2"
},
{
"status": "affected",
"version": "\u003e= 1.10.0, \u003c 1.10.4"
},
{
"status": "affected",
"version": "\u003e= 1.11.0, \u003c 1.12.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. In versions prior to 1.10.4 and 1.12.0, Flatpak apps with direct access to AF_UNIX sockets such as those used by Wayland, Pipewire or pipewire-pulse can trick portals and other host-OS services into treating the Flatpak app as though it was an ordinary, non-sandboxed host-OS process. They can do this by manipulating the VFS using recent mount-related syscalls that are not blocked by Flatpak\u0027s denylist seccomp filter, in order to substitute a crafted `/.flatpak-info` or make that file disappear entirely. Flatpak apps that act as clients for AF_UNIX sockets such as those used by Wayland, Pipewire or pipewire-pulse can escalate the privileges that the corresponding services will believe the Flatpak app has. Note that protocols that operate entirely over the D-Bus session bus (user bus), system bus or accessibility bus are not affected by this. This is due to the use of a proxy process `xdg-dbus-proxy`, whose VFS cannot be manipulated by the Flatpak app, when interacting with these buses. Patches exist for versions 1.10.4 and 1.12.0, and as of time of publication, a patch for version 1.8.2 is being planned. There are no workarounds aside from upgrading to a patched version."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-23T10:06:26.199Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"url": "https://github.com/flatpak/flatpak/security/advisories/GHSA-67h7-w3jq-vh4q"
},
{
"url": "https://github.com/flatpak/flatpak/commit/1330662f33a55e88bfe18e76de28b7922d91a999"
},
{
"url": "https://github.com/flatpak/flatpak/commit/26b12484eb8a6219b9e7aa287b298a894b2f34ca"
},
{
"url": "https://github.com/flatpak/flatpak/commit/462fca2c666e0cd2b60d6d2593a7216a83047aaf"
},
{
"url": "https://github.com/flatpak/flatpak/commit/4c34815784e9ffda5733225c7d95824f96375e36"
},
{
"url": "https://github.com/flatpak/flatpak/commit/89ae9fe74c6d445bb1b3a40e568d77cf5de47e48"
},
{
"url": "https://github.com/flatpak/flatpak/commit/9766ee05b1425db397d2cf23afd24c7f6146a69f"
},
{
"url": "https://github.com/flatpak/flatpak/commit/a10f52a7565c549612c92b8e736a6698a53db330"
},
{
"url": "https://github.com/flatpak/flatpak/commit/e26ac7586c392b5eb35ff4609fe232c52523b2cf"
},
{
"name": "FEDORA-2021-4b201d15e6",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R5656ONDP2MGKIJMKEC7N2NXCV27WGTC/"
},
{
"name": "DSA-4984",
"tags": [
"vendor-advisory"
],
"url": "https://www.debian.org/security/2021/dsa-4984"
},
{
"name": "[oss-security] 20211026 WebKitGTK and WPE WebKit Security Advisory WSA-2021-0006",
"tags": [
"mailing-list"
],
"url": "http://www.openwall.com/lists/oss-security/2021/10/26/9"
},
{
"name": "FEDORA-2021-c5a9c85737",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T5DKCYRC6MFSTFCUP4DELCOUUP3SFEFX/"
},
{
"name": "GLSA-202312-12",
"tags": [
"vendor-advisory"
],
"url": "https://security.gentoo.org/glsa/202312-12"
}
],
"source": {
"advisory": "GHSA-67h7-w3jq-vh4q",
"discovery": "UNKNOWN"
},
"title": "Sandbox bypass via recent VFS-manipulating syscalls"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-41133",
"datePublished": "2021-10-08T00:00:00.000Z",
"dateReserved": "2021-09-15T00:00:00.000Z",
"dateUpdated": "2024-08-04T02:59:31.388Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2021-41133",
"date": "2026-05-30",
"epss": "0.00061",
"percentile": "0.19152"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2021-41133\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2021-10-08T14:15:08.723\",\"lastModified\":\"2024-11-21T06:25:33.023\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. In versions prior to 1.10.4 and 1.12.0, Flatpak apps with direct access to AF_UNIX sockets such as those used by Wayland, Pipewire or pipewire-pulse can trick portals and other host-OS services into treating the Flatpak app as though it was an ordinary, non-sandboxed host-OS process. They can do this by manipulating the VFS using recent mount-related syscalls that are not blocked by Flatpak\u0027s denylist seccomp filter, in order to substitute a crafted `/.flatpak-info` or make that file disappear entirely. Flatpak apps that act as clients for AF_UNIX sockets such as those used by Wayland, Pipewire or pipewire-pulse can escalate the privileges that the corresponding services will believe the Flatpak app has. Note that protocols that operate entirely over the D-Bus session bus (user bus), system bus or accessibility bus are not affected by this. This is due to the use of a proxy process `xdg-dbus-proxy`, whose VFS cannot be manipulated by the Flatpak app, when interacting with these buses. Patches exist for versions 1.10.4 and 1.12.0, and as of time of publication, a patch for version 1.8.2 is being planned. There are no workarounds aside from upgrading to a patched version.\"},{\"lang\":\"es\",\"value\":\"Flatpak es un sistema para construir, distribuir y ejecutar aplicaciones de escritorio en sandbox en Linux. 
En versiones anteriores a 1.10.4 y 1.12.0, las aplicaciones Flatpak con acceso directo a los sockets AF_UNIX, como los usados por Wayland, Pipewire o pipewire-pulse, pueden enga\u00f1ar a los portales y otros servicios del sistema operativo anfitri\u00f3n para que traten la aplicaci\u00f3n Flatpak como si fuera un proceso ordinario del Sistema Operativo anfitri\u00f3n sin sandbox. Pueden hacer esto al manipular el VFS usando recientes llamadas al sistema relacionadas con el montaje que no est\u00e1n bloqueadas por el filtro seccomp de Flatpak, para sustituir un \\\"/.flatpak-info\\\" dise\u00f1ado o hacer que ese archivo desaparezca por completo. Las aplicaciones Flatpak que act\u00faan como clientes de sockets AF_UNIX como los usados por Wayland, Pipewire o pipewire-pulse pueden escalar los privilegios que los servicios correspondientes creer\u00e1n que presenta la aplicaci\u00f3n Flatpak. Ten en cuenta que los protocolos que operan completamente sobre el bus de sesi\u00f3n D-Bus (bus de usuario), el bus de sistema o el bus de accesibilidad no est\u00e1n afectados por esto. Esto es debido al uso de un proceso proxy \\\"xdg-dbus-proxy\\\", cuyo VFS no puede ser manipulado por la app Flatpak, cuando interact\u00faa con estos buses. Se presentan parches para las versiones 1.10.4 y 1.12.0, y en el momento de la publicaci\u00f3n, se est\u00e1 planeando un parche para la versi\u00f3n 1.8.2. 
No se presentan soluciones aparte de la actualizaci\u00f3n a una versi\u00f3n parcheada\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.0,\"impactScore\":6.0},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:L/AC:L/Au:N/C:P/I:P/A:P\",\"baseScore\":4.6,\"accessVector\":\"LOCAL\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":3.9,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-20\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-Other\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\
"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:flatpak:flatpak:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.8.2\",\"matchCriteriaId\":\"69BAD0B1-DDB3-46FE-8AEB-BF7203829E07\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:flatpak:flatpak:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"1.10.0\",\"versionEndExcluding\":\"1.10.4\",\"matchCriteriaId\":\"E8521E68-800E-4633-9A6D-2CDDA84B77F1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:flatpak:flatpak:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"1.11.1\",\"versionEndExcluding\":\"1.12.1\",\"matchCriteriaId\":\"00DC4C26-B1FD-4244-85CD-8507B0BFD961\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"FA6FEEC2-9F11-4643-8827-749718254FED\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E460AA51-FCDA-46B9-AE97-E6676AA5E194\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A930E247-0B43-43CB-98FF-6CE7B8189835\"}]}]}],\"references\":[{\"url\":\"http://www.openwall.com/lists/oss-security/2021/10/26/9\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/flatpak/flatpak/commit/1330662f33a55e88bfe18e76de28b7922d91a999\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/flatpak/flatpak/commit/26b12484eb8a6219b9e7aa287b298a894b2f34ca\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/flatpak/flatpak/commit/462fca2c666e0cd2b60d6d2593a7216a83047aaf\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party 
Advisory\"]},{\"url\":\"https://github.com/flatpak/flatpak/commit/4c34815784e9ffda5733225c7d95824f96375e36\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/flatpak/flatpak/commit/89ae9fe74c6d445bb1b3a40e568d77cf5de47e48\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/flatpak/flatpak/commit/9766ee05b1425db397d2cf23afd24c7f6146a69f\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/flatpak/flatpak/commit/a10f52a7565c549612c92b8e736a6698a53db330\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/flatpak/flatpak/commit/e26ac7586c392b5eb35ff4609fe232c52523b2cf\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/flatpak/flatpak/security/advisories/GHSA-67h7-w3jq-vh4q\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R5656ONDP2MGKIJMKEC7N2NXCV27WGTC/\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T5DKCYRC6MFSTFCUP4DELCOUUP3SFEFX/\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://security.gentoo.org/glsa/202312-12\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://www.debian.org/security/2021/dsa-4984\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://www.openwall.com/lists/oss-security/2021/10/26/9\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party 
Advisory\"]},{\"url\":\"https://github.com/flatpak/flatpak/commit/1330662f33a55e88bfe18e76de28b7922d91a999\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/flatpak/flatpak/commit/26b12484eb8a6219b9e7aa287b298a894b2f34ca\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/flatpak/flatpak/commit/462fca2c666e0cd2b60d6d2593a7216a83047aaf\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/flatpak/flatpak/commit/4c34815784e9ffda5733225c7d95824f96375e36\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/flatpak/flatpak/commit/89ae9fe74c6d445bb1b3a40e568d77cf5de47e48\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/flatpak/flatpak/commit/9766ee05b1425db397d2cf23afd24c7f6146a69f\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/flatpak/flatpak/commit/a10f52a7565c549612c92b8e736a6698a53db330\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/flatpak/flatpak/commit/e26ac7586c392b5eb35ff4609fe232c52523b2cf\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/flatpak/flatpak/security/advisories/GHSA-67h7-w3jq-vh4q\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party 
Advisory\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R5656ONDP2MGKIJMKEC7N2NXCV27WGTC/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T5DKCYRC6MFSTFCUP4DELCOUUP3SFEFX/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://security.gentoo.org/glsa/202312-12\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://www.debian.org/security/2021/dsa-4984\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/flatpak/flatpak/security/advisories/GHSA-67h7-w3jq-vh4q\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://github.com/flatpak/flatpak/commit/1330662f33a55e88bfe18e76de28b7922d91a999\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://github.com/flatpak/flatpak/commit/26b12484eb8a6219b9e7aa287b298a894b2f34ca\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://github.com/flatpak/flatpak/commit/462fca2c666e0cd2b60d6d2593a7216a83047aaf\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://github.com/flatpak/flatpak/commit/4c34815784e9ffda5733225c7d95824f96375e36\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://github.com/flatpak/flatpak/commit/89ae9fe74c6d445bb1b3a40e568d77cf5de47e48\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://github.com/flatpak/flatpak/commit/9766ee05b1425db397d2cf23afd24c7f6146a69f\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://github.com/flatpak/flatpak/commit/a10f52a7565c549612c92b8e736a6698a53db330\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://github.com/flatpak/flatpak/commit/e26ac7586c392b5eb35ff4609fe232c52523b2cf\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R5656ONDP2MGKIJMKEC7N2NXCV27WGTC/\", \"name\": \"FEDORA-2021-4b201d15e6\", \"tags\": [\"vendor-advisory\", \"x_transferred\"]}, {\"url\": \"https://www.debian.org/security/2021/dsa-4984\", \"name\": \"DSA-4984\", \"tags\": [\"vendor-advisory\", \"x_transferred\"]}, {\"url\": \"http://www.openwall.com/lists/oss-security/2021/10/26/9\", \"name\": \"[oss-security] 20211026 WebKitGTK and WPE WebKit Security Advisory WSA-2021-0006\", \"tags\": [\"mailing-list\", \"x_transferred\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T5DKCYRC6MFSTFCUP4DELCOUUP3SFEFX/\", \"name\": 
\"FEDORA-2021-c5a9c85737\", \"tags\": [\"vendor-advisory\", \"x_transferred\"]}, {\"url\": \"https://security.gentoo.org/glsa/202312-12\", \"name\": \"GLSA-202312-12\", \"tags\": [\"vendor-advisory\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-04T02:59:31.388Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2021-41133\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-07-30T16:07:06.539565Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:flatpak:flatpak:1.10.0:*:*:*:*:*:*:*\", \"cpe:2.3:a:flatpak:flatpak:1.11.0:*:*:*:*:*:*:*\", \"cpe:2.3:a:flatpak:flatpak:1.8.0:*:*:*:*:*:*:*\"], \"vendor\": \"flatpak\", \"product\": \"flatpak\", \"versions\": [{\"status\": \"affected\", \"version\": \"1.10.0\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"1.10.4\"}, {\"status\": \"affected\", \"version\": \"1.11.0\", \"lessThan\": \"1.12.0\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"1.8.0\", \"lessThan\": \"1.8.2\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}, {\"cpes\": [\"cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*\"], \"vendor\": \"fedoraproject\", \"product\": \"fedora\", \"versions\": [{\"status\": \"affected\", \"version\": \"34\"}], \"defaultStatus\": \"unknown\"}, {\"cpes\": [\"cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*\"], \"vendor\": \"fedoraproject\", \"product\": \"fedora\", \"versions\": [{\"status\": \"affected\", \"version\": \"33\"}], \"defaultStatus\": \"unknown\"}, {\"cpes\": [\"cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*\"], \"vendor\": \"debian\", \"product\": \"debian_linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"11.0\"}], \"defaultStatus\": \"unknown\"}], 
\"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-07-30T16:11:33.580Z\"}}], \"cna\": {\"title\": \"Sandbox bypass via recent VFS-manipulating syscalls\", \"source\": {\"advisory\": \"GHSA-67h7-w3jq-vh4q\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 8.8, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"flatpak\", \"product\": \"flatpak\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 1.8.0, \u003c= 1.8.2\"}, {\"status\": \"affected\", \"version\": \"\u003e= 1.10.0, \u003c 1.10.4\"}, {\"status\": \"affected\", \"version\": \"\u003e= 1.11.0, \u003c 1.12.0\"}]}], \"references\": [{\"url\": \"https://github.com/flatpak/flatpak/security/advisories/GHSA-67h7-w3jq-vh4q\"}, {\"url\": \"https://github.com/flatpak/flatpak/commit/1330662f33a55e88bfe18e76de28b7922d91a999\"}, {\"url\": \"https://github.com/flatpak/flatpak/commit/26b12484eb8a6219b9e7aa287b298a894b2f34ca\"}, {\"url\": \"https://github.com/flatpak/flatpak/commit/462fca2c666e0cd2b60d6d2593a7216a83047aaf\"}, {\"url\": \"https://github.com/flatpak/flatpak/commit/4c34815784e9ffda5733225c7d95824f96375e36\"}, {\"url\": \"https://github.com/flatpak/flatpak/commit/89ae9fe74c6d445bb1b3a40e568d77cf5de47e48\"}, {\"url\": \"https://github.com/flatpak/flatpak/commit/9766ee05b1425db397d2cf23afd24c7f6146a69f\"}, {\"url\": \"https://github.com/flatpak/flatpak/commit/a10f52a7565c549612c92b8e736a6698a53db330\"}, {\"url\": \"https://github.com/flatpak/flatpak/commit/e26ac7586c392b5eb35ff4609fe232c52523b2cf\"}, {\"url\": 
\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R5656ONDP2MGKIJMKEC7N2NXCV27WGTC/\", \"name\": \"FEDORA-2021-4b201d15e6\", \"tags\": [\"vendor-advisory\"]}, {\"url\": \"https://www.debian.org/security/2021/dsa-4984\", \"name\": \"DSA-4984\", \"tags\": [\"vendor-advisory\"]}, {\"url\": \"http://www.openwall.com/lists/oss-security/2021/10/26/9\", \"name\": \"[oss-security] 20211026 WebKitGTK and WPE WebKit Security Advisory WSA-2021-0006\", \"tags\": [\"mailing-list\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T5DKCYRC6MFSTFCUP4DELCOUUP3SFEFX/\", \"name\": \"FEDORA-2021-c5a9c85737\", \"tags\": [\"vendor-advisory\"]}, {\"url\": \"https://security.gentoo.org/glsa/202312-12\", \"name\": \"GLSA-202312-12\", \"tags\": [\"vendor-advisory\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. In versions prior to 1.10.4 and 1.12.0, Flatpak apps with direct access to AF_UNIX sockets such as those used by Wayland, Pipewire or pipewire-pulse can trick portals and other host-OS services into treating the Flatpak app as though it was an ordinary, non-sandboxed host-OS process. They can do this by manipulating the VFS using recent mount-related syscalls that are not blocked by Flatpak\u0027s denylist seccomp filter, in order to substitute a crafted `/.flatpak-info` or make that file disappear entirely. Flatpak apps that act as clients for AF_UNIX sockets such as those used by Wayland, Pipewire or pipewire-pulse can escalate the privileges that the corresponding services will believe the Flatpak app has. Note that protocols that operate entirely over the D-Bus session bus (user bus), system bus or accessibility bus are not affected by this. 
This is due to the use of a proxy process `xdg-dbus-proxy`, whose VFS cannot be manipulated by the Flatpak app, when interacting with these buses. Patches exist for versions 1.10.4 and 1.12.0, and as of time of publication, a patch for version 1.8.2 is being planned. There are no workarounds aside from upgrading to a patched version.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-20\", \"description\": \"CWE-20: Improper Input Validation\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2023-12-23T10:06:26.199Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2021-41133\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-08-04T02:59:31.388Z\", \"dateReserved\": \"2021-09-15T00:00:00.000Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2021-10-08T00:00:00.000Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
alsa-2021:4042
Vulnerability from osv_almalinux
Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux.
Security Fix(es):
- flatpak: Sandbox bypass via recent VFS-manipulating syscalls (CVE-2021-41133)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Note that the AlmaLinux 8 fix is delivered as package release 1.8.5-4.el8_4 (flatpak, flatpak-libs, flatpak-selinux, flatpak-session-helper); when verifying remediation, compare the installed package's full version-release (NEVR) against that value rather than the upstream version ranges in the CVE record, since the upstream 1.8.x number alone does not indicate whether the distribution patch is present.
