What is CVE-2022-21682?

CVE-2022-21682 is a path traversal vulnerability in Flatpak, a Linux application sandboxing and distribution framework.

Which versions of Flatpak are affected by CVE-2022-21682?

Versions of Flatpak prior to 1.12.3 and 1.10.6 are affected by CVE-2022-21682.

What is the severity of CVE-2022-21682?

The severity of CVE-2022-21682 is high, with a CVSS score of 6.5.

How can I fix CVE-2022-21682?

To fix CVE-2022-21682, you should update Flatpak to version 1.12.3 or 1.10.6 or later.

Where can I find more information about CVE-2022-21682?

More information about CVE-2022-21682 can be found in the Flatpak security advisories on GitHub.

Vulnerability/
CVE-2022-21682

high

7.7

CWE

13/1/2022

23/12/2023

CVE-2022-21682: flatpak-builder can access files outside the build directory.

First published: Thu Jan 13 2022(Updated: )

Flatpak is a Linux application sandboxing and distribution framework. A path traversal vulnerability affects versions of Flatpak prior to 1.12.3 and 1.10.6. flatpak-builder applies `finish-args` last in the build. At this point the build directory will have the full access that is specified in the manifest, so running `flatpak build` against it will gain those permissions. Normally this will not be done, so this is not problem. However, if `--mirror-screenshots-url` is specified, then flatpak-builder will launch `flatpak build --nofilesystem=host appstream-utils mirror-screenshots` after finalization, which can lead to issues even with the `--nofilesystem=host` protection. In normal use, the only issue is that these empty directories can be created wherever the user has write permissions. However, a malicious application could replace the `appstream-util` binary and potentially do something more hostile. This has been resolved in Flatpak 1.12.3 and 1.10.6 by changing the behaviour of `--nofilesystem=home` and `--nofilesystem=host`.

Credit: security-advisories@github.com security-advisories@github.com

Affected Software	Affected Version	How to fix
Flatpak Flatpak	<1.10.7
Flatpak Flatpak	>=1.11.1<1.12.4
Flatpak Flatpak-builder	<1.2.2
Fedoraproject Fedora	=35
Redhat Enterprise Linux	=8.0
Debian Debian Linux	=9.0
Debian Debian Linux	=10.0
Debian Debian Linux	=11.0
debian/flatpak	<=1.2.5-0+deb10u4	1.10.8-0+deb11u1 1.10.7-0+deb11u1 1.14.4-1 1.14.5-1

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is CVE-2022-21682?
CVE-2022-21682 is a path traversal vulnerability in Flatpak, a Linux application sandboxing and distribution framework.
Which versions of Flatpak are affected by CVE-2022-21682?
Versions of Flatpak prior to 1.12.3 and 1.10.6 are affected by CVE-2022-21682.
What is the severity of CVE-2022-21682?
The severity of CVE-2022-21682 is high, with a CVSS score of 6.5.
How can I fix CVE-2022-21682?
To fix CVE-2022-21682, you should update Flatpak to version 1.12.3 or 1.10.6 or later.
Where can I find more information about CVE-2022-21682?
More information about CVE-2022-21682 can be found in the Flatpak security advisories on GitHub.

agent/author
agent/description
agent/event
agent/first-publish-date
agent/last-modified-date
agent/references
agent/remedy
agent/severity
agent/softwarecombine
agent/tags
agent/title
agent/type
agent/weakness
collector/mitre-cve
collector/nvd-api
source/NVD
agent/software-canonical-lookup
collector/nvd-index
collector/security-tracker-debian
vendor/flatpak
canonical/flatpak flatpak
version/flatpak flatpak/1.11.1
canonical/flatpak flatpak-builder
vendor/fedoraproject
canonical/fedoraproject fedora
version/