{
"affected": [
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "flatpak"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.8.5-4.el8_4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "flatpak-libs"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.8.5-4.el8_4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "flatpak-selinux"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.8.5-4.el8_4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "flatpak-session-helper"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.8.5-4.el8_4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"details": "Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux.\n\nSecurity Fix(es):\n\n* flatpak: Sandbox bypass via recent VFS-manipulating syscalls (CVE-2021-41133)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"id": "ALSA-2021:4042",
"modified": "2021-11-12T10:20:56Z",
"published": "2021-11-01T13:11:58Z",
"references": [
{
"type": "REPORT",
"url": "https://vulners.com/cve/CVE-2021-41133"
}
],
"related": [
"CVE-2021-41133"
],
"summary": "Important: flatpak security update"
}
{
"CVSS 2.0": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"CVSS 3.0": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"CVSS 4.0": null,
"remediation_\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": null,
"remediation_\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435": null,
"\u0412\u0435\u043d\u0434\u043e\u0440 \u041f\u041e": "\u0421\u043e\u043e\u0431\u0449\u0435\u0441\u0442\u0432\u043e \u0441\u0432\u043e\u0431\u043e\u0434\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f, \u041e\u041e\u041e \u00ab\u0420\u0443\u0441\u0411\u0418\u0422\u0435\u0445-\u0410\u0441\u0442\u0440\u0430\u00bb, \u0410\u041e \u00ab\u041d\u0422\u0426 \u0418\u0422 \u0420\u041e\u0421\u0410\u00bb, \u0410\u041e \"\u041d\u041f\u041f\u041a\u0422\"",
"\u0412\u0435\u0440\u0441\u0438\u044f \u041f\u041e": "9 (Debian GNU/Linux), 8 (Debian GNU/Linux), 10 (Debian GNU/Linux), 1.7 (Astra Linux Special Edition), \u0434\u043e 1.8.2 (Flatpak), \u043e\u0442 1.10.0 \u0434\u043e 1.10.4 (Flatpak), \u043e\u0442 1.11.1 \u0434\u043e 1.12.1 (Flatpak), 7.9 (\u0420\u041e\u0421\u0410 \u041a\u043e\u0431\u0430\u043b\u044c\u0442), \u0434\u043e 2.9 (\u041e\u0421\u041e\u041d \u041e\u0421\u043d\u043e\u0432\u0430 \u041enyx)",
"\u0412\u043e\u0437\u043c\u043e\u0436\u043d\u044b\u0435 \u043c\u0435\u0440\u044b \u043f\u043e \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044e": "\u0414\u043b\u044f Flatpak:\n\u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0439 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u044f: https://github.com/flatpak/flatpak/security/advisories/GHSA-67h7-w3jq-vh4q\n\n\u0414\u043b\u044f \u041e\u0421 Debian:\n\u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0439 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u044f: https://security-tracker.debian.org/tracker/CVE-2021-41133\n\n\u0414\u043b\u044f Astra Linux:\n\u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0439 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u044f: https://wiki.astralinux.ru/astra-linux-se17-bulletin-2021-1126SE17\n\n\u0414\u043b\u044f \u041e\u0421\u041e\u041d \u041e\u0421\u043d\u043e\u0432\u0430 \u041enyx:\n\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f flatpak \u0434\u043e \u0432\u0435\u0440\u0441\u0438\u0438 1.10.7-0+deb11u1~bpo10+1\n\n\u0414\u043b\u044f \u041e\u0421 \u0420\u041e\u0421\u0410 \"\u041a\u041e\u0411\u0410\u041b\u042c\u0422\": https://abf.rosa.ru/advisories/ROSA-SA-2024-2487\n\n\u0414\u043b\u044f \u041e\u0421 \u0420\u041e\u0421\u0410 \"\u041a\u041e\u0411\u0410\u041b\u042c\u0422\": https://abf.rosa.ru/advisories/ROSA-SA-2024-2487",
"\u0414\u0430\u0442\u0430 \u0432\u044b\u044f\u0432\u043b\u0435\u043d\u0438\u044f": "15.09.2021",
"\u0414\u0430\u0442\u0430 \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u0435\u0433\u043e \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f": "05.03.2025",
"\u0414\u0430\u0442\u0430 \u043f\u0443\u0431\u043b\u0438\u043a\u0430\u0446\u0438\u0438": "17.01.2022",
"\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": "BDU:2022-00259",
"\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440\u044b \u0434\u0440\u0443\u0433\u0438\u0445 \u0441\u0438\u0441\u0442\u0435\u043c \u043e\u043f\u0438\u0441\u0430\u043d\u0438\u0439 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "CVE-2021-41133",
"\u0418\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f \u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0430",
"\u041a\u043b\u0430\u0441\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043a\u043e\u0434\u0430",
"\u041d\u0430\u0437\u0432\u0430\u043d\u0438\u0435 \u041f\u041e": "Debian GNU/Linux, Astra Linux Special Edition (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u2116369), Flatpak, \u0420\u041e\u0421\u0410 \u041a\u043e\u0431\u0430\u043b\u044c\u0442 (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21161999), \u041e\u0421\u041e\u041d \u041e\u0421\u043d\u043e\u0432\u0430 \u041enyx (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21165913)",
"\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u041e\u0421 \u0438 \u0442\u0438\u043f \u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b": "\u0421\u043e\u043e\u0431\u0449\u0435\u0441\u0442\u0432\u043e \u0441\u0432\u043e\u0431\u043e\u0434\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f Debian GNU/Linux 9 , \u0421\u043e\u043e\u0431\u0449\u0435\u0441\u0442\u0432\u043e \u0441\u0432\u043e\u0431\u043e\u0434\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f Debian GNU/Linux 8 , \u0421\u043e\u043e\u0431\u0449\u0435\u0441\u0442\u0432\u043e \u0441\u0432\u043e\u0431\u043e\u0434\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f Debian GNU/Linux 10 , \u041e\u041e\u041e \u00ab\u0420\u0443\u0441\u0411\u0418\u0422\u0435\u0445-\u0410\u0441\u0442\u0440\u0430\u00bb Astra Linux Special Edition 1.7 (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u2116369), \u0410\u041e \u00ab\u041d\u0422\u0426 \u0418\u0422 \u0420\u041e\u0421\u0410\u00bb \u0420\u041e\u0421\u0410 \u041a\u043e\u0431\u0430\u043b\u044c\u0442 7.9 (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21161999), \u0410\u041e \"\u041d\u041f\u041f\u041a\u0422\" \u041e\u0421\u041e\u041d \u041e\u0421\u043d\u043e\u0432\u0430 \u041enyx \n\u0434\u043e 2.9 (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21165913)",
"\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0438\u043d\u0441\u0442\u0440\u0443\u043c\u0435\u043d\u0442\u0430 \u0434\u043b\u044f \u0443\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u0438\u044f \u043f\u0440\u0438\u043b\u043e\u0436\u0435\u043d\u0438\u044f\u043c\u0438 \u0438 \u0441\u0440\u0435\u0434\u0430\u043c\u0438 Flatpak, \u0441\u0432\u044f\u0437\u0430\u043d\u043d\u0430\u044f \u0441 \u043d\u0435\u0434\u043e\u0441\u0442\u0430\u0442\u043e\u0447\u043d\u043e\u0439 \u043f\u0440\u043e\u0432\u0435\u0440\u043a\u043e\u0439 \u0432\u0432\u043e\u0434\u0438\u043c\u044b\u0445 \u0434\u0430\u043d\u043d\u044b\u0445, \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044e\u0449\u0430\u044f \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e \u043f\u043e\u043b\u0443\u0447\u0438\u0442\u044c \u0434\u043e\u0441\u0442\u0443\u043f \u043a \u043a\u043e\u043d\u0444\u0438\u0434\u0435\u043d\u0446\u0438\u0430\u043b\u044c\u043d\u044b\u043c \u0434\u0430\u043d\u043d\u044b\u043c, \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u044c \u0438\u0445 \u0446\u0435\u043b\u043e\u0441\u0442\u043d\u043e\u0441\u0442\u044c, \u0430 \u0442\u0430\u043a\u0436\u0435 \u0432\u044b\u0437\u0432\u0430\u0442\u044c \u043e\u0442\u043a\u0430\u0437 \u0432 \u043e\u0431\u0441\u043b\u0443\u0436\u0438\u0432\u0430\u043d\u0438\u0438",
"\u041d\u0430\u043b\u0438\u0447\u0438\u0435 \u044d\u043a\u0441\u043f\u043b\u043e\u0439\u0442\u0430": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
"\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "\u041d\u0435\u0434\u043e\u0441\u0442\u0430\u0442\u043e\u0447\u043d\u0430\u044f \u043f\u0440\u043e\u0432\u0435\u0440\u043a\u0430 \u0432\u0432\u043e\u0434\u0438\u043c\u044b\u0445 \u0434\u0430\u043d\u043d\u044b\u0445 (CWE-20)",
"\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0438\u043d\u0441\u0442\u0440\u0443\u043c\u0435\u043d\u0442\u0430 \u0434\u043b\u044f \u0443\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u0438\u044f \u043f\u0440\u0438\u043b\u043e\u0436\u0435\u043d\u0438\u044f\u043c\u0438 \u0438 \u0441\u0440\u0435\u0434\u0430\u043c\u0438 Flatpak \u0441\u0432\u044f\u0437\u0430\u043d\u0430 \u0441 \u043e\u0442\u0441\u0443\u0442\u0441\u0442\u0432\u0438\u0435\u043c \u0431\u043b\u043e\u043a\u0438\u0440\u043e\u0432\u043a\u0438 \u0432 seccomp-\u0444\u0438\u043b\u044c\u0442\u0440\u0435 \u0441\u0432\u044f\u0437\u0430\u043d\u043d\u044b\u0445 \u0441 mount \u0441\u0438\u0441\u0442\u0435\u043c\u043d\u044b\u0445 \u0432\u044b\u0437\u043e\u0432\u043e\u0432. \u042d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u043c\u043e\u0436\u0435\u0442 \u043f\u043e\u0437\u0432\u043e\u043b\u0438\u0442\u044c \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e \u043f\u043e\u043b\u0443\u0447\u0438\u0442\u044c \u0434\u043e\u0441\u0442\u0443\u043f \u043a \u043a\u043e\u043d\u0444\u0438\u0434\u0435\u043d\u0446\u0438\u0430\u043b\u044c\u043d\u044b\u043c \u0434\u0430\u043d\u043d\u044b\u043c, \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u044c \u0438\u0445 \u0446\u0435\u043b\u043e\u0441\u0442\u043d\u043e\u0441\u0442\u044c, \u0430 \u0442\u0430\u043a\u0436\u0435 \u0432\u044b\u0437\u0432\u0430\u0442\u044c \u043e\u0442\u043a\u0430\u0437 \u0432 \u043e\u0431\u0441\u043b\u0443\u0436\u0438\u0432\u0430\u043d\u0438\u0438",
"\u041f\u043e\u0441\u043b\u0435\u0434\u0441\u0442\u0432\u0438\u044f \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": null,
"\u041f\u0440\u043e\u0447\u0430\u044f \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f": null,
"\u0421\u0432\u044f\u0437\u044c \u0441 \u0438\u043d\u0446\u0438\u0434\u0435\u043d\u0442\u0430\u043c\u0438 \u0418\u0411": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
"\u0421\u043e\u0441\u0442\u043e\u044f\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041e\u043f\u0443\u0431\u043b\u0438\u043a\u043e\u0432\u0430\u043d\u0430",
"\u0421\u043f\u043e\u0441\u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044f": "\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f",
"\u0421\u043f\u043e\u0441\u043e\u0431 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438": "\u041c\u0430\u043d\u0438\u043f\u0443\u043b\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u0441\u0443\u0440\u0441\u0430\u043c\u0438",
"\u0421\u0441\u044b\u043b\u043a\u0438 \u043d\u0430 \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u0438": "https://github.com/flatpak/flatpak/commit/1330662f33a55e88bfe18e76de28b7922d91a999\nhttps://github.com/flatpak/flatpak/commit/26b12484eb8a6219b9e7aa287b298a894b2f34ca\nhttps://github.com/flatpak/flatpak/commit/462fca2c666e0cd2b60d6d2593a7216a83047aaf\nhttps://github.com/flatpak/flatpak/commit/4c34815784e9ffda5733225c7d95824f96375e36\nhttps://github.com/flatpak/flatpak/commit/89ae9fe74c6d445bb1b3a40e568d77cf5de47e48\nhttps://github.com/flatpak/flatpak/commit/9766ee05b1425db397d2cf23afd24c7f6146a69f\nhttps://github.com/flatpak/flatpak/commit/a10f52a7565c549612c92b8e736a6698a53db330\nhttps://github.com/flatpak/flatpak/commit/e26ac7586c392b5eb35ff4609fe232c52523b2cf\nhttps://github.com/flatpak/flatpak/security/advisories/GHSA-67h7-w3jq-vh4q\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-41133\nhttps://security-tracker.debian.org/tracker/CVE-2021-41133\nhttps://wiki.astralinux.ru/astra-linux-se17-bulletin-2021-1126SE17\nhttps://\u043f\u043e\u0434\u0434\u0435\u0440\u0436\u043a\u0430.\u043d\u043f\u043f\u043a\u0442.\u0440\u0444/bin/view/\u041e\u0421\u043d\u043e\u0432\u0430/\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f/2.9/\nhttps://abf.rosa.ru/advisories/ROSA-SA-2024-2487\nhttps://abf.rosa.ru/advisories/ROSA-SA-2024-2487",
"\u0421\u0442\u0430\u0442\u0443\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041f\u043e\u0434\u0442\u0432\u0435\u0440\u0436\u0434\u0435\u043d\u0430 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u0435\u043c",
"\u0422\u0438\u043f \u041f\u041e": "\u041e\u043f\u0435\u0440\u0430\u0446\u0438\u043e\u043d\u043d\u0430\u044f \u0441\u0438\u0441\u0442\u0435\u043c\u0430, \u041f\u041e \u0432\u0438\u0440\u0442\u0443\u0430\u043b\u0438\u0437\u0430\u0446\u0438\u0438/\u041f\u041e \u0432\u0438\u0440\u0442\u0443\u0430\u043b\u044c\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e-\u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0433\u043e \u0441\u0440\u0435\u0434\u0441\u0442\u0432\u0430",
"\u0422\u0438\u043f \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "CWE-20",
"\u0423\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0421\u0440\u0435\u0434\u043d\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 2.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 4,6)\n\u0412\u044b\u0441\u043e\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 3.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 7,8)"
}
厂商已发布了漏洞修复程序,请及时关注更新: https://github.com/flatpak/flatpak/security/advisories/GHSA-67h7-w3jq-vh4q
| Name | ['Flatpak Flatpak <1.12.0', 'Flatpak Flatpak <1.10.4'] |
|---|---|
{
"cves": {
"cve": {
"cveNumber": "CVE-2021-41133"
}
},
"description": "Flatpak\u662f\u4e00\u5957\u7528\u4e8eLinux\u684c\u9762\u5e94\u7528\u8ba1\u7b97\u673a\u73af\u5883\u7684\u5e94\u7528\u7a0b\u5e8f\u865a\u62df\u5316\u7cfb\u7edf\u3002\n\nFlatpak 1.12.0\u548c1.10.4\u4e4b\u524d\u7248\u672c\u5b58\u5728\u8f93\u5165\u9a8c\u8bc1\u9519\u8bef\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u53ef\u76f4\u63a5\u8bbf\u95eeAF_UNIX\u5957\u63a5\u5b57\uff08\u5982Wayland\u3001Pipewire\u6216Pipewire pulse\u4f7f\u7528\u7684\u5957\u63a5\u5b57\uff09\u7684Flatpak\u5e94\u7528\u7a0b\u5e8f\u53ef\u4ee5\u6b3a\u9a97\u95e8\u6237\u548c\u5176\u4ed6\u4e3b\u673a\u64cd\u4f5c\u7cfb\u7edf\u670d\u52a1\uff0c\u4f7f\u5176\u5c06Flatpak\u5e94\u7528\u7a0b\u5e8f\u89c6\u4e3a\u666e\u901a\u7684\u3001\u975e\u6c99\u76d2\u4e3b\u673a\u64cd\u4f5c\u7cfb\u7edf\u8fdb\u7a0b\u3002\u76ee\u524d\u6ca1\u6709\u8be6\u7ec6\u6f0f\u6d1e\u7ec6\u8282\u63d0\u4f9b\u3002",
"formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://github.com/flatpak/flatpak/security/advisories/GHSA-67h7-w3jq-vh4q",
"isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
"number": "CNVD-2021-103405",
"openTime": "2021-12-30",
"patchDescription": "Flatpak\u662f\u4e00\u5957\u7528\u4e8eLinux\u684c\u9762\u5e94\u7528\u8ba1\u7b97\u673a\u73af\u5883\u7684\u5e94\u7528\u7a0b\u5e8f\u865a\u62df\u5316\u7cfb\u7edf\u3002\r\n\r\nFlatpak 1.12.0\u548c1.10.4\u4e4b\u524d\u7248\u672c\u5b58\u5728\u8f93\u5165\u9a8c\u8bc1\u9519\u8bef\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u53ef\u76f4\u63a5\u8bbf\u95eeAF_UNIX\u5957\u63a5\u5b57\uff08\u5982Wayland\u3001Pipewire\u6216Pipewire pulse\u4f7f\u7528\u7684\u5957\u63a5\u5b57\uff09\u7684Flatpak\u5e94\u7528\u7a0b\u5e8f\u53ef\u4ee5\u6b3a\u9a97\u95e8\u6237\u548c\u5176\u4ed6\u4e3b\u673a\u64cd\u4f5c\u7cfb\u7edf\u670d\u52a1\uff0c\u4f7f\u5176\u5c06Flatpak\u5e94\u7528\u7a0b\u5e8f\u89c6\u4e3a\u666e\u901a\u7684\u3001\u975e\u6c99\u76d2\u4e3b\u673a\u64cd\u4f5c\u7cfb\u7edf\u8fdb\u7a0b\u3002\u76ee\u524d\u6ca1\u6709\u8be6\u7ec6\u6f0f\u6d1e\u7ec6\u8282\u63d0\u4f9b\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
"patchName": "Flatpak\u8f93\u5165\u9a8c\u8bc1\u9519\u8bef\u6f0f\u6d1e\u7684\u8865\u4e01",
"products": {
"product": [
"Flatpak Flatpak \u003c1.12.0",
"Flatpak Flatpak \u003c1.10.4"
]
},
"referenceLink": "https://github.com/flatpak/flatpak/commit/1330662f33a55e88bfe18e76de28b7922d91a999",
"serverity": "\u4e2d",
"submitTime": "2021-10-11",
"title": "Flatpak\u8f93\u5165\u9a8c\u8bc1\u9519\u8bef\u6f0f\u6d1e"
}
FKIE_CVE-2021-41133
Vulnerability from fkie_nvd - Published: 2021-10-08 14:15 - Updated: 2024-11-21 06:25 - 7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
| Vendor | Product | Version | |
|---|---|---|---|
| flatpak | flatpak | * | |
| flatpak | flatpak | * | |
| flatpak | flatpak | * | |
| debian | debian_linux | 11.0 | |
| fedoraproject | fedora | 33 | |
| fedoraproject | fedora | 34 | |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:flatpak:flatpak:*:*:*:*:*:*:*:*",
"matchCriteriaId": "69BAD0B1-DDB3-46FE-8AEB-BF7203829E07",
"versionEndExcluding": "1.8.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:flatpak:flatpak:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E8521E68-800E-4633-9A6D-2CDDA84B77F1",
"versionEndExcluding": "1.10.4",
"versionStartIncluding": "1.10.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:flatpak:flatpak:*:*:*:*:*:*:*:*",
"matchCriteriaId": "00DC4C26-B1FD-4244-85CD-8507B0BFD961",
"versionEndExcluding": "1.12.1",
"versionStartIncluding": "1.11.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*",
"matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*",
"matchCriteriaId": "E460AA51-FCDA-46B9-AE97-E6676AA5E194",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*",
"matchCriteriaId": "A930E247-0B43-43CB-98FF-6CE7B8189835",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. In versions prior to 1.10.4 and 1.12.0, Flatpak apps with direct access to AF_UNIX sockets such as those used by Wayland, Pipewire or pipewire-pulse can trick portals and other host-OS services into treating the Flatpak app as though it was an ordinary, non-sandboxed host-OS process. They can do this by manipulating the VFS using recent mount-related syscalls that are not blocked by Flatpak\u0027s denylist seccomp filter, in order to substitute a crafted `/.flatpak-info` or make that file disappear entirely. Flatpak apps that act as clients for AF_UNIX sockets such as those used by Wayland, Pipewire or pipewire-pulse can escalate the privileges that the corresponding services will believe the Flatpak app has. Note that protocols that operate entirely over the D-Bus session bus (user bus), system bus or accessibility bus are not affected by this. This is due to the use of a proxy process `xdg-dbus-proxy`, whose VFS cannot be manipulated by the Flatpak app, when interacting with these buses. Patches exist for versions 1.10.4 and 1.12.0, and as of time of publication, a patch for version 1.8.2 is being planned. There are no workarounds aside from upgrading to a patched version."
},
{
"lang": "es",
"value": "Flatpak es un sistema para construir, distribuir y ejecutar aplicaciones de escritorio en sandbox en Linux. En versiones anteriores a 1.10.4 y 1.12.0, las aplicaciones Flatpak con acceso directo a los sockets AF_UNIX, como los usados por Wayland, Pipewire o pipewire-pulse, pueden enga\u00f1ar a los portales y otros servicios del sistema operativo anfitri\u00f3n para que traten la aplicaci\u00f3n Flatpak como si fuera un proceso ordinario del Sistema Operativo anfitri\u00f3n sin sandbox. Pueden hacer esto al manipular el VFS usando recientes llamadas al sistema relacionadas con el montaje que no est\u00e1n bloqueadas por el filtro seccomp de Flatpak, para sustituir un \"/.flatpak-info\" dise\u00f1ado o hacer que ese archivo desaparezca por completo. Las aplicaciones Flatpak que act\u00faan como clientes de sockets AF_UNIX como los usados por Wayland, Pipewire o pipewire-pulse pueden escalar los privilegios que los servicios correspondientes creer\u00e1n que presenta la aplicaci\u00f3n Flatpak. Ten en cuenta que los protocolos que operan completamente sobre el bus de sesi\u00f3n D-Bus (bus de usuario), el bus de sistema o el bus de accesibilidad no est\u00e1n afectados por esto. Esto es debido al uso de un proceso proxy \"xdg-dbus-proxy\", cuyo VFS no puede ser manipulado por la app Flatpak, cuando interact\u00faa con estos buses. Se presentan parches para las versiones 1.10.4 y 1.12.0, y en el momento de la publicaci\u00f3n, se est\u00e1 planeando un parche para la versi\u00f3n 1.8.2. No se presentan soluciones aparte de la actualizaci\u00f3n a una versi\u00f3n parcheada"
}
],
"id": "CVE-2021-41133",
"lastModified": "2024-11-21T06:25:33.023",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 4.6,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 3.9,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.0,
"impactScore": 6.0,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-10-08T14:15:08.723",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2021/10/26/9"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/flatpak/flatpak/commit/1330662f33a55e88bfe18e76de28b7922d91a999"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/flatpak/flatpak/commit/26b12484eb8a6219b9e7aa287b298a894b2f34ca"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/flatpak/flatpak/commit/462fca2c666e0cd2b60d6d2593a7216a83047aaf"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/flatpak/flatpak/commit/4c34815784e9ffda5733225c7d95824f96375e36"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/flatpak/flatpak/commit/89ae9fe74c6d445bb1b3a40e568d77cf5de47e48"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/flatpak/flatpak/commit/9766ee05b1425db397d2cf23afd24c7f6146a69f"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/flatpak/flatpak/commit/a10f52a7565c549612c92b8e736a6698a53db330"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/flatpak/flatpak/commit/e26ac7586c392b5eb35ff4609fe232c52523b2cf"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/flatpak/flatpak/security/advisories/GHSA-67h7-w3jq-vh4q"
},
{
"source": "security-advisories@github.com",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R5656ONDP2MGKIJMKEC7N2NXCV27WGTC/"
},
{
"source": "security-advisories@github.com",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T5DKCYRC6MFSTFCUP4DELCOUUP3SFEFX/"
},
{
"source": "security-advisories@github.com",
"url": "https://security.gentoo.org/glsa/202312-12"
},
{
"source": "security-advisories@github.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.debian.org/security/2021/dsa-4984"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2021/10/26/9"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/flatpak/flatpak/commit/1330662f33a55e88bfe18e76de28b7922d91a999"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/flatpak/flatpak/commit/26b12484eb8a6219b9e7aa287b298a894b2f34ca"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/flatpak/flatpak/commit/462fca2c666e0cd2b60d6d2593a7216a83047aaf"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/flatpak/flatpak/commit/4c34815784e9ffda5733225c7d95824f96375e36"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/flatpak/flatpak/commit/89ae9fe74c6d445bb1b3a40e568d77cf5de47e48"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/flatpak/flatpak/commit/9766ee05b1425db397d2cf23afd24c7f6146a69f"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/flatpak/flatpak/commit/a10f52a7565c549612c92b8e736a6698a53db330"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/flatpak/flatpak/commit/e26ac7586c392b5eb35ff4609fe232c52523b2cf"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/flatpak/flatpak/security/advisories/GHSA-67h7-w3jq-vh4q"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R5656ONDP2MGKIJMKEC7N2NXCV27WGTC/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T5DKCYRC6MFSTFCUP4DELCOUUP3SFEFX/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://security.gentoo.org/glsa/202312-12"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.debian.org/security/2021/dsa-4984"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
GSD-2021-41133
Vulnerability from gsd - Updated: 2023-12-13 01:23
{
"GSD": {
"alias": "CVE-2021-41133",
"description": "Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. In versions prior to 1.10.4 and 1.12.0, Flatpak apps with direct access to AF_UNIX sockets such as those used by Wayland, Pipewire or pipewire-pulse can trick portals and other host-OS services into treating the Flatpak app as though it was an ordinary, non-sandboxed host-OS process. They can do this by manipulating the VFS using recent mount-related syscalls that are not blocked by Flatpak\u0027s denylist seccomp filter, in order to substitute a crafted `/.flatpak-info` or make that file disappear entirely. Flatpak apps that act as clients for AF_UNIX sockets such as those used by Wayland, Pipewire or pipewire-pulse can escalate the privileges that the corresponding services will believe the Flatpak app has. Note that protocols that operate entirely over the D-Bus session bus (user bus), system bus or accessibility bus are not affected by this. This is due to the use of a proxy process `xdg-dbus-proxy`, whose VFS cannot be manipulated by the Flatpak app, when interacting with these buses. Patches exist for versions 1.10.4 and 1.12.0, and as of time of publication, a patch for version 1.8.2 is being planned. There are no workarounds aside from upgrading to a patched version.",
"id": "GSD-2021-41133",
"references": [
"https://www.suse.com/security/cve/CVE-2021-41133.html",
"https://www.debian.org/security/2021/dsa-4984",
"https://access.redhat.com/errata/RHSA-2021:4107",
"https://access.redhat.com/errata/RHSA-2021:4106",
"https://access.redhat.com/errata/RHSA-2021:4044",
"https://access.redhat.com/errata/RHSA-2021:4042",
"https://ubuntu.com/security/CVE-2021-41133",
"https://advisories.mageia.org/CVE-2021-41133.html",
"https://security.archlinux.org/CVE-2021-41133",
"https://linux.oracle.com/cve/CVE-2021-41133.html"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2021-41133"
],
"details": "Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. In versions prior to 1.10.4 and 1.12.0, Flatpak apps with direct access to AF_UNIX sockets such as those used by Wayland, Pipewire or pipewire-pulse can trick portals and other host-OS services into treating the Flatpak app as though it was an ordinary, non-sandboxed host-OS process. They can do this by manipulating the VFS using recent mount-related syscalls that are not blocked by Flatpak\u0027s denylist seccomp filter, in order to substitute a crafted `/.flatpak-info` or make that file disappear entirely. Flatpak apps that act as clients for AF_UNIX sockets such as those used by Wayland, Pipewire or pipewire-pulse can escalate the privileges that the corresponding services will believe the Flatpak app has. Note that protocols that operate entirely over the D-Bus session bus (user bus), system bus or accessibility bus are not affected by this. This is due to the use of a proxy process `xdg-dbus-proxy`, whose VFS cannot be manipulated by the Flatpak app, when interacting with these buses. Patches exist for versions 1.10.4 and 1.12.0, and as of time of publication, a patch for version 1.8.2 is being planned. There are no workarounds aside from upgrading to a patched version.",
"id": "GSD-2021-41133",
"modified": "2023-12-13T01:23:27.200341Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-41133",
"STATE": "PUBLIC",
"TITLE": "Sandbox bypass via recent VFS-manipulating syscalls"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "flatpak",
"version": {
"version_data": [
{
"version_value": "\u003e= 1.8.0, \u003c= 1.8.2"
},
{
"version_value": "\u003e= 1.10.0, \u003c 1.10.4"
},
{
"version_value": "\u003e= 1.11.0, \u003c 1.12.0"
}
]
}
}
]
},
"vendor_name": "flatpak"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. In versions prior to 1.10.4 and 1.12.0, Flatpak apps with direct access to AF_UNIX sockets such as those used by Wayland, Pipewire or pipewire-pulse can trick portals and other host-OS services into treating the Flatpak app as though it was an ordinary, non-sandboxed host-OS process. They can do this by manipulating the VFS using recent mount-related syscalls that are not blocked by Flatpak\u0027s denylist seccomp filter, in order to substitute a crafted `/.flatpak-info` or make that file disappear entirely. Flatpak apps that act as clients for AF_UNIX sockets such as those used by Wayland, Pipewire or pipewire-pulse can escalate the privileges that the corresponding services will believe the Flatpak app has. Note that protocols that operate entirely over the D-Bus session bus (user bus), system bus or accessibility bus are not affected by this. This is due to the use of a proxy process `xdg-dbus-proxy`, whose VFS cannot be manipulated by the Flatpak app, when interacting with these buses. Patches exist for versions 1.10.4 and 1.12.0, and as of time of publication, a patch for version 1.8.2 is being planned. There are no workarounds aside from upgrading to a patched version."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-20: Improper Input Validation"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/flatpak/flatpak/security/advisories/GHSA-67h7-w3jq-vh4q",
"refsource": "CONFIRM",
"url": "https://github.com/flatpak/flatpak/security/advisories/GHSA-67h7-w3jq-vh4q"
},
{
"name": "https://github.com/flatpak/flatpak/commit/1330662f33a55e88bfe18e76de28b7922d91a999",
"refsource": "MISC",
"url": "https://github.com/flatpak/flatpak/commit/1330662f33a55e88bfe18e76de28b7922d91a999"
},
{
"name": "https://github.com/flatpak/flatpak/commit/26b12484eb8a6219b9e7aa287b298a894b2f34ca",
"refsource": "MISC",
"url": "https://github.com/flatpak/flatpak/commit/26b12484eb8a6219b9e7aa287b298a894b2f34ca"
},
{
"name": "https://github.com/flatpak/flatpak/commit/462fca2c666e0cd2b60d6d2593a7216a83047aaf",
"refsource": "MISC",
"url": "https://github.com/flatpak/flatpak/commit/462fca2c666e0cd2b60d6d2593a7216a83047aaf"
},
{
"name": "https://github.com/flatpak/flatpak/commit/4c34815784e9ffda5733225c7d95824f96375e36",
"refsource": "MISC",
"url": "https://github.com/flatpak/flatpak/commit/4c34815784e9ffda5733225c7d95824f96375e36"
},
{
"name": "https://github.com/flatpak/flatpak/commit/89ae9fe74c6d445bb1b3a40e568d77cf5de47e48",
"refsource": "MISC",
"url": "https://github.com/flatpak/flatpak/commit/89ae9fe74c6d445bb1b3a40e568d77cf5de47e48"
},
{
"name": "https://github.com/flatpak/flatpak/commit/9766ee05b1425db397d2cf23afd24c7f6146a69f",
"refsource": "MISC",
"url": "https://github.com/flatpak/flatpak/commit/9766ee05b1425db397d2cf23afd24c7f6146a69f"
},
{
"name": "https://github.com/flatpak/flatpak/commit/a10f52a7565c549612c92b8e736a6698a53db330",
"refsource": "MISC",
"url": "https://github.com/flatpak/flatpak/commit/a10f52a7565c549612c92b8e736a6698a53db330"
},
{
"name": "https://github.com/flatpak/flatpak/commit/e26ac7586c392b5eb35ff4609fe232c52523b2cf",
"refsource": "MISC",
"url": "https://github.com/flatpak/flatpak/commit/e26ac7586c392b5eb35ff4609fe232c52523b2cf"
},
{
"name": "FEDORA-2021-4b201d15e6",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/R5656ONDP2MGKIJMKEC7N2NXCV27WGTC/"
},
{
"name": "DSA-4984",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2021/dsa-4984"
},
{
"name": "[oss-security] 20211026 WebKitGTK and WPE WebKit Security Advisory WSA-2021-0006",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2021/10/26/9"
},
{
"name": "FEDORA-2021-c5a9c85737",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T5DKCYRC6MFSTFCUP4DELCOUUP3SFEFX/"
},
{
"name": "GLSA-202312-12",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/202312-12"
}
]
},
"source": {
"advisory": "GHSA-67h7-w3jq-vh4q",
"discovery": "UNKNOWN"
}
},
"nvd.nist.gov": {
"cve": {
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:flatpak:flatpak:*:*:*:*:*:*:*:*",
"matchCriteriaId": "69BAD0B1-DDB3-46FE-8AEB-BF7203829E07",
"versionEndExcluding": "1.8.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:flatpak:flatpak:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E8521E68-800E-4633-9A6D-2CDDA84B77F1",
"versionEndExcluding": "1.10.4",
"versionStartIncluding": "1.10.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:flatpak:flatpak:*:*:*:*:*:*:*:*",
"matchCriteriaId": "00DC4C26-B1FD-4244-85CD-8507B0BFD961",
"versionEndExcluding": "1.12.1",
"versionStartIncluding": "1.11.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*",
"matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*",
"matchCriteriaId": "E460AA51-FCDA-46B9-AE97-E6676AA5E194",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*",
"matchCriteriaId": "A930E247-0B43-43CB-98FF-6CE7B8189835",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. In versions prior to 1.10.4 and 1.12.0, Flatpak apps with direct access to AF_UNIX sockets such as those used by Wayland, Pipewire or pipewire-pulse can trick portals and other host-OS services into treating the Flatpak app as though it was an ordinary, non-sandboxed host-OS process. They can do this by manipulating the VFS using recent mount-related syscalls that are not blocked by Flatpak\u0027s denylist seccomp filter, in order to substitute a crafted `/.flatpak-info` or make that file disappear entirely. Flatpak apps that act as clients for AF_UNIX sockets such as those used by Wayland, Pipewire or pipewire-pulse can escalate the privileges that the corresponding services will believe the Flatpak app has. Note that protocols that operate entirely over the D-Bus session bus (user bus), system bus or accessibility bus are not affected by this. This is due to the use of a proxy process `xdg-dbus-proxy`, whose VFS cannot be manipulated by the Flatpak app, when interacting with these buses. Patches exist for versions 1.10.4 and 1.12.0, and as of time of publication, a patch for version 1.8.2 is being planned. There are no workarounds aside from upgrading to a patched version."
},
{
"lang": "es",
"value": "Flatpak es un sistema para construir, distribuir y ejecutar aplicaciones de escritorio en sandbox en Linux. En versiones anteriores a 1.10.4 y 1.12.0, las aplicaciones Flatpak con acceso directo a los sockets AF_UNIX, como los usados por Wayland, Pipewire o pipewire-pulse, pueden enga\u00f1ar a los portales y otros servicios del sistema operativo anfitri\u00f3n para que traten la aplicaci\u00f3n Flatpak como si fuera un proceso ordinario del Sistema Operativo anfitri\u00f3n sin sandbox. Pueden hacer esto al manipular el VFS usando recientes llamadas al sistema relacionadas con el montaje que no est\u00e1n bloqueadas por el filtro seccomp de Flatpak, para sustituir un \"/.flatpak-info\" dise\u00f1ado o hacer que ese archivo desaparezca por completo. Las aplicaciones Flatpak que act\u00faan como clientes de sockets AF_UNIX como los usados por Wayland, Pipewire o pipewire-pulse pueden escalar los privilegios que los servicios correspondientes creer\u00e1n que presenta la aplicaci\u00f3n Flatpak. Ten en cuenta que los protocolos que operan completamente sobre el bus de sesi\u00f3n D-Bus (bus de usuario), el bus de sistema o el bus de accesibilidad no est\u00e1n afectados por esto. Esto es debido al uso de un proceso proxy \"xdg-dbus-proxy\", cuyo VFS no puede ser manipulado por la app Flatpak, cuando interact\u00faa con estos buses. Se presentan parches para las versiones 1.10.4 y 1.12.0, y en el momento de la publicaci\u00f3n, se est\u00e1 planeando un parche para la versi\u00f3n 1.8.2. No se presentan soluciones aparte de la actualizaci\u00f3n a una versi\u00f3n parcheada"
}
],
"id": "CVE-2021-41133",
"lastModified": "2023-12-23T10:15:08.590",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 4.6,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 3.9,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.0,
"impactScore": 6.0,
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2021-10-08T14:15:08.723",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2021/10/26/9"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/flatpak/flatpak/commit/1330662f33a55e88bfe18e76de28b7922d91a999"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/flatpak/flatpak/commit/26b12484eb8a6219b9e7aa287b298a894b2f34ca"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/flatpak/flatpak/commit/462fca2c666e0cd2b60d6d2593a7216a83047aaf"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/flatpak/flatpak/commit/4c34815784e9ffda5733225c7d95824f96375e36"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/flatpak/flatpak/commit/89ae9fe74c6d445bb1b3a40e568d77cf5de47e48"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/flatpak/flatpak/commit/9766ee05b1425db397d2cf23afd24c7f6146a69f"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/flatpak/flatpak/commit/a10f52a7565c549612c92b8e736a6698a53db330"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/flatpak/flatpak/commit/e26ac7586c392b5eb35ff4609fe232c52523b2cf"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/flatpak/flatpak/security/advisories/GHSA-67h7-w3jq-vh4q"
},
{
"source": "security-advisories@github.com",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R5656ONDP2MGKIJMKEC7N2NXCV27WGTC/"
},
{
"source": "security-advisories@github.com",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T5DKCYRC6MFSTFCUP4DELCOUUP3SFEFX/"
},
{
"source": "security-advisories@github.com",
"url": "https://security.gentoo.org/glsa/202312-12"
},
{
"source": "security-advisories@github.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.debian.org/security/2021/dsa-4984"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
}
}
}
OPENSUSE-SU-2021:1400-1
Vulnerability from csaf_opensuse - Published: 2021-10-31 14:52 - Updated: 2021-10-31 14:52

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 15.2:flatpak-1.10.5-lp152.3.9.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.2:flatpak-devel-1.10.5-lp152.3.9.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.2:flatpak-zsh-completion-1.10.5-lp152.3.9.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.2:libflatpak0-1.10.5-lp152.3.9.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.2:system-user-flatpak-1.10.5-lp152.3.9.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.2:typelib-1_0-Flatpak-1_0-1.10.5-lp152.3.9.1.x86_64 | — | | Vendor Fix |
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for flatpak",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for flatpak fixes the following issues:\n\n- Update to version 1.10.5:\n- CVE-2021-41133: Fixed a bug that could lead to sandbox bypass via recent VFS-manipulating syscalls. (bsc#1191507)\n\nThis update was imported from the SUSE:SLE-15-SP2:Update update project.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-2021-1400",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2021_1400-1.json"
},
{
"category": "self",
"summary": "URL for openSUSE-SU-2021:1400-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/O63MYUSWLBDBHWT5CBFN7YN5WUMCT6NS/"
},
{
"category": "self",
"summary": "E-Mail link for openSUSE-SU-2021:1400-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/O63MYUSWLBDBHWT5CBFN7YN5WUMCT6NS/"
},
{
"category": "self",
"summary": "SUSE Bug 1191507",
"url": "https://bugzilla.suse.com/1191507"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2021-41133 page",
"url": "https://www.suse.com/security/cve/CVE-2021-41133/"
}
],
"title": "Security update for flatpak",
"tracking": {
"current_release_date": "2021-10-31T14:52:37Z",
"generator": {
"date": "2021-10-31T14:52:37Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2021:1400-1",
"initial_release_date": "2021-10-31T14:52:37Z",
"revision_history": [
{
"date": "2021-10-31T14:52:37Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "flatpak-1.10.5-lp152.3.9.1.x86_64",
"product": {
"name": "flatpak-1.10.5-lp152.3.9.1.x86_64",
"product_id": "flatpak-1.10.5-lp152.3.9.1.x86_64"
}
},
{
"category": "product_version",
"name": "flatpak-devel-1.10.5-lp152.3.9.1.x86_64",
"product": {
"name": "flatpak-devel-1.10.5-lp152.3.9.1.x86_64",
"product_id": "flatpak-devel-1.10.5-lp152.3.9.1.x86_64"
}
},
{
"category": "product_version",
"name": "flatpak-zsh-completion-1.10.5-lp152.3.9.1.x86_64",
"product": {
"name": "flatpak-zsh-completion-1.10.5-lp152.3.9.1.x86_64",
"product_id": "flatpak-zsh-completion-1.10.5-lp152.3.9.1.x86_64"
}
},
{
"category": "product_version",
"name": "libflatpak0-1.10.5-lp152.3.9.1.x86_64",
"product": {
"name": "libflatpak0-1.10.5-lp152.3.9.1.x86_64",
"product_id": "libflatpak0-1.10.5-lp152.3.9.1.x86_64"
}
},
{
"category": "product_version",
"name": "system-user-flatpak-1.10.5-lp152.3.9.1.x86_64",
"product": {
"name": "system-user-flatpak-1.10.5-lp152.3.9.1.x86_64",
"product_id": "system-user-flatpak-1.10.5-lp152.3.9.1.x86_64"
}
},
{
"category": "product_version",
"name": "typelib-1_0-Flatpak-1_0-1.10.5-lp152.3.9.1.x86_64",
"product": {
"name": "typelib-1_0-Flatpak-1_0-1.10.5-lp152.3.9.1.x86_64",
"product_id": "typelib-1_0-Flatpak-1_0-1.10.5-lp152.3.9.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Leap 15.2",
"product": {
"name": "openSUSE Leap 15.2",
"product_id": "openSUSE Leap 15.2",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:leap:15.2"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "flatpak-1.10.5-lp152.3.9.1.x86_64 as component of openSUSE Leap 15.2",
"product_id": "openSUSE Leap 15.2:flatpak-1.10.5-lp152.3.9.1.x86_64"
},
"product_reference": "flatpak-1.10.5-lp152.3.9.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "flatpak-devel-1.10.5-lp152.3.9.1.x86_64 as component of openSUSE Leap 15.2",
"product_id": "openSUSE Leap 15.2:flatpak-devel-1.10.5-lp152.3.9.1.x86_64"
},
"product_reference": "flatpak-devel-1.10.5-lp152.3.9.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "flatpak-zsh-completion-1.10.5-lp152.3.9.1.x86_64 as component of openSUSE Leap 15.2",
"product_id": "openSUSE Leap 15.2:flatpak-zsh-completion-1.10.5-lp152.3.9.1.x86_64"
},
"product_reference": "flatpak-zsh-completion-1.10.5-lp152.3.9.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libflatpak0-1.10.5-lp152.3.9.1.x86_64 as component of openSUSE Leap 15.2",
"product_id": "openSUSE Leap 15.2:libflatpak0-1.10.5-lp152.3.9.1.x86_64"
},
"product_reference": "libflatpak0-1.10.5-lp152.3.9.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "system-user-flatpak-1.10.5-lp152.3.9.1.x86_64 as component of openSUSE Leap 15.2",
"product_id": "openSUSE Leap 15.2:system-user-flatpak-1.10.5-lp152.3.9.1.x86_64"
},
"product_reference": "system-user-flatpak-1.10.5-lp152.3.9.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "typelib-1_0-Flatpak-1_0-1.10.5-lp152.3.9.1.x86_64 as component of openSUSE Leap 15.2",
"product_id": "openSUSE Leap 15.2:typelib-1_0-Flatpak-1_0-1.10.5-lp152.3.9.1.x86_64"
},
"product_reference": "typelib-1_0-Flatpak-1_0-1.10.5-lp152.3.9.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.2"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2021-41133",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2021-41133"
}
],
"notes": [
{
"category": "general",
"text": "Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. In versions prior to 1.10.4 and 1.12.0, Flatpak apps with direct access to AF_UNIX sockets such as those used by Wayland, Pipewire or pipewire-pulse can trick portals and other host-OS services into treating the Flatpak app as though it was an ordinary, non-sandboxed host-OS process. They can do this by manipulating the VFS using recent mount-related syscalls that are not blocked by Flatpak\u0027s denylist seccomp filter, in order to substitute a crafted `/.flatpak-info` or make that file disappear entirely. Flatpak apps that act as clients for AF_UNIX sockets such as those used by Wayland, Pipewire or pipewire-pulse can escalate the privileges that the corresponding services will believe the Flatpak app has. Note that protocols that operate entirely over the D-Bus session bus (user bus), system bus or accessibility bus are not affected by this. This is due to the use of a proxy process `xdg-dbus-proxy`, whose VFS cannot be manipulated by the Flatpak app, when interacting with these buses. Patches exist for versions 1.10.4 and 1.12.0, and as of time of publication, a patch for version 1.8.2 is being planned. There are no workarounds aside from upgrading to a patched version.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 15.2:flatpak-1.10.5-lp152.3.9.1.x86_64",
"openSUSE Leap 15.2:flatpak-devel-1.10.5-lp152.3.9.1.x86_64",
"openSUSE Leap 15.2:flatpak-zsh-completion-1.10.5-lp152.3.9.1.x86_64",
"openSUSE Leap 15.2:libflatpak0-1.10.5-lp152.3.9.1.x86_64",
"openSUSE Leap 15.2:system-user-flatpak-1.10.5-lp152.3.9.1.x86_64",
"openSUSE Leap 15.2:typelib-1_0-Flatpak-1_0-1.10.5-lp152.3.9.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2021-41133",
"url": "https://www.suse.com/security/cve/CVE-2021-41133"
},
{
"category": "external",
"summary": "SUSE Bug 1191507 for CVE-2021-41133",
"url": "https://bugzilla.suse.com/1191507"
},
{
"category": "external",
"summary": "SUSE Bug 1191937 for CVE-2021-41133",
"url": "https://bugzilla.suse.com/1191937"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 15.2:flatpak-1.10.5-lp152.3.9.1.x86_64",
"openSUSE Leap 15.2:flatpak-devel-1.10.5-lp152.3.9.1.x86_64",
"openSUSE Leap 15.2:flatpak-zsh-completion-1.10.5-lp152.3.9.1.x86_64",
"openSUSE Leap 15.2:libflatpak0-1.10.5-lp152.3.9.1.x86_64",
"openSUSE Leap 15.2:system-user-flatpak-1.10.5-lp152.3.9.1.x86_64",
"openSUSE Leap 15.2:typelib-1_0-Flatpak-1_0-1.10.5-lp152.3.9.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Leap 15.2:flatpak-1.10.5-lp152.3.9.1.x86_64",
"openSUSE Leap 15.2:flatpak-devel-1.10.5-lp152.3.9.1.x86_64",
"openSUSE Leap 15.2:flatpak-zsh-completion-1.10.5-lp152.3.9.1.x86_64",
"openSUSE Leap 15.2:libflatpak0-1.10.5-lp152.3.9.1.x86_64",
"openSUSE Leap 15.2:system-user-flatpak-1.10.5-lp152.3.9.1.x86_64",
"openSUSE Leap 15.2:typelib-1_0-Flatpak-1_0-1.10.5-lp152.3.9.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2021-10-31T14:52:37Z",
"details": "important"
}
],
"title": "CVE-2021-41133"
}
]
}
OPENSUSE-SU-2021:3472-1
Vulnerability from csaf_opensuse - Published: 2021-10-20 06:40 - Updated: 2021-10-20 06:40

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 15.3:flatpak-1.10.5-4.9.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.3:flatpak-1.10.5-4.9.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.3:flatpak-1.10.5-4.9.1.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.3:flatpak-1.10.5-4.9.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.3:flatpak-devel-1.10.5-4.9.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.3:flatpak-devel-1.10.5-4.9.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.3:flatpak-devel-1.10.5-4.9.1.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.3:flatpak-devel-1.10.5-4.9.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.3:flatpak-zsh-completion-1.10.5-4.9.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.3:flatpak-zsh-completion-1.10.5-4.9.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.3:flatpak-zsh-completion-1.10.5-4.9.1.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.3:flatpak-zsh-completion-1.10.5-4.9.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.3:libflatpak0-1.10.5-4.9.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.3:libflatpak0-1.10.5-4.9.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.3:libflatpak0-1.10.5-4.9.1.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.3:libflatpak0-1.10.5-4.9.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.3:system-user-flatpak-1.10.5-4.9.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.3:system-user-flatpak-1.10.5-4.9.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.3:system-user-flatpak-1.10.5-4.9.1.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.3:system-user-flatpak-1.10.5-4.9.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.3:typelib-1_0-Flatpak-1_0-1.10.5-4.9.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.3:typelib-1_0-Flatpak-1_0-1.10.5-4.9.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.3:typelib-1_0-Flatpak-1_0-1.10.5-4.9.1.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.3:typelib-1_0-Flatpak-1_0-1.10.5-4.9.1.x86_64 | — | | Vendor Fix |
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for flatpak",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for flatpak fixes the following issues:\n\n- Update to version 1.10.5:\n- CVE-2021-41133: Fixed a bug that could lead to sandbox bypass via recent VFS-manipulating syscalls. (bsc#1191507)\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-SLE-15.3-2021-3472",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2021_3472-1.json"
},
{
"category": "self",
"summary": "URL for openSUSE-SU-2021:3472-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/QXL4FA3WICXGFNYWHOG3GKOXZERBN6TL/"
},
{
"category": "self",
"summary": "E-Mail link for openSUSE-SU-2021:3472-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/QXL4FA3WICXGFNYWHOG3GKOXZERBN6TL/"
},
{
"category": "self",
"summary": "SUSE Bug 1191507",
"url": "https://bugzilla.suse.com/1191507"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2021-41133 page",
"url": "https://www.suse.com/security/cve/CVE-2021-41133/"
}
],
"title": "Security update for flatpak",
"tracking": {
"current_release_date": "2021-10-20T06:40:50Z",
"generator": {
"date": "2021-10-20T06:40:50Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2021:3472-1",
"initial_release_date": "2021-10-20T06:40:50Z",
"revision_history": [
{
"date": "2021-10-20T06:40:50Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "flatpak-1.10.5-4.9.1.aarch64",
"product": {
"name": "flatpak-1.10.5-4.9.1.aarch64",
"product_id": "flatpak-1.10.5-4.9.1.aarch64"
}
},
{
"category": "product_version",
"name": "flatpak-devel-1.10.5-4.9.1.aarch64",
"product": {
"name": "flatpak-devel-1.10.5-4.9.1.aarch64",
"product_id": "flatpak-devel-1.10.5-4.9.1.aarch64"
}
},
{
"category": "product_version",
"name": "flatpak-zsh-completion-1.10.5-4.9.1.aarch64",
"product": {
"name": "flatpak-zsh-completion-1.10.5-4.9.1.aarch64",
"product_id": "flatpak-zsh-completion-1.10.5-4.9.1.aarch64"
}
},
{
"category": "product_version",
"name": "libflatpak0-1.10.5-4.9.1.aarch64",
"product": {
"name": "libflatpak0-1.10.5-4.9.1.aarch64",
"product_id": "libflatpak0-1.10.5-4.9.1.aarch64"
}
},
{
"category": "product_version",
"name": "system-user-flatpak-1.10.5-4.9.1.aarch64",
"product": {
"name": "system-user-flatpak-1.10.5-4.9.1.aarch64",
"product_id": "system-user-flatpak-1.10.5-4.9.1.aarch64"
}
},
{
"category": "product_version",
"name": "typelib-1_0-Flatpak-1_0-1.10.5-4.9.1.aarch64",
"product": {
"name": "typelib-1_0-Flatpak-1_0-1.10.5-4.9.1.aarch64",
"product_id": "typelib-1_0-Flatpak-1_0-1.10.5-4.9.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "flatpak-1.10.5-4.9.1.ppc64le",
"product": {
"name": "flatpak-1.10.5-4.9.1.ppc64le",
"product_id": "flatpak-1.10.5-4.9.1.ppc64le"
}
},
{
"category": "product_version",
"name": "flatpak-devel-1.10.5-4.9.1.ppc64le",
"product": {
"name": "flatpak-devel-1.10.5-4.9.1.ppc64le",
"product_id": "flatpak-devel-1.10.5-4.9.1.ppc64le"
}
},
{
"category": "product_version",
"name": "flatpak-zsh-completion-1.10.5-4.9.1.ppc64le",
"product": {
"name": "flatpak-zsh-completion-1.10.5-4.9.1.ppc64le",
"product_id": "flatpak-zsh-completion-1.10.5-4.9.1.ppc64le"
}
},
{
"category": "product_version",
"name": "libflatpak0-1.10.5-4.9.1.ppc64le",
"product": {
"name": "libflatpak0-1.10.5-4.9.1.ppc64le",
"product_id": "libflatpak0-1.10.5-4.9.1.ppc64le"
}
},
{
"category": "product_version",
"name": "system-user-flatpak-1.10.5-4.9.1.ppc64le",
"product": {
"name": "system-user-flatpak-1.10.5-4.9.1.ppc64le",
"product_id": "system-user-flatpak-1.10.5-4.9.1.ppc64le"
}
},
{
"category": "product_version",
"name": "typelib-1_0-Flatpak-1_0-1.10.5-4.9.1.ppc64le",
"product": {
"name": "typelib-1_0-Flatpak-1_0-1.10.5-4.9.1.ppc64le",
"product_id": "typelib-1_0-Flatpak-1_0-1.10.5-4.9.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "flatpak-1.10.5-4.9.1.s390x",
"product": {
"name": "flatpak-1.10.5-4.9.1.s390x",
"product_id": "flatpak-1.10.5-4.9.1.s390x"
}
},
{
"category": "product_version",
"name": "flatpak-devel-1.10.5-4.9.1.s390x",
"product": {
"name": "flatpak-devel-1.10.5-4.9.1.s390x",
"product_id": "flatpak-devel-1.10.5-4.9.1.s390x"
}
},
{
"category": "product_version",
"name": "flatpak-zsh-completion-1.10.5-4.9.1.s390x",
"product": {
"name": "flatpak-zsh-completion-1.10.5-4.9.1.s390x",
"product_id": "flatpak-zsh-completion-1.10.5-4.9.1.s390x"
}
},
{
"category": "product_version",
"name": "libflatpak0-1.10.5-4.9.1.s390x",
"product": {
"name": "libflatpak0-1.10.5-4.9.1.s390x",
"product_id": "libflatpak0-1.10.5-4.9.1.s390x"
}
},
{
"category": "product_version",
"name": "system-user-flatpak-1.10.5-4.9.1.s390x",
"product": {
"name": "system-user-flatpak-1.10.5-4.9.1.s390x",
"product_id": "system-user-flatpak-1.10.5-4.9.1.s390x"
}
},
{
"category": "product_version",
"name": "typelib-1_0-Flatpak-1_0-1.10.5-4.9.1.s390x",
"product": {
"name": "typelib-1_0-Flatpak-1_0-1.10.5-4.9.1.s390x",
"product_id": "typelib-1_0-Flatpak-1_0-1.10.5-4.9.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "flatpak-1.10.5-4.9.1.x86_64",
"product": {
"name": "flatpak-1.10.5-4.9.1.x86_64",
"product_id": "flatpak-1.10.5-4.9.1.x86_64"
}
},
{
"category": "product_version",
"name": "flatpak-devel-1.10.5-4.9.1.x86_64",
"product": {
"name": "flatpak-devel-1.10.5-4.9.1.x86_64",
"product_id": "flatpak-devel-1.10.5-4.9.1.x86_64"
}
},
{
"category": "product_version",
"name": "flatpak-zsh-completion-1.10.5-4.9.1.x86_64",
"product": {
"name": "flatpak-zsh-completion-1.10.5-4.9.1.x86_64",
"product_id": "flatpak-zsh-completion-1.10.5-4.9.1.x86_64"
}
},
{
"category": "product_version",
"name": "libflatpak0-1.10.5-4.9.1.x86_64",
"product": {
"name": "libflatpak0-1.10.5-4.9.1.x86_64",
"product_id": "libflatpak0-1.10.5-4.9.1.x86_64"
}
},
{
"category": "product_version",
"name": "system-user-flatpak-1.10.5-4.9.1.x86_64",
"product": {
"name": "system-user-flatpak-1.10.5-4.9.1.x86_64",
"product_id": "system-user-flatpak-1.10.5-4.9.1.x86_64"
}
},
{
"category": "product_version",
"name": "typelib-1_0-Flatpak-1_0-1.10.5-4.9.1.x86_64",
"product": {
"name": "typelib-1_0-Flatpak-1_0-1.10.5-4.9.1.x86_64",
"product_id": "typelib-1_0-Flatpak-1_0-1.10.5-4.9.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Leap 15.3",
"product": {
"name": "openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:leap:15.3"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "flatpak-1.10.5-4.9.1.aarch64 as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:flatpak-1.10.5-4.9.1.aarch64"
},
"product_reference": "flatpak-1.10.5-4.9.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "flatpak-1.10.5-4.9.1.ppc64le as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:flatpak-1.10.5-4.9.1.ppc64le"
},
"product_reference": "flatpak-1.10.5-4.9.1.ppc64le",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "flatpak-1.10.5-4.9.1.s390x as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:flatpak-1.10.5-4.9.1.s390x"
},
"product_reference": "flatpak-1.10.5-4.9.1.s390x",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "flatpak-1.10.5-4.9.1.x86_64 as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:flatpak-1.10.5-4.9.1.x86_64"
},
"product_reference": "flatpak-1.10.5-4.9.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "flatpak-devel-1.10.5-4.9.1.aarch64 as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:flatpak-devel-1.10.5-4.9.1.aarch64"
},
"product_reference": "flatpak-devel-1.10.5-4.9.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "flatpak-devel-1.10.5-4.9.1.ppc64le as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:flatpak-devel-1.10.5-4.9.1.ppc64le"
},
"product_reference": "flatpak-devel-1.10.5-4.9.1.ppc64le",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "flatpak-devel-1.10.5-4.9.1.s390x as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:flatpak-devel-1.10.5-4.9.1.s390x"
},
"product_reference": "flatpak-devel-1.10.5-4.9.1.s390x",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "flatpak-devel-1.10.5-4.9.1.x86_64 as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:flatpak-devel-1.10.5-4.9.1.x86_64"
},
"product_reference": "flatpak-devel-1.10.5-4.9.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "flatpak-zsh-completion-1.10.5-4.9.1.aarch64 as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:flatpak-zsh-completion-1.10.5-4.9.1.aarch64"
},
"product_reference": "flatpak-zsh-completion-1.10.5-4.9.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "flatpak-zsh-completion-1.10.5-4.9.1.ppc64le as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:flatpak-zsh-completion-1.10.5-4.9.1.ppc64le"
},
"product_reference": "flatpak-zsh-completion-1.10.5-4.9.1.ppc64le",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "flatpak-zsh-completion-1.10.5-4.9.1.s390x as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:flatpak-zsh-completion-1.10.5-4.9.1.s390x"
},
"product_reference": "flatpak-zsh-completion-1.10.5-4.9.1.s390x",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "flatpak-zsh-completion-1.10.5-4.9.1.x86_64 as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:flatpak-zsh-completion-1.10.5-4.9.1.x86_64"
},
"product_reference": "flatpak-zsh-completion-1.10.5-4.9.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libflatpak0-1.10.5-4.9.1.aarch64 as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:libflatpak0-1.10.5-4.9.1.aarch64"
},
"product_reference": "libflatpak0-1.10.5-4.9.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libflatpak0-1.10.5-4.9.1.ppc64le as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:libflatpak0-1.10.5-4.9.1.ppc64le"
},
"product_reference": "libflatpak0-1.10.5-4.9.1.ppc64le",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libflatpak0-1.10.5-4.9.1.s390x as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:libflatpak0-1.10.5-4.9.1.s390x"
},
"product_reference": "libflatpak0-1.10.5-4.9.1.s390x",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libflatpak0-1.10.5-4.9.1.x86_64 as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:libflatpak0-1.10.5-4.9.1.x86_64"
},
"product_reference": "libflatpak0-1.10.5-4.9.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "system-user-flatpak-1.10.5-4.9.1.aarch64 as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:system-user-flatpak-1.10.5-4.9.1.aarch64"
},
"product_reference": "system-user-flatpak-1.10.5-4.9.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "system-user-flatpak-1.10.5-4.9.1.ppc64le as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:system-user-flatpak-1.10.5-4.9.1.ppc64le"
},
"product_reference": "system-user-flatpak-1.10.5-4.9.1.ppc64le",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "system-user-flatpak-1.10.5-4.9.1.s390x as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:system-user-flatpak-1.10.5-4.9.1.s390x"
},
"product_reference": "system-user-flatpak-1.10.5-4.9.1.s390x",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "system-user-flatpak-1.10.5-4.9.1.x86_64 as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:system-user-flatpak-1.10.5-4.9.1.x86_64"
},
"product_reference": "system-user-flatpak-1.10.5-4.9.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "typelib-1_0-Flatpak-1_0-1.10.5-4.9.1.aarch64 as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:typelib-1_0-Flatpak-1_0-1.10.5-4.9.1.aarch64"
},
"product_reference": "typelib-1_0-Flatpak-1_0-1.10.5-4.9.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "typelib-1_0-Flatpak-1_0-1.10.5-4.9.1.ppc64le as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:typelib-1_0-Flatpak-1_0-1.10.5-4.9.1.ppc64le"
},
"product_reference": "typelib-1_0-Flatpak-1_0-1.10.5-4.9.1.ppc64le",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "typelib-1_0-Flatpak-1_0-1.10.5-4.9.1.s390x as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:typelib-1_0-Flatpak-1_0-1.10.5-4.9.1.s390x"
},
"product_reference": "typelib-1_0-Flatpak-1_0-1.10.5-4.9.1.s390x",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "typelib-1_0-Flatpak-1_0-1.10.5-4.9.1.x86_64 as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:typelib-1_0-Flatpak-1_0-1.10.5-4.9.1.x86_64"
},
"product_reference": "typelib-1_0-Flatpak-1_0-1.10.5-4.9.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.3"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2021-41133",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2021-41133"
}
],
"notes": [
{
"category": "general",
"text": "Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. In versions prior to 1.10.4 and 1.12.0, Flatpak apps with direct access to AF_UNIX sockets such as those used by Wayland, Pipewire or pipewire-pulse can trick portals and other host-OS services into treating the Flatpak app as though it was an ordinary, non-sandboxed host-OS process. They can do this by manipulating the VFS using recent mount-related syscalls that are not blocked by Flatpak\u0027s denylist seccomp filter, in order to substitute a crafted `/.flatpak-info` or make that file disappear entirely. Flatpak apps that act as clients for AF_UNIX sockets such as those used by Wayland, Pipewire or pipewire-pulse can escalate the privileges that the corresponding services will believe the Flatpak app has. Note that protocols that operate entirely over the D-Bus session bus (user bus), system bus or accessibility bus are not affected by this. This is due to the use of a proxy process `xdg-dbus-proxy`, whose VFS cannot be manipulated by the Flatpak app, when interacting with these buses. Patches exist for versions 1.10.4 and 1.12.0, and as of time of publication, a patch for version 1.8.2 is being planned. There are no workarounds aside from upgrading to a patched version.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 15.3:flatpak-1.10.5-4.9.1.aarch64",
"openSUSE Leap 15.3:flatpak-1.10.5-4.9.1.ppc64le",
"openSUSE Leap 15.3:flatpak-1.10.5-4.9.1.s390x",
"openSUSE Leap 15.3:flatpak-1.10.5-4.9.1.x86_64",
"openSUSE Leap 15.3:flatpak-devel-1.10.5-4.9.1.aarch64",
"openSUSE Leap 15.3:flatpak-devel-1.10.5-4.9.1.ppc64le",
"openSUSE Leap 15.3:flatpak-devel-1.10.5-4.9.1.s390x",
"openSUSE Leap 15.3:flatpak-devel-1.10.5-4.9.1.x86_64",
"openSUSE Leap 15.3:flatpak-zsh-completion-1.10.5-4.9.1.aarch64",
"openSUSE Leap 15.3:flatpak-zsh-completion-1.10.5-4.9.1.ppc64le",
"openSUSE Leap 15.3:flatpak-zsh-completion-1.10.5-4.9.1.s390x",
"openSUSE Leap 15.3:flatpak-zsh-completion-1.10.5-4.9.1.x86_64",
"openSUSE Leap 15.3:libflatpak0-1.10.5-4.9.1.aarch64",
"openSUSE Leap 15.3:libflatpak0-1.10.5-4.9.1.ppc64le",
"openSUSE Leap 15.3:libflatpak0-1.10.5-4.9.1.s390x",
"openSUSE Leap 15.3:libflatpak0-1.10.5-4.9.1.x86_64",
"openSUSE Leap 15.3:system-user-flatpak-1.10.5-4.9.1.aarch64",
"openSUSE Leap 15.3:system-user-flatpak-1.10.5-4.9.1.ppc64le",
"openSUSE Leap 15.3:system-user-flatpak-1.10.5-4.9.1.s390x",
"openSUSE Leap 15.3:system-user-flatpak-1.10.5-4.9.1.x86_64",
"openSUSE Leap 15.3:typelib-1_0-Flatpak-1_0-1.10.5-4.9.1.aarch64",
"openSUSE Leap 15.3:typelib-1_0-Flatpak-1_0-1.10.5-4.9.1.ppc64le",
"openSUSE Leap 15.3:typelib-1_0-Flatpak-1_0-1.10.5-4.9.1.s390x",
"openSUSE Leap 15.3:typelib-1_0-Flatpak-1_0-1.10.5-4.9.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2021-41133",
"url": "https://www.suse.com/security/cve/CVE-2021-41133"
},
{
"category": "external",
"summary": "SUSE Bug 1191507 for CVE-2021-41133",
"url": "https://bugzilla.suse.com/1191507"
},
{
"category": "external",
"summary": "SUSE Bug 1191937 for CVE-2021-41133",
"url": "https://bugzilla.suse.com/1191937"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 15.3:flatpak-1.10.5-4.9.1.aarch64",
"openSUSE Leap 15.3:flatpak-1.10.5-4.9.1.ppc64le",
"openSUSE Leap 15.3:flatpak-1.10.5-4.9.1.s390x",
"openSUSE Leap 15.3:flatpak-1.10.5-4.9.1.x86_64",
"openSUSE Leap 15.3:flatpak-devel-1.10.5-4.9.1.aarch64",
"openSUSE Leap 15.3:flatpak-devel-1.10.5-4.9.1.ppc64le",
"openSUSE Leap 15.3:flatpak-devel-1.10.5-4.9.1.s390x",
"openSUSE Leap 15.3:flatpak-devel-1.10.5-4.9.1.x86_64",
"openSUSE Leap 15.3:flatpak-zsh-completion-1.10.5-4.9.1.aarch64",
"openSUSE Leap 15.3:flatpak-zsh-completion-1.10.5-4.9.1.ppc64le",
"openSUSE Leap 15.3:flatpak-zsh-completion-1.10.5-4.9.1.s390x",
"openSUSE Leap 15.3:flatpak-zsh-completion-1.10.5-4.9.1.x86_64",
"openSUSE Leap 15.3:libflatpak0-1.10.5-4.9.1.aarch64",
"openSUSE Leap 15.3:libflatpak0-1.10.5-4.9.1.ppc64le",
"openSUSE Leap 15.3:libflatpak0-1.10.5-4.9.1.s390x",
"openSUSE Leap 15.3:libflatpak0-1.10.5-4.9.1.x86_64",
"openSUSE Leap 15.3:system-user-flatpak-1.10.5-4.9.1.aarch64",
"openSUSE Leap 15.3:system-user-flatpak-1.10.5-4.9.1.ppc64le",
"openSUSE Leap 15.3:system-user-flatpak-1.10.5-4.9.1.s390x",
"openSUSE Leap 15.3:system-user-flatpak-1.10.5-4.9.1.x86_64",
"openSUSE Leap 15.3:typelib-1_0-Flatpak-1_0-1.10.5-4.9.1.aarch64",
"openSUSE Leap 15.3:typelib-1_0-Flatpak-1_0-1.10.5-4.9.1.ppc64le",
"openSUSE Leap 15.3:typelib-1_0-Flatpak-1_0-1.10.5-4.9.1.s390x",
"openSUSE Leap 15.3:typelib-1_0-Flatpak-1_0-1.10.5-4.9.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Leap 15.3:flatpak-1.10.5-4.9.1.aarch64",
"openSUSE Leap 15.3:flatpak-1.10.5-4.9.1.ppc64le",
"openSUSE Leap 15.3:flatpak-1.10.5-4.9.1.s390x",
"openSUSE Leap 15.3:flatpak-1.10.5-4.9.1.x86_64",
"openSUSE Leap 15.3:flatpak-devel-1.10.5-4.9.1.aarch64",
"openSUSE Leap 15.3:flatpak-devel-1.10.5-4.9.1.ppc64le",
"openSUSE Leap 15.3:flatpak-devel-1.10.5-4.9.1.s390x",
"openSUSE Leap 15.3:flatpak-devel-1.10.5-4.9.1.x86_64",
"openSUSE Leap 15.3:flatpak-zsh-completion-1.10.5-4.9.1.aarch64",
"openSUSE Leap 15.3:flatpak-zsh-completion-1.10.5-4.9.1.ppc64le",
"openSUSE Leap 15.3:flatpak-zsh-completion-1.10.5-4.9.1.s390x",
"openSUSE Leap 15.3:flatpak-zsh-completion-1.10.5-4.9.1.x86_64",
"openSUSE Leap 15.3:libflatpak0-1.10.5-4.9.1.aarch64",
"openSUSE Leap 15.3:libflatpak0-1.10.5-4.9.1.ppc64le",
"openSUSE Leap 15.3:libflatpak0-1.10.5-4.9.1.s390x",
"openSUSE Leap 15.3:libflatpak0-1.10.5-4.9.1.x86_64",
"openSUSE Leap 15.3:system-user-flatpak-1.10.5-4.9.1.aarch64",
"openSUSE Leap 15.3:system-user-flatpak-1.10.5-4.9.1.ppc64le",
"openSUSE Leap 15.3:system-user-flatpak-1.10.5-4.9.1.s390x",
"openSUSE Leap 15.3:system-user-flatpak-1.10.5-4.9.1.x86_64",
"openSUSE Leap 15.3:typelib-1_0-Flatpak-1_0-1.10.5-4.9.1.aarch64",
"openSUSE Leap 15.3:typelib-1_0-Flatpak-1_0-1.10.5-4.9.1.ppc64le",
"openSUSE Leap 15.3:typelib-1_0-Flatpak-1_0-1.10.5-4.9.1.s390x",
"openSUSE Leap 15.3:typelib-1_0-Flatpak-1_0-1.10.5-4.9.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2021-10-20T06:40:50Z",
"details": "important"
}
],
"title": "CVE-2021-41133"
}
]
}
OPENSUSE-SU-2024:11574-1
Vulnerability from csaf_opensuse - Published: 2024-06-15 00:00 - Updated: 2024-06-15 00:00

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:flatpak-1.12.1-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:flatpak-1.12.1-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:flatpak-1.12.1-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:flatpak-1.12.1-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:flatpak-devel-1.12.1-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:flatpak-devel-1.12.1-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:flatpak-devel-1.12.1-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:flatpak-devel-1.12.1-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:flatpak-zsh-completion-1.12.1-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:flatpak-zsh-completion-1.12.1-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:flatpak-zsh-completion-1.12.1-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:flatpak-zsh-completion-1.12.1-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:libflatpak0-1.12.1-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:libflatpak0-1.12.1-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:libflatpak0-1.12.1-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:libflatpak0-1.12.1-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:system-user-flatpak-1.12.1-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:system-user-flatpak-1.12.1-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:system-user-flatpak-1.12.1-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:system-user-flatpak-1.12.1-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:typelib-1_0-Flatpak-1_0-1.12.1-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:typelib-1_0-Flatpak-1_0-1.12.1-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:typelib-1_0-Flatpak-1_0-1.12.1-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:typelib-1_0-Flatpak-1_0-1.12.1-1.1.x86_64 | — |
Vendor Fix
|
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "flatpak-1.12.1-1.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the flatpak-1.12.1-1.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2024-11574",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_11574-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2021-41133 page",
"url": "https://www.suse.com/security/cve/CVE-2021-41133/"
}
],
"title": "flatpak-1.12.1-1.1 on GA media",
"tracking": {
"current_release_date": "2024-06-15T00:00:00Z",
"generator": {
"date": "2024-06-15T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2024:11574-1",
"initial_release_date": "2024-06-15T00:00:00Z",
"revision_history": [
{
"date": "2024-06-15T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "flatpak-1.12.1-1.1.aarch64",
"product": {
"name": "flatpak-1.12.1-1.1.aarch64",
"product_id": "flatpak-1.12.1-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "flatpak-devel-1.12.1-1.1.aarch64",
"product": {
"name": "flatpak-devel-1.12.1-1.1.aarch64",
"product_id": "flatpak-devel-1.12.1-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "flatpak-zsh-completion-1.12.1-1.1.aarch64",
"product": {
"name": "flatpak-zsh-completion-1.12.1-1.1.aarch64",
"product_id": "flatpak-zsh-completion-1.12.1-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "libflatpak0-1.12.1-1.1.aarch64",
"product": {
"name": "libflatpak0-1.12.1-1.1.aarch64",
"product_id": "libflatpak0-1.12.1-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "system-user-flatpak-1.12.1-1.1.aarch64",
"product": {
"name": "system-user-flatpak-1.12.1-1.1.aarch64",
"product_id": "system-user-flatpak-1.12.1-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "typelib-1_0-Flatpak-1_0-1.12.1-1.1.aarch64",
"product": {
"name": "typelib-1_0-Flatpak-1_0-1.12.1-1.1.aarch64",
"product_id": "typelib-1_0-Flatpak-1_0-1.12.1-1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "flatpak-1.12.1-1.1.ppc64le",
"product": {
"name": "flatpak-1.12.1-1.1.ppc64le",
"product_id": "flatpak-1.12.1-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "flatpak-devel-1.12.1-1.1.ppc64le",
"product": {
"name": "flatpak-devel-1.12.1-1.1.ppc64le",
"product_id": "flatpak-devel-1.12.1-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "flatpak-zsh-completion-1.12.1-1.1.ppc64le",
"product": {
"name": "flatpak-zsh-completion-1.12.1-1.1.ppc64le",
"product_id": "flatpak-zsh-completion-1.12.1-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "libflatpak0-1.12.1-1.1.ppc64le",
"product": {
"name": "libflatpak0-1.12.1-1.1.ppc64le",
"product_id": "libflatpak0-1.12.1-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "system-user-flatpak-1.12.1-1.1.ppc64le",
"product": {
"name": "system-user-flatpak-1.12.1-1.1.ppc64le",
"product_id": "system-user-flatpak-1.12.1-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "typelib-1_0-Flatpak-1_0-1.12.1-1.1.ppc64le",
"product": {
"name": "typelib-1_0-Flatpak-1_0-1.12.1-1.1.ppc64le",
"product_id": "typelib-1_0-Flatpak-1_0-1.12.1-1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "flatpak-1.12.1-1.1.s390x",
"product": {
"name": "flatpak-1.12.1-1.1.s390x",
"product_id": "flatpak-1.12.1-1.1.s390x"
}
},
{
"category": "product_version",
"name": "flatpak-devel-1.12.1-1.1.s390x",
"product": {
"name": "flatpak-devel-1.12.1-1.1.s390x",
"product_id": "flatpak-devel-1.12.1-1.1.s390x"
}
},
{
"category": "product_version",
"name": "flatpak-zsh-completion-1.12.1-1.1.s390x",
"product": {
"name": "flatpak-zsh-completion-1.12.1-1.1.s390x",
"product_id": "flatpak-zsh-completion-1.12.1-1.1.s390x"
}
},
{
"category": "product_version",
"name": "libflatpak0-1.12.1-1.1.s390x",
"product": {
"name": "libflatpak0-1.12.1-1.1.s390x",
"product_id": "libflatpak0-1.12.1-1.1.s390x"
}
},
{
"category": "product_version",
"name": "system-user-flatpak-1.12.1-1.1.s390x",
"product": {
"name": "system-user-flatpak-1.12.1-1.1.s390x",
"product_id": "system-user-flatpak-1.12.1-1.1.s390x"
}
},
{
"category": "product_version",
"name": "typelib-1_0-Flatpak-1_0-1.12.1-1.1.s390x",
"product": {
"name": "typelib-1_0-Flatpak-1_0-1.12.1-1.1.s390x",
"product_id": "typelib-1_0-Flatpak-1_0-1.12.1-1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "flatpak-1.12.1-1.1.x86_64",
"product": {
"name": "flatpak-1.12.1-1.1.x86_64",
"product_id": "flatpak-1.12.1-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "flatpak-devel-1.12.1-1.1.x86_64",
"product": {
"name": "flatpak-devel-1.12.1-1.1.x86_64",
"product_id": "flatpak-devel-1.12.1-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "flatpak-zsh-completion-1.12.1-1.1.x86_64",
"product": {
"name": "flatpak-zsh-completion-1.12.1-1.1.x86_64",
"product_id": "flatpak-zsh-completion-1.12.1-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "libflatpak0-1.12.1-1.1.x86_64",
"product": {
"name": "libflatpak0-1.12.1-1.1.x86_64",
"product_id": "libflatpak0-1.12.1-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "system-user-flatpak-1.12.1-1.1.x86_64",
"product": {
"name": "system-user-flatpak-1.12.1-1.1.x86_64",
"product_id": "system-user-flatpak-1.12.1-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "typelib-1_0-Flatpak-1_0-1.12.1-1.1.x86_64",
"product": {
"name": "typelib-1_0-Flatpak-1_0-1.12.1-1.1.x86_64",
"product_id": "typelib-1_0-Flatpak-1_0-1.12.1-1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "flatpak-1.12.1-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:flatpak-1.12.1-1.1.aarch64"
},
"product_reference": "flatpak-1.12.1-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "flatpak-1.12.1-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:flatpak-1.12.1-1.1.ppc64le"
},
"product_reference": "flatpak-1.12.1-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "flatpak-1.12.1-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:flatpak-1.12.1-1.1.s390x"
},
"product_reference": "flatpak-1.12.1-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "flatpak-1.12.1-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:flatpak-1.12.1-1.1.x86_64"
},
"product_reference": "flatpak-1.12.1-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "flatpak-devel-1.12.1-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:flatpak-devel-1.12.1-1.1.aarch64"
},
"product_reference": "flatpak-devel-1.12.1-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "flatpak-devel-1.12.1-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:flatpak-devel-1.12.1-1.1.ppc64le"
},
"product_reference": "flatpak-devel-1.12.1-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "flatpak-devel-1.12.1-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:flatpak-devel-1.12.1-1.1.s390x"
},
"product_reference": "flatpak-devel-1.12.1-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "flatpak-devel-1.12.1-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:flatpak-devel-1.12.1-1.1.x86_64"
},
"product_reference": "flatpak-devel-1.12.1-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "flatpak-zsh-completion-1.12.1-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:flatpak-zsh-completion-1.12.1-1.1.aarch64"
},
"product_reference": "flatpak-zsh-completion-1.12.1-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "flatpak-zsh-completion-1.12.1-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:flatpak-zsh-completion-1.12.1-1.1.ppc64le"
},
"product_reference": "flatpak-zsh-completion-1.12.1-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "flatpak-zsh-completion-1.12.1-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:flatpak-zsh-completion-1.12.1-1.1.s390x"
},
"product_reference": "flatpak-zsh-completion-1.12.1-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "flatpak-zsh-completion-1.12.1-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:flatpak-zsh-completion-1.12.1-1.1.x86_64"
},
"product_reference": "flatpak-zsh-completion-1.12.1-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libflatpak0-1.12.1-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:libflatpak0-1.12.1-1.1.aarch64"
},
"product_reference": "libflatpak0-1.12.1-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libflatpak0-1.12.1-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:libflatpak0-1.12.1-1.1.ppc64le"
},
"product_reference": "libflatpak0-1.12.1-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libflatpak0-1.12.1-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:libflatpak0-1.12.1-1.1.s390x"
},
"product_reference": "libflatpak0-1.12.1-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libflatpak0-1.12.1-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:libflatpak0-1.12.1-1.1.x86_64"
},
"product_reference": "libflatpak0-1.12.1-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "system-user-flatpak-1.12.1-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:system-user-flatpak-1.12.1-1.1.aarch64"
},
"product_reference": "system-user-flatpak-1.12.1-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "system-user-flatpak-1.12.1-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:system-user-flatpak-1.12.1-1.1.ppc64le"
},
"product_reference": "system-user-flatpak-1.12.1-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "system-user-flatpak-1.12.1-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:system-user-flatpak-1.12.1-1.1.s390x"
},
"product_reference": "system-user-flatpak-1.12.1-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "system-user-flatpak-1.12.1-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:system-user-flatpak-1.12.1-1.1.x86_64"
},
"product_reference": "system-user-flatpak-1.12.1-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "typelib-1_0-Flatpak-1_0-1.12.1-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:typelib-1_0-Flatpak-1_0-1.12.1-1.1.aarch64"
},
"product_reference": "typelib-1_0-Flatpak-1_0-1.12.1-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "typelib-1_0-Flatpak-1_0-1.12.1-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:typelib-1_0-Flatpak-1_0-1.12.1-1.1.ppc64le"
},
"product_reference": "typelib-1_0-Flatpak-1_0-1.12.1-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "typelib-1_0-Flatpak-1_0-1.12.1-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:typelib-1_0-Flatpak-1_0-1.12.1-1.1.s390x"
},
"product_reference": "typelib-1_0-Flatpak-1_0-1.12.1-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "typelib-1_0-Flatpak-1_0-1.12.1-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:typelib-1_0-Flatpak-1_0-1.12.1-1.1.x86_64"
},
"product_reference": "typelib-1_0-Flatpak-1_0-1.12.1-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2021-41133",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2021-41133"
}
],
"notes": [
{
"category": "general",
"text": "Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. In the 1.10.x series before 1.10.4 and the 1.11.x development series before 1.12.0, a Flatpak app with direct access to AF_UNIX sockets such as those used by Wayland, PipeWire or pipewire-pulse can trick portals and other host-OS services into treating the app as though it were an ordinary, non-sandboxed host-OS process. It does this by manipulating its view of the filesystem with recent mount-related syscalls that are not blocked by Flatpak\u0027s denylist seccomp filter, in order to substitute a crafted `/.flatpak-info` or make that file disappear entirely. As a result, Flatpak apps that act as clients of such AF_UNIX sockets can escalate the privileges that the corresponding services believe the app has. Protocols that operate entirely over the D-Bus session bus (user bus), system bus or accessibility bus are not affected, because those buses are reached through the proxy process `xdg-dbus-proxy`, whose VFS the Flatpak app cannot manipulate. Patches exist for versions 1.10.4 and 1.12.0, and as of time of publication a patch for version 1.8.2 is being planned. There are no workarounds aside from upgrading to a patched version.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:flatpak-1.12.1-1.1.aarch64",
"openSUSE Tumbleweed:flatpak-1.12.1-1.1.ppc64le",
"openSUSE Tumbleweed:flatpak-1.12.1-1.1.s390x",
"openSUSE Tumbleweed:flatpak-1.12.1-1.1.x86_64",
"openSUSE Tumbleweed:flatpak-devel-1.12.1-1.1.aarch64",
"openSUSE Tumbleweed:flatpak-devel-1.12.1-1.1.ppc64le",
"openSUSE Tumbleweed:flatpak-devel-1.12.1-1.1.s390x",
"openSUSE Tumbleweed:flatpak-devel-1.12.1-1.1.x86_64",
"openSUSE Tumbleweed:flatpak-zsh-completion-1.12.1-1.1.aarch64",
"openSUSE Tumbleweed:flatpak-zsh-completion-1.12.1-1.1.ppc64le",
"openSUSE Tumbleweed:flatpak-zsh-completion-1.12.1-1.1.s390x",
"openSUSE Tumbleweed:flatpak-zsh-completion-1.12.1-1.1.x86_64",
"openSUSE Tumbleweed:libflatpak0-1.12.1-1.1.aarch64",
"openSUSE Tumbleweed:libflatpak0-1.12.1-1.1.ppc64le",
"openSUSE Tumbleweed:libflatpak0-1.12.1-1.1.s390x",
"openSUSE Tumbleweed:libflatpak0-1.12.1-1.1.x86_64",
"openSUSE Tumbleweed:system-user-flatpak-1.12.1-1.1.aarch64",
"openSUSE Tumbleweed:system-user-flatpak-1.12.1-1.1.ppc64le",
"openSUSE Tumbleweed:system-user-flatpak-1.12.1-1.1.s390x",
"openSUSE Tumbleweed:system-user-flatpak-1.12.1-1.1.x86_64",
"openSUSE Tumbleweed:typelib-1_0-Flatpak-1_0-1.12.1-1.1.aarch64",
"openSUSE Tumbleweed:typelib-1_0-Flatpak-1_0-1.12.1-1.1.ppc64le",
"openSUSE Tumbleweed:typelib-1_0-Flatpak-1_0-1.12.1-1.1.s390x",
"openSUSE Tumbleweed:typelib-1_0-Flatpak-1_0-1.12.1-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2021-41133",
"url": "https://www.suse.com/security/cve/CVE-2021-41133"
},
{
"category": "external",
"summary": "SUSE Bug 1191507 for CVE-2021-41133",
"url": "https://bugzilla.suse.com/1191507"
},
{
"category": "external",
"summary": "SUSE Bug 1191937 for CVE-2021-41133",
"url": "https://bugzilla.suse.com/1191937"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:flatpak-1.12.1-1.1.aarch64",
"openSUSE Tumbleweed:flatpak-1.12.1-1.1.ppc64le",
"openSUSE Tumbleweed:flatpak-1.12.1-1.1.s390x",
"openSUSE Tumbleweed:flatpak-1.12.1-1.1.x86_64",
"openSUSE Tumbleweed:flatpak-devel-1.12.1-1.1.aarch64",
"openSUSE Tumbleweed:flatpak-devel-1.12.1-1.1.ppc64le",
"openSUSE Tumbleweed:flatpak-devel-1.12.1-1.1.s390x",
"openSUSE Tumbleweed:flatpak-devel-1.12.1-1.1.x86_64",
"openSUSE Tumbleweed:flatpak-zsh-completion-1.12.1-1.1.aarch64",
"openSUSE Tumbleweed:flatpak-zsh-completion-1.12.1-1.1.ppc64le",
"openSUSE Tumbleweed:flatpak-zsh-completion-1.12.1-1.1.s390x",
"openSUSE Tumbleweed:flatpak-zsh-completion-1.12.1-1.1.x86_64",
"openSUSE Tumbleweed:libflatpak0-1.12.1-1.1.aarch64",
"openSUSE Tumbleweed:libflatpak0-1.12.1-1.1.ppc64le",
"openSUSE Tumbleweed:libflatpak0-1.12.1-1.1.s390x",
"openSUSE Tumbleweed:libflatpak0-1.12.1-1.1.x86_64",
"openSUSE Tumbleweed:system-user-flatpak-1.12.1-1.1.aarch64",
"openSUSE Tumbleweed:system-user-flatpak-1.12.1-1.1.ppc64le",
"openSUSE Tumbleweed:system-user-flatpak-1.12.1-1.1.s390x",
"openSUSE Tumbleweed:system-user-flatpak-1.12.1-1.1.x86_64",
"openSUSE Tumbleweed:typelib-1_0-Flatpak-1_0-1.12.1-1.1.aarch64",
"openSUSE Tumbleweed:typelib-1_0-Flatpak-1_0-1.12.1-1.1.ppc64le",
"openSUSE Tumbleweed:typelib-1_0-Flatpak-1_0-1.12.1-1.1.s390x",
"openSUSE Tumbleweed:typelib-1_0-Flatpak-1_0-1.12.1-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:flatpak-1.12.1-1.1.aarch64",
"openSUSE Tumbleweed:flatpak-1.12.1-1.1.ppc64le",
"openSUSE Tumbleweed:flatpak-1.12.1-1.1.s390x",
"openSUSE Tumbleweed:flatpak-1.12.1-1.1.x86_64",
"openSUSE Tumbleweed:flatpak-devel-1.12.1-1.1.aarch64",
"openSUSE Tumbleweed:flatpak-devel-1.12.1-1.1.ppc64le",
"openSUSE Tumbleweed:flatpak-devel-1.12.1-1.1.s390x",
"openSUSE Tumbleweed:flatpak-devel-1.12.1-1.1.x86_64",
"openSUSE Tumbleweed:flatpak-zsh-completion-1.12.1-1.1.aarch64",
"openSUSE Tumbleweed:flatpak-zsh-completion-1.12.1-1.1.ppc64le",
"openSUSE Tumbleweed:flatpak-zsh-completion-1.12.1-1.1.s390x",
"openSUSE Tumbleweed:flatpak-zsh-completion-1.12.1-1.1.x86_64",
"openSUSE Tumbleweed:libflatpak0-1.12.1-1.1.aarch64",
"openSUSE Tumbleweed:libflatpak0-1.12.1-1.1.ppc64le",
"openSUSE Tumbleweed:libflatpak0-1.12.1-1.1.s390x",
"openSUSE Tumbleweed:libflatpak0-1.12.1-1.1.x86_64",
"openSUSE Tumbleweed:system-user-flatpak-1.12.1-1.1.aarch64",
"openSUSE Tumbleweed:system-user-flatpak-1.12.1-1.1.ppc64le",
"openSUSE Tumbleweed:system-user-flatpak-1.12.1-1.1.s390x",
"openSUSE Tumbleweed:system-user-flatpak-1.12.1-1.1.x86_64",
"openSUSE Tumbleweed:typelib-1_0-Flatpak-1_0-1.12.1-1.1.aarch64",
"openSUSE Tumbleweed:typelib-1_0-Flatpak-1_0-1.12.1-1.1.ppc64le",
"openSUSE Tumbleweed:typelib-1_0-Flatpak-1_0-1.12.1-1.1.s390x",
"openSUSE Tumbleweed:typelib-1_0-Flatpak-1_0-1.12.1-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2021-41133"
}
]
}
RHSA-2021:4042
Vulnerability from csaf_redhat - Published: 2021-11-01 13:42 - Updated: 2025-11-21 18:25A flaw was found in the flatpak package. A sandboxed Flatpak app with direct access to AF_UNIX sockets can manipulate its view of the filesystem, using mount-related syscalls not blocked by Flatpak's seccomp denylist, and thereby deceive portals and other host-OS services into treating it as an ordinary, non-sandboxed host-OS process. This allows the app to escalate to the privileges those services presume a non-sandboxed process has. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for flatpak is now available for Red Hat Enterprise Linux 8.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux.\n\nSecurity Fix(es):\n\n* flatpak: Sandbox bypass via recent VFS-manipulating syscalls (CVE-2021-41133)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2021:4042",
"url": "https://access.redhat.com/errata/RHSA-2021:4042"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "https://github.com/flatpak/flatpak/security/advisories/GHSA-67h7-w3jq-vh4q",
"url": "https://github.com/flatpak/flatpak/security/advisories/GHSA-67h7-w3jq-vh4q"
},
{
"category": "external",
"summary": "2012245",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2012245"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2021/rhsa-2021_4042.json"
}
],
"title": "Red Hat Security Advisory: flatpak security update",
"tracking": {
"current_release_date": "2025-11-21T18:25:57+00:00",
"generator": {
"date": "2025-11-21T18:25:57+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.6.12"
}
},
"id": "RHSA-2021:4042",
"initial_release_date": "2021-11-01T13:42:35+00:00",
"revision_history": [
{
"date": "2021-11-01T13:42:35+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2021-11-01T13:42:35+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2025-11-21T18:25:57+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AppStream (v. 8)",
"product": {
"name": "Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.4.0.Z.MAIN.EUS",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:enterprise_linux:8::appstream"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "flatpak-0:1.8.5-4.el8_4.src",
"product": {
"name": "flatpak-0:1.8.5-4.el8_4.src",
"product_id": "flatpak-0:1.8.5-4.el8_4.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/flatpak@1.8.5-4.el8_4?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "flatpak-0:1.8.5-4.el8_4.aarch64",
"product": {
"name": "flatpak-0:1.8.5-4.el8_4.aarch64",
"product_id": "flatpak-0:1.8.5-4.el8_4.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/flatpak@1.8.5-4.el8_4?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "flatpak-libs-0:1.8.5-4.el8_4.aarch64",
"product": {
"name": "flatpak-libs-0:1.8.5-4.el8_4.aarch64",
"product_id": "flatpak-libs-0:1.8.5-4.el8_4.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/flatpak-libs@1.8.5-4.el8_4?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "flatpak-session-helper-0:1.8.5-4.el8_4.aarch64",
"product": {
"name": "flatpak-session-helper-0:1.8.5-4.el8_4.aarch64",
"product_id": "flatpak-session-helper-0:1.8.5-4.el8_4.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/flatpak-session-helper@1.8.5-4.el8_4?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "flatpak-debugsource-0:1.8.5-4.el8_4.aarch64",
"product": {
"name": "flatpak-debugsource-0:1.8.5-4.el8_4.aarch64",
"product_id": "flatpak-debugsource-0:1.8.5-4.el8_4.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/flatpak-debugsource@1.8.5-4.el8_4?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "flatpak-debuginfo-0:1.8.5-4.el8_4.aarch64",
"product": {
"name": "flatpak-debuginfo-0:1.8.5-4.el8_4.aarch64",
"product_id": "flatpak-debuginfo-0:1.8.5-4.el8_4.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/flatpak-debuginfo@1.8.5-4.el8_4?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "flatpak-libs-debuginfo-0:1.8.5-4.el8_4.aarch64",
"product": {
"name": "flatpak-libs-debuginfo-0:1.8.5-4.el8_4.aarch64",
"product_id": "flatpak-libs-debuginfo-0:1.8.5-4.el8_4.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/flatpak-libs-debuginfo@1.8.5-4.el8_4?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "flatpak-session-helper-debuginfo-0:1.8.5-4.el8_4.aarch64",
"product": {
"name": "flatpak-session-helper-debuginfo-0:1.8.5-4.el8_4.aarch64",
"product_id": "flatpak-session-helper-debuginfo-0:1.8.5-4.el8_4.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/flatpak-session-helper-debuginfo@1.8.5-4.el8_4?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "flatpak-tests-debuginfo-0:1.8.5-4.el8_4.aarch64",
"product": {
"name": "flatpak-tests-debuginfo-0:1.8.5-4.el8_4.aarch64",
"product_id": "flatpak-tests-debuginfo-0:1.8.5-4.el8_4.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/flatpak-tests-debuginfo@1.8.5-4.el8_4?arch=aarch64"
}
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "flatpak-0:1.8.5-4.el8_4.ppc64le",
"product": {
"name": "flatpak-0:1.8.5-4.el8_4.ppc64le",
"product_id": "flatpak-0:1.8.5-4.el8_4.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/flatpak@1.8.5-4.el8_4?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "flatpak-libs-0:1.8.5-4.el8_4.ppc64le",
"product": {
"name": "flatpak-libs-0:1.8.5-4.el8_4.ppc64le",
"product_id": "flatpak-libs-0:1.8.5-4.el8_4.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/flatpak-libs@1.8.5-4.el8_4?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "flatpak-session-helper-0:1.8.5-4.el8_4.ppc64le",
"product": {
"name": "flatpak-session-helper-0:1.8.5-4.el8_4.ppc64le",
"product_id": "flatpak-session-helper-0:1.8.5-4.el8_4.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/flatpak-session-helper@1.8.5-4.el8_4?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "flatpak-debugsource-0:1.8.5-4.el8_4.ppc64le",
"product": {
"name": "flatpak-debugsource-0:1.8.5-4.el8_4.ppc64le",
"product_id": "flatpak-debugsource-0:1.8.5-4.el8_4.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/flatpak-debugsource@1.8.5-4.el8_4?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "flatpak-debuginfo-0:1.8.5-4.el8_4.ppc64le",
"product": {
"name": "flatpak-debuginfo-0:1.8.5-4.el8_4.ppc64le",
"product_id": "flatpak-debuginfo-0:1.8.5-4.el8_4.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/flatpak-debuginfo@1.8.5-4.el8_4?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "flatpak-libs-debuginfo-0:1.8.5-4.el8_4.ppc64le",
"product": {
"name": "flatpak-libs-debuginfo-0:1.8.5-4.el8_4.ppc64le",
"product_id": "flatpak-libs-debuginfo-0:1.8.5-4.el8_4.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/flatpak-libs-debuginfo@1.8.5-4.el8_4?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "flatpak-session-helper-debuginfo-0:1.8.5-4.el8_4.ppc64le",
"product": {
"name": "flatpak-session-helper-debuginfo-0:1.8.5-4.el8_4.ppc64le",
"product_id": "flatpak-session-helper-debuginfo-0:1.8.5-4.el8_4.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/flatpak-session-helper-debuginfo@1.8.5-4.el8_4?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "flatpak-tests-debuginfo-0:1.8.5-4.el8_4.ppc64le",
"product": {
"name": "flatpak-tests-debuginfo-0:1.8.5-4.el8_4.ppc64le",
"product_id": "flatpak-tests-debuginfo-0:1.8.5-4.el8_4.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/flatpak-tests-debuginfo@1.8.5-4.el8_4?arch=ppc64le"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "flatpak-0:1.8.5-4.el8_4.x86_64",
"product": {
"name": "flatpak-0:1.8.5-4.el8_4.x86_64",
"product_id": "flatpak-0:1.8.5-4.el8_4.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/flatpak@1.8.5-4.el8_4?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "flatpak-libs-0:1.8.5-4.el8_4.x86_64",
"product": {
"name": "flatpak-libs-0:1.8.5-4.el8_4.x86_64",
"product_id": "flatpak-libs-0:1.8.5-4.el8_4.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/flatpak-libs@1.8.5-4.el8_4?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "flatpak-session-helper-0:1.8.5-4.el8_4.x86_64",
"product": {
"name": "flatpak-session-helper-0:1.8.5-4.el8_4.x86_64",
"product_id": "flatpak-session-helper-0:1.8.5-4.el8_4.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/flatpak-session-helper@1.8.5-4.el8_4?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "flatpak-debugsource-0:1.8.5-4.el8_4.x86_64",
"product": {
"name": "flatpak-debugsource-0:1.8.5-4.el8_4.x86_64",
"product_id": "flatpak-debugsource-0:1.8.5-4.el8_4.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/flatpak-debugsource@1.8.5-4.el8_4?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "flatpak-debuginfo-0:1.8.5-4.el8_4.x86_64",
"product": {
"name": "flatpak-debuginfo-0:1.8.5-4.el8_4.x86_64",
"product_id": "flatpak-debuginfo-0:1.8.5-4.el8_4.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/flatpak-debuginfo@1.8.5-4.el8_4?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "flatpak-libs-debuginfo-0:1.8.5-4.el8_4.x86_64",
"product": {
"name": "flatpak-libs-debuginfo-0:1.8.5-4.el8_4.x86_64",
"product_id": "flatpak-libs-debuginfo-0:1.8.5-4.el8_4.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/flatpak-libs-debuginfo@1.8.5-4.el8_4?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "flatpak-session-helper-debuginfo-0:1.8.5-4.el8_4.x86_64",
"product": {
"name": "flatpak-session-helper-debuginfo-0:1.8.5-4.el8_4.x86_64",
"product_id": "flatpak-session-helper-debuginfo-0:1.8.5-4.el8_4.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/flatpak-session-helper-debuginfo@1.8.5-4.el8_4?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "flatpak-tests-debuginfo-0:1.8.5-4.el8_4.x86_64",
"product": {
"name": "flatpak-tests-debuginfo-0:1.8.5-4.el8_4.x86_64",
"product_id": "flatpak-tests-debuginfo-0:1.8.5-4.el8_4.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/flatpak-tests-debuginfo@1.8.5-4.el8_4?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "flatpak-libs-0:1.8.5-4.el8_4.i686",
"product": {
"name": "flatpak-libs-0:1.8.5-4.el8_4.i686",
"product_id": "flatpak-libs-0:1.8.5-4.el8_4.i686",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/flatpak-libs@1.8.5-4.el8_4?arch=i686"
}
}
},
{
"category": "product_version",
"name": "flatpak-debugsource-0:1.8.5-4.el8_4.i686",
"product": {
"name": "flatpak-debugsource-0:1.8.5-4.el8_4.i686",
"product_id": "flatpak-debugsource-0:1.8.5-4.el8_4.i686",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/flatpak-debugsource@1.8.5-4.el8_4?arch=i686"
}
}
},
{
"category": "product_version",
"name": "flatpak-debuginfo-0:1.8.5-4.el8_4.i686",
"product": {
"name": "flatpak-debuginfo-0:1.8.5-4.el8_4.i686",
"product_id": "flatpak-debuginfo-0:1.8.5-4.el8_4.i686",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/flatpak-debuginfo@1.8.5-4.el8_4?arch=i686"
}
}
},
{
"category": "product_version",
"name": "flatpak-libs-debuginfo-0:1.8.5-4.el8_4.i686",
"product": {
"name": "flatpak-libs-debuginfo-0:1.8.5-4.el8_4.i686",
"product_id": "flatpak-libs-debuginfo-0:1.8.5-4.el8_4.i686",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/flatpak-libs-debuginfo@1.8.5-4.el8_4?arch=i686"
}
}
},
{
"category": "product_version",
"name": "flatpak-session-helper-debuginfo-0:1.8.5-4.el8_4.i686",
"product": {
"name": "flatpak-session-helper-debuginfo-0:1.8.5-4.el8_4.i686",
"product_id": "flatpak-session-helper-debuginfo-0:1.8.5-4.el8_4.i686",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/flatpak-session-helper-debuginfo@1.8.5-4.el8_4?arch=i686"
}
}
},
{
"category": "product_version",
"name": "flatpak-tests-debuginfo-0:1.8.5-4.el8_4.i686",
"product": {
"name": "flatpak-tests-debuginfo-0:1.8.5-4.el8_4.i686",
"product_id": "flatpak-tests-debuginfo-0:1.8.5-4.el8_4.i686",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/flatpak-tests-debuginfo@1.8.5-4.el8_4?arch=i686"
}
}
}
],
"category": "architecture",
"name": "i686"
},
{
"branches": [
{
"category": "product_version",
"name": "flatpak-0:1.8.5-4.el8_4.s390x",
"product": {
"name": "flatpak-0:1.8.5-4.el8_4.s390x",
"product_id": "flatpak-0:1.8.5-4.el8_4.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/flatpak@1.8.5-4.el8_4?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "flatpak-libs-0:1.8.5-4.el8_4.s390x",
"product": {
"name": "flatpak-libs-0:1.8.5-4.el8_4.s390x",
"product_id": "flatpak-libs-0:1.8.5-4.el8_4.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/flatpak-libs@1.8.5-4.el8_4?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "flatpak-session-helper-0:1.8.5-4.el8_4.s390x",
"product": {
"name": "flatpak-session-helper-0:1.8.5-4.el8_4.s390x",
"product_id": "flatpak-session-helper-0:1.8.5-4.el8_4.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/flatpak-session-helper@1.8.5-4.el8_4?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "flatpak-debugsource-0:1.8.5-4.el8_4.s390x",
"product": {
"name": "flatpak-debugsource-0:1.8.5-4.el8_4.s390x",
"product_id": "flatpak-debugsource-0:1.8.5-4.el8_4.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/flatpak-debugsource@1.8.5-4.el8_4?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "flatpak-debuginfo-0:1.8.5-4.el8_4.s390x",
"product": {
"name": "flatpak-debuginfo-0:1.8.5-4.el8_4.s390x",
"product_id": "flatpak-debuginfo-0:1.8.5-4.el8_4.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/flatpak-debuginfo@1.8.5-4.el8_4?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "flatpak-libs-debuginfo-0:1.8.5-4.el8_4.s390x",
"product": {
"name": "flatpak-libs-debuginfo-0:1.8.5-4.el8_4.s390x",
"product_id": "flatpak-libs-debuginfo-0:1.8.5-4.el8_4.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/flatpak-libs-debuginfo@1.8.5-4.el8_4?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "flatpak-session-helper-debuginfo-0:1.8.5-4.el8_4.s390x",
"product": {
"name": "flatpak-session-helper-debuginfo-0:1.8.5-4.el8_4.s390x",
"product_id": "flatpak-session-helper-debuginfo-0:1.8.5-4.el8_4.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/flatpak-session-helper-debuginfo@1.8.5-4.el8_4?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "flatpak-tests-debuginfo-0:1.8.5-4.el8_4.s390x",
"product": {
"name": "flatpak-tests-debuginfo-0:1.8.5-4.el8_4.s390x",
"product_id": "flatpak-tests-debuginfo-0:1.8.5-4.el8_4.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/flatpak-tests-debuginfo@1.8.5-4.el8_4?arch=s390x"
}
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "flatpak-selinux-0:1.8.5-4.el8_4.noarch",
"product": {
"name": "flatpak-selinux-0:1.8.5-4.el8_4.noarch",
"product_id": "flatpak-selinux-0:1.8.5-4.el8_4.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/flatpak-selinux@1.8.5-4.el8_4?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "flatpak-0:1.8.5-4.el8_4.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.4.0.Z.MAIN.EUS:flatpak-0:1.8.5-4.el8_4.aarch64"
},
"product_reference": "flatpak-0:1.8.5-4.el8_4.aarch64",
"relates_to_product_reference": "AppStream-8.4.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "flatpak-0:1.8.5-4.el8_4.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.4.0.Z.MAIN.EUS:flatpak-0:1.8.5-4.el8_4.ppc64le"
},
"product_reference": "flatpak-0:1.8.5-4.el8_4.ppc64le",
"relates_to_product_reference": "AppStream-8.4.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "flatpak-0:1.8.5-4.el8_4.s390x as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.4.0.Z.MAIN.EUS:flatpak-0:1.8.5-4.el8_4.s390x"
},
"product_reference": "flatpak-0:1.8.5-4.el8_4.s390x",
"relates_to_product_reference": "AppStream-8.4.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "flatpak-0:1.8.5-4.el8_4.src as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.4.0.Z.MAIN.EUS:flatpak-0:1.8.5-4.el8_4.src"
},
"product_reference": "flatpak-0:1.8.5-4.el8_4.src",
"relates_to_product_reference": "AppStream-8.4.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "flatpak-0:1.8.5-4.el8_4.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.4.0.Z.MAIN.EUS:flatpak-0:1.8.5-4.el8_4.x86_64"
},
"product_reference": "flatpak-0:1.8.5-4.el8_4.x86_64",
"relates_to_product_reference": "AppStream-8.4.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "flatpak-debuginfo-0:1.8.5-4.el8_4.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.4.0.Z.MAIN.EUS:flatpak-debuginfo-0:1.8.5-4.el8_4.aarch64"
},
"product_reference": "flatpak-debuginfo-0:1.8.5-4.el8_4.aarch64",
"relates_to_product_reference": "AppStream-8.4.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "flatpak-debuginfo-0:1.8.5-4.el8_4.i686 as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.4.0.Z.MAIN.EUS:flatpak-debuginfo-0:1.8.5-4.el8_4.i686"
},
"product_reference": "flatpak-debuginfo-0:1.8.5-4.el8_4.i686",
"relates_to_product_reference": "AppStream-8.4.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "flatpak-debuginfo-0:1.8.5-4.el8_4.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.4.0.Z.MAIN.EUS:flatpak-debuginfo-0:1.8.5-4.el8_4.ppc64le"
},
"product_reference": "flatpak-debuginfo-0:1.8.5-4.el8_4.ppc64le",
"relates_to_product_reference": "AppStream-8.4.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "flatpak-debuginfo-0:1.8.5-4.el8_4.s390x as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.4.0.Z.MAIN.EUS:flatpak-debuginfo-0:1.8.5-4.el8_4.s390x"
},
"product_reference": "flatpak-debuginfo-0:1.8.5-4.el8_4.s390x",
"relates_to_product_reference": "AppStream-8.4.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "flatpak-debuginfo-0:1.8.5-4.el8_4.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.4.0.Z.MAIN.EUS:flatpak-debuginfo-0:1.8.5-4.el8_4.x86_64"
},
"product_reference": "flatpak-debuginfo-0:1.8.5-4.el8_4.x86_64",
"relates_to_product_reference": "AppStream-8.4.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "flatpak-debugsource-0:1.8.5-4.el8_4.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.4.0.Z.MAIN.EUS:flatpak-debugsource-0:1.8.5-4.el8_4.aarch64"
},
"product_reference": "flatpak-debugsource-0:1.8.5-4.el8_4.aarch64",
"relates_to_product_reference": "AppStream-8.4.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "flatpak-debugsource-0:1.8.5-4.el8_4.i686 as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.4.0.Z.MAIN.EUS:flatpak-debugsource-0:1.8.5-4.el8_4.i686"
},
"product_reference": "flatpak-debugsource-0:1.8.5-4.el8_4.i686",
"relates_to_product_reference": "AppStream-8.4.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "flatpak-debugsource-0:1.8.5-4.el8_4.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.4.0.Z.MAIN.EUS:flatpak-debugsource-0:1.8.5-4.el8_4.ppc64le"
},
"product_reference": "flatpak-debugsource-0:1.8.5-4.el8_4.ppc64le",
"relates_to_product_reference": "AppStream-8.4.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "flatpak-debugsource-0:1.8.5-4.el8_4.s390x as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.4.0.Z.MAIN.EUS:flatpak-debugsource-0:1.8.5-4.el8_4.s390x"
},
"product_reference": "flatpak-debugsource-0:1.8.5-4.el8_4.s390x",
"relates_to_product_reference": "AppStream-8.4.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "flatpak-debugsource-0:1.8.5-4.el8_4.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.4.0.Z.MAIN.EUS:flatpak-debugsource-0:1.8.5-4.el8_4.x86_64"
},
"product_reference": "flatpak-debugsource-0:1.8.5-4.el8_4.x86_64",
"relates_to_product_reference": "AppStream-8.4.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "flatpak-libs-0:1.8.5-4.el8_4.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.4.0.Z.MAIN.EUS:flatpak-libs-0:1.8.5-4.el8_4.aarch64"
},
"product_reference": "flatpak-libs-0:1.8.5-4.el8_4.aarch64",
"relates_to_product_reference": "AppStream-8.4.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "flatpak-libs-0:1.8.5-4.el8_4.i686 as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.4.0.Z.MAIN.EUS:flatpak-libs-0:1.8.5-4.el8_4.i686"
},
"product_reference": "flatpak-libs-0:1.8.5-4.el8_4.i686",
"relates_to_product_reference": "AppStream-8.4.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "flatpak-libs-0:1.8.5-4.el8_4.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.4.0.Z.MAIN.EUS:flatpak-libs-0:1.8.5-4.el8_4.ppc64le"
},
"product_reference": "flatpak-libs-0:1.8.5-4.el8_4.ppc64le",
"relates_to_product_reference": "AppStream-8.4.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "flatpak-libs-0:1.8.5-4.el8_4.s390x as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.4.0.Z.MAIN.EUS:flatpak-libs-0:1.8.5-4.el8_4.s390x"
},
"product_reference": "flatpak-libs-0:1.8.5-4.el8_4.s390x",
"relates_to_product_reference": "AppStream-8.4.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "flatpak-libs-0:1.8.5-4.el8_4.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.4.0.Z.MAIN.EUS:flatpak-libs-0:1.8.5-4.el8_4.x86_64"
},
"product_reference": "flatpak-libs-0:1.8.5-4.el8_4.x86_64",
"relates_to_product_reference": "AppStream-8.4.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "flatpak-libs-debuginfo-0:1.8.5-4.el8_4.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.4.0.Z.MAIN.EUS:flatpak-libs-debuginfo-0:1.8.5-4.el8_4.aarch64"
},
"product_reference": "flatpak-libs-debuginfo-0:1.8.5-4.el8_4.aarch64",
"relates_to_product_reference": "AppStream-8.4.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "flatpak-libs-debuginfo-0:1.8.5-4.el8_4.i686 as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.4.0.Z.MAIN.EUS:flatpak-libs-debuginfo-0:1.8.5-4.el8_4.i686"
},
"product_reference": "flatpak-libs-debuginfo-0:1.8.5-4.el8_4.i686",
"relates_to_product_reference": "AppStream-8.4.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "flatpak-libs-debuginfo-0:1.8.5-4.el8_4.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.4.0.Z.MAIN.EUS:flatpak-libs-debuginfo-0:1.8.5-4.el8_4.ppc64le"
},
"product_reference": "flatpak-libs-debuginfo-0:1.8.5-4.el8_4.ppc64le",
"relates_to_product_reference": "AppStream-8.4.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "flatpak-libs-debuginfo-0:1.8.5-4.el8_4.s390x as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.4.0.Z.MAIN.EUS:flatpak-libs-debuginfo-0:1.8.5-4.el8_4.s390x"
},
"product_reference": "flatpak-libs-debuginfo-0:1.8.5-4.el8_4.s390x",
"relates_to_product_reference": "AppStream-8.4.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "flatpak-libs-debuginfo-0:1.8.5-4.el8_4.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.4.0.Z.MAIN.EUS:flatpak-libs-debuginfo-0:1.8.5-4.el8_4.x86_64"
},
"product_reference": "flatpak-libs-debuginfo-0:1.8.5-4.el8_4.x86_64",
"relates_to_product_reference": "AppStream-8.4.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "flatpak-selinux-0:1.8.5-4.el8_4.noarch as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.4.0.Z.MAIN.EUS:flatpak-selinux-0:1.8.5-4.el8_4.noarch"
},
"product_reference": "flatpak-selinux-0:1.8.5-4.el8_4.noarch",
"relates_to_product_reference": "AppStream-8.4.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "flatpak-session-helper-0:1.8.5-4.el8_4.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.4.0.Z.MAIN.EUS:flatpak-session-helper-0:1.8.5-4.el8_4.aarch64"
},
"product_reference": "flatpak-session-helper-0:1.8.5-4.el8_4.aarch64",
"relates_to_product_reference": "AppStream-8.4.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "flatpak-session-helper-0:1.8.5-4.el8_4.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.4.0.Z.MAIN.EUS:flatpak-session-helper-0:1.8.5-4.el8_4.ppc64le"
},
"product_reference": "flatpak-session-helper-0:1.8.5-4.el8_4.ppc64le",
"relates_to_product_reference": "AppStream-8.4.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "flatpak-session-helper-0:1.8.5-4.el8_4.s390x as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.4.0.Z.MAIN.EUS:flatpak-session-helper-0:1.8.5-4.el8_4.s390x"
},
"product_reference": "flatpak-session-helper-0:1.8.5-4.el8_4.s390x",
"relates_to_product_reference": "AppStream-8.4.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "flatpak-session-helper-0:1.8.5-4.el8_4.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.4.0.Z.MAIN.EUS:flatpak-session-helper-0:1.8.5-4.el8_4.x86_64"
},
"product_reference": "flatpak-session-helper-0:1.8.5-4.el8_4.x86_64",
"relates_to_product_reference": "AppStream-8.4.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "flatpak-session-helper-debuginfo-0:1.8.5-4.el8_4.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.4.0.Z.MAIN.EUS:flatpak-session-helper-debuginfo-0:1.8.5-4.el8_4.aarch64"
},
"product_reference": "flatpak-session-helper-debuginfo-0:1.8.5-4.el8_4.aarch64",
"relates_to_product_reference": "AppStream-8.4.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "flatpak-session-helper-debuginfo-0:1.8.5-4.el8_4.i686 as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.4.0.Z.MAIN.EUS:flatpak-session-helper-debuginfo-0:1.8.5-4.el8_4.i686"
},
"product_reference": "flatpak-session-helper-debuginfo-0:1.8.5-4.el8_4.i686",
"relates_to_product_reference": "AppStream-8.4.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "flatpak-session-helper-debuginfo-0:1.8.5-4.el8_4.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.4.0.Z.MAIN.EUS:flatpak-session-helper-debuginfo-0:1.8.5-4.el8_4.ppc64le"
},
"product_reference": "flatpak-session-helper-debuginfo-0:1.8.5-4.el8_4.ppc64le",
"relates_to_product_reference": "AppStream-8.4.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "flatpak-session-helper-debuginfo-0:1.8.5-4.el8_4.s390x as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.4.0.Z.MAIN.EUS:flatpak-session-helper-debuginfo-0:1.8.5-4.el8_4.s390x"
},
"product_reference": "flatpak-session-helper-debuginfo-0:1.8.5-4.el8_4.s390x",
"relates_to_product_reference": "AppStream-8.4.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "flatpak-session-helper-debuginfo-0:1.8.5-4.el8_4.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.4.0.Z.MAIN.EUS:flatpak-session-helper-debuginfo-0:1.8.5-4.el8_4.x86_64"
},
"product_reference": "flatpak-session-helper-debuginfo-0:1.8.5-4.el8_4.x86_64",
"relates_to_product_reference": "AppStream-8.4.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "flatpak-tests-debuginfo-0:1.8.5-4.el8_4.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.4.0.Z.MAIN.EUS:flatpak-tests-debuginfo-0:1.8.5-4.el8_4.aarch64"
},
"product_reference": "flatpak-tests-debuginfo-0:1.8.5-4.el8_4.aarch64",
"relates_to_product_reference": "AppStream-8.4.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "flatpak-tests-debuginfo-0:1.8.5-4.el8_4.i686 as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.4.0.Z.MAIN.EUS:flatpak-tests-debuginfo-0:1.8.5-4.el8_4.i686"
},
"product_reference": "flatpak-tests-debuginfo-0:1.8.5-4.el8_4.i686",
"relates_to_product_reference": "AppStream-8.4.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "flatpak-tests-debuginfo-0:1.8.5-4.el8_4.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.4.0.Z.MAIN.EUS:flatpak-tests-debuginfo-0:1.8.5-4.el8_4.ppc64le"
},
"product_reference": "flatpak-tests-debuginfo-0:1.8.5-4.el8_4.ppc64le",
"relates_to_product_reference": "AppStream-8.4.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "flatpak-tests-debuginfo-0:1.8.5-4.el8_4.s390x as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.4.0.Z.MAIN.EUS:flatpak-tests-debuginfo-0:1.8.5-4.el8_4.s390x"
},
"product_reference": "flatpak-tests-debuginfo-0:1.8.5-4.el8_4.s390x",
"relates_to_product_reference": "AppStream-8.4.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "flatpak-tests-debuginfo-0:1.8.5-4.el8_4.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.4.0.Z.MAIN.EUS:flatpak-tests-debuginfo-0:1.8.5-4.el8_4.x86_64"
},
"product_reference": "flatpak-tests-debuginfo-0:1.8.5-4.el8_4.x86_64",
"relates_to_product_reference": "AppStream-8.4.0.Z.MAIN.EUS"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2021-41133",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2021-10-08T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2012245"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the flatpak package. A flatpak app can deceive portals and other host-OS services into treating it as an ordinary, non-sandboxed host-OS process. This flaw allows the app to escalate to the privileges that those services presume a non-sandboxed process has. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "flatpak: Sandbox bypass via recent VFS-manipulating syscalls",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-8.4.0.Z.MAIN.EUS:flatpak-0:1.8.5-4.el8_4.aarch64",
"AppStream-8.4.0.Z.MAIN.EUS:flatpak-0:1.8.5-4.el8_4.ppc64le",
"AppStream-8.4.0.Z.MAIN.EUS:flatpak-0:1.8.5-4.el8_4.s390x",
"AppStream-8.4.0.Z.MAIN.EUS:flatpak-0:1.8.5-4.el8_4.src",
"AppStream-8.4.0.Z.MAIN.EUS:flatpak-0:1.8.5-4.el8_4.x86_64",
"AppStream-8.4.0.Z.MAIN.EUS:flatpak-debuginfo-0:1.8.5-4.el8_4.aarch64",
"AppStream-8.4.0.Z.MAIN.EUS:flatpak-debuginfo-0:1.8.5-4.el8_4.i686",
"AppStream-8.4.0.Z.MAIN.EUS:flatpak-debuginfo-0:1.8.5-4.el8_4.ppc64le",
"AppStream-8.4.0.Z.MAIN.EUS:flatpak-debuginfo-0:1.8.5-4.el8_4.s390x",
"AppStream-8.4.0.Z.MAIN.EUS:flatpak-debuginfo-0:1.8.5-4.el8_4.x86_64",
"AppStream-8.4.0.Z.MAIN.EUS:flatpak-debugsource-0:1.8.5-4.el8_4.aarch64",
"AppStream-8.4.0.Z.MAIN.EUS:flatpak-debugsource-0:1.8.5-4.el8_4.i686",
"AppStream-8.4.0.Z.MAIN.EUS:flatpak-debugsource-0:1.8.5-4.el8_4.ppc64le",
"AppStream-8.4.0.Z.MAIN.EUS:flatpak-debugsource-0:1.8.5-4.el8_4.s390x",
"AppStream-8.4.0.Z.MAIN.EUS:flatpak-debugsource-0:1.8.5-4.el8_4.x86_64",
"AppStream-8.4.0.Z.MAIN.EUS:flatpak-libs-0:1.8.5-4.el8_4.aarch64",
"AppStream-8.4.0.Z.MAIN.EUS:flatpak-libs-0:1.8.5-4.el8_4.i686",
"AppStream-8.4.0.Z.MAIN.EUS:flatpak-libs-0:1.8.5-4.el8_4.ppc64le",
"AppStream-8.4.0.Z.MAIN.EUS:flatpak-libs-0:1.8.5-4.el8_4.s390x",
"AppStream-8.4.0.Z.MAIN.EUS:flatpak-libs-0:1.8.5-4.el8_4.x86_64",
"AppStream-8.4.0.Z.MAIN.EUS:flatpak-libs-debuginfo-0:1.8.5-4.el8_4.aarch64",
"AppStream-8.4.0.Z.MAIN.EUS:flatpak-libs-debuginfo-0:1.8.5-4.el8_4.i686",
"AppStream-8.4.0.Z.MAIN.EUS:flatpak-libs-debuginfo-0:1.8.5-4.el8_4.ppc64le",
"AppStream-8.4.0.Z.MAIN.EUS:flatpak-libs-debuginfo-0:1.8.5-4.el8_4.s390x",
"AppStream-8.4.0.Z.MAIN.EUS:flatpak-libs-debuginfo-0:1.8.5-4.el8_4.x86_64",
"AppStream-8.4.0.Z.MAIN.EUS:flatpak-selinux-0:1.8.5-4.el8_4.noarch",
"AppStream-8.4.0.Z.MAIN.EUS:flatpak-session-helper-0:1.8.5-4.el8_4.aarch64",
"AppStream-8.4.0.Z.MAIN.EUS:flatpak-session-helper-0:1.8.5-4.el8_4.ppc64le",
"AppStream-8.4.0.Z.MAIN.EUS:flatpak-session-helper-0:1.8.5-4.el8_4.s390x",
"AppStream-8.4.0.Z.MAIN.EUS:flatpak-session-helper-0:1.8.5-4.el8_4.x86_64",
"AppStream-8.4.0.Z.MAIN.EUS:flatpak-session-helper-debuginfo-0:1.8.5-4.el8_4.aarch64",
"AppStream-8.4.0.Z.MAIN.EUS:flatpak-session-helper-debuginfo-0:1.8.5-4.el8_4.i686",
"AppStream-8.4.0.Z.MAIN.EUS:flatpak-session-helper-debuginfo-0:1.8.5-4.el8_4.ppc64le",
"AppStream-8.4.0.Z.MAIN.EUS:flatpak-session-helper-debuginfo-0:1.8.5-4.el8_4.s390x",
"AppStream-8.4.0.Z.MAIN.EUS:flatpak-session-helper-debuginfo-0:1.8.5-4.el8_4.x86_64",
"AppStream-8.4.0.Z.MAIN.EUS:flatpak-tests-debuginfo-0:1.8.5-4.el8_4.aarch64",
"AppStream-8.4.0.Z.MAIN.EUS:flatpak-tests-debuginfo-0:1.8.5-4.el8_4.i686",
"AppStream-8.4.0.Z.MAIN.EUS:flatpak-tests-debuginfo-0:1.8.5-4.el8_4.ppc64le",
"AppStream-8.4.0.Z.MAIN.EUS:flatpak-tests-debuginfo-0:1.8.5-4.el8_4.s390x",
"AppStream-8.4.0.Z.MAIN.EUS:flatpak-tests-debuginfo-0:1.8.5-4.el8_4.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-41133"
},
{
"category": "external",
"summary": "RHBZ#2012245",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2012245"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-41133",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-41133"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-41133",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41133"
}
],
"release_date": "2021-10-08T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2021-11-01T13:42:35+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-8.4.0.Z.MAIN.EUS:flatpak-0:1.8.5-4.el8_4.aarch64",
"AppStream-8.4.0.Z.MAIN.EUS:flatpak-0:1.8.5-4.el8_4.ppc64le",
"AppStream-8.4.0.Z.MAIN.EUS:flatpak-0:1.8.5-4.el8_4.s390x",
"AppStream-8.4.0.Z.MAIN.EUS:flatpak-0:1.8.5-4.el8_4.src",
"AppStream-8.4.0.Z.MAIN.EUS:flatpak-0:1.8.5-4.el8_4.x86_64",
"AppStream-8.4.0.Z.MAIN.EUS:flatpak-debuginfo-0:1.8.5-4.el8_4.aarch64",
"AppStream-8.4.0.Z.MAIN.EUS:flatpak-debuginfo-0:1.8.5-4.el8_4.i686",
"AppStream-8.4.0.Z.MAIN.EUS:flatpak-debuginfo-0:1.8.5-4.el8_4.ppc64le",
"AppStream-8.4.0.Z.MAIN.EUS:flatpak-debuginfo-0:1.8.5-4.el8_4.s390x",
"AppStream-8.4.0.Z.MAIN.EUS:flatpak-debuginfo-0:1.8.5-4.el8_4.x86_64",
"AppStream-8.4.0.Z.MAIN.EUS:flatpak-debugsource-0:1.8.5-4.el8_4.aarch64",
"AppStream-8.4.0.Z.MAIN.EUS:flatpak-debugsource-0:1.8.5-4.el8_4.i686",
"AppStream-8.4.0.Z.MAIN.EUS:flatpak-debugsource-0:1.8.5-4.el8_4.ppc64le",
"AppStream-8.4.0.Z.MAIN.EUS:flatpak-debugsource-0:1.8.5-4.el8_4.s390x",
"AppStream-8.4.0.Z.MAIN.EUS:flatpak-debugsource-0:1.8.5-4.el8_4.x86_64",
"AppStream-8.4.0.Z.MAIN.EUS:flatpak-libs-0:1.8.5-4.el8_4.aarch64",
"AppStream-8.4.0.Z.MAIN.EUS:flatpak-libs-0:1.8.5-4.el8_4.i686",
"AppStream-8.4.0.Z.MAIN.EUS:flatpak-libs-0:1.8.5-4.el8_4.ppc64le",
"AppStream-8.4.0.Z.MAIN.EUS:flatpak-libs-0:1.8.5-4.el8_4.s390x",
"AppStream-8.4.0.Z.MAIN.EUS:flatpak-libs-0:1.8.5-4.el8_4.x86_64",
"AppStream-8.4.0.Z.MAIN.EUS:flatpak-libs-debuginfo-0:1.8.5-4.el8_4.aarch64",
"AppStream-8.4.0.Z.MAIN.EUS:flatpak-libs-debuginfo-0:1.8.5-4.el8_4.i686",
"AppStream-8.4.0.Z.MAIN.EUS:flatpak-libs-debuginfo-0:1.8.5-4.el8_4.ppc64le",
"AppStream-8.4.0.Z.MAIN.EUS:flatpak-libs-debuginfo-0:1.8.5-4.el8_4.s390x",
"AppStream-8.4.0.Z.MAIN.EUS:flatpak-libs-debuginfo-0:1.8.5-4.el8_4.x86_64",
"AppStream-8.4.0.Z.MAIN.EUS:flatpak-selinux-0:1.8.5-4.el8_4.noarch",
"AppStream-8.4.0.Z.MAIN.EUS:flatpak-session-helper-0:1.8.5-4.el8_4.aarch64",
"AppStream-8.4.0.Z.MAIN.EUS:flatpak-session-helper-0:1.8.5-4.el8_4.ppc64le",
"AppStream-8.4.0.Z.MAIN.EUS:flatpak-session-helper-0:1.8.5-4.el8_4.s390x",
"AppStream-8.4.0.Z.MAIN.EUS:flatpak-session-helper-0:1.8.5-4.el8_4.x86_64",
"AppStream-8.4.0.Z.MAIN.EUS:flatpak-session-helper-debuginfo-0:1.8.5-4.el8_4.aarch64",
"AppStream-8.4.0.Z.MAIN.EUS:flatpak-session-helper-debuginfo-0:1.8.5-4.el8_4.i686",
"AppStream-8.4.0.Z.MAIN.EUS:flatpak-session-helper-debuginfo-0:1.8.5-4.el8_4.ppc64le",
"AppStream-8.4.0.Z.MAIN.EUS:flatpak-session-helper-debuginfo-0:1.8.5-4.el8_4.s390x",
"AppStream-8.4.0.Z.MAIN.EUS:flatpak-session-helper-debuginfo-0:1.8.5-4.el8_4.x86_64",
"AppStream-8.4.0.Z.MAIN.EUS:flatpak-tests-debuginfo-0:1.8.5-4.el8_4.aarch64",
"AppStream-8.4.0.Z.MAIN.EUS:flatpak-tests-debuginfo-0:1.8.5-4.el8_4.i686",
"AppStream-8.4.0.Z.MAIN.EUS:flatpak-tests-debuginfo-0:1.8.5-4.el8_4.ppc64le",
"AppStream-8.4.0.Z.MAIN.EUS:flatpak-tests-debuginfo-0:1.8.5-4.el8_4.s390x",
"AppStream-8.4.0.Z.MAIN.EUS:flatpak-tests-debuginfo-0:1.8.5-4.el8_4.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2021:4042"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"AppStream-8.4.0.Z.MAIN.EUS:flatpak-0:1.8.5-4.el8_4.aarch64",
"AppStream-8.4.0.Z.MAIN.EUS:flatpak-0:1.8.5-4.el8_4.ppc64le",
"AppStream-8.4.0.Z.MAIN.EUS:flatpak-0:1.8.5-4.el8_4.s390x",
"AppStream-8.4.0.Z.MAIN.EUS:flatpak-0:1.8.5-4.el8_4.src",
"AppStream-8.4.0.Z.MAIN.EUS:flatpak-0:1.8.5-4.el8_4.x86_64",
"AppStream-8.4.0.Z.MAIN.EUS:flatpak-debuginfo-0:1.8.5-4.el8_4.aarch64",
"AppStream-8.4.0.Z.MAIN.EUS:flatpak-debuginfo-0:1.8.5-4.el8_4.i686",
"AppStream-8.4.0.Z.MAIN.EUS:flatpak-debuginfo-0:1.8.5-4.el8_4.ppc64le",
"AppStream-8.4.0.Z.MAIN.EUS:flatpak-debuginfo-0:1.8.5-4.el8_4.s390x",
"AppStream-8.4.0.Z.MAIN.EUS:flatpak-debuginfo-0:1.8.5-4.el8_4.x86_64",
"AppStream-8.4.0.Z.MAIN.EUS:flatpak-debugsource-0:1.8.5-4.el8_4.aarch64",
"AppStream-8.4.0.Z.MAIN.EUS:flatpak-debugsource-0:1.8.5-4.el8_4.i686",
"AppStream-8.4.0.Z.MAIN.EUS:flatpak-debugsource-0:1.8.5-4.el8_4.ppc64le",
"AppStream-8.4.0.Z.MAIN.EUS:flatpak-debugsource-0:1.8.5-4.el8_4.s390x",
"AppStream-8.4.0.Z.MAIN.EUS:flatpak-debugsource-0:1.8.5-4.el8_4.x86_64",
"AppStream-8.4.0.Z.MAIN.EUS:flatpak-libs-0:1.8.5-4.el8_4.aarch64",
"AppStream-8.4.0.Z.MAIN.EUS:flatpak-libs-0:1.8.5-4.el8_4.i686",
"AppStream-8.4.0.Z.MAIN.EUS:flatpak-libs-0:1.8.5-4.el8_4.ppc64le",
"AppStream-8.4.0.Z.MAIN.EUS:flatpak-libs-0:1.8.5-4.el8_4.s390x",
"AppStream-8.4.0.Z.MAIN.EUS:flatpak-libs-0:1.8.5-4.el8_4.x86_64",
"AppStream-8.4.0.Z.MAIN.EUS:flatpak-libs-debuginfo-0:1.8.5-4.el8_4.aarch64",
"AppStream-8.4.0.Z.MAIN.EUS:flatpak-libs-debuginfo-0:1.8.5-4.el8_4.i686",
"AppStream-8.4.0.Z.MAIN.EUS:flatpak-libs-debuginfo-0:1.8.5-4.el8_4.ppc64le",
"AppStream-8.4.0.Z.MAIN.EUS:flatpak-libs-debuginfo-0:1.8.5-4.el8_4.s390x",
"AppStream-8.4.0.Z.MAIN.EUS:flatpak-libs-debuginfo-0:1.8.5-4.el8_4.x86_64",
"AppStream-8.4.0.Z.MAIN.EUS:flatpak-selinux-0:1.8.5-4.el8_4.noarch",
"AppStream-8.4.0.Z.MAIN.EUS:flatpak-session-helper-0:1.8.5-4.el8_4.aarch64",
"AppStream-8.4.0.Z.MAIN.EUS:flatpak-session-helper-0:1.8.5-4.el8_4.ppc64le",
"AppStream-8.4.0.Z.MAIN.EUS:flatpak-session-helper-0:1.8.5-4.el8_4.s390x",
"AppStream-8.4.0.Z.MAIN.EUS:flatpak-session-helper-0:1.8.5-4.el8_4.x86_64",
"AppStream-8.4.0.Z.MAIN.EUS:flatpak-session-helper-debuginfo-0:1.8.5-4.el8_4.aarch64",
"AppStream-8.4.0.Z.MAIN.EUS:flatpak-session-helper-debuginfo-0:1.8.5-4.el8_4.i686",
"AppStream-8.4.0.Z.MAIN.EUS:flatpak-session-helper-debuginfo-0:1.8.5-4.el8_4.ppc64le",
"AppStream-8.4.0.Z.MAIN.EUS:flatpak-session-helper-debuginfo-0:1.8.5-4.el8_4.s390x",
"AppStream-8.4.0.Z.MAIN.EUS:flatpak-session-helper-debuginfo-0:1.8.5-4.el8_4.x86_64",
"AppStream-8.4.0.Z.MAIN.EUS:flatpak-tests-debuginfo-0:1.8.5-4.el8_4.aarch64",
"AppStream-8.4.0.Z.MAIN.EUS:flatpak-tests-debuginfo-0:1.8.5-4.el8_4.i686",
"AppStream-8.4.0.Z.MAIN.EUS:flatpak-tests-debuginfo-0:1.8.5-4.el8_4.ppc64le",
"AppStream-8.4.0.Z.MAIN.EUS:flatpak-tests-debuginfo-0:1.8.5-4.el8_4.s390x",
"AppStream-8.4.0.Z.MAIN.EUS:flatpak-tests-debuginfo-0:1.8.5-4.el8_4.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "flatpak: Sandbox bypass via recent VFS-manipulating syscalls"
}
]
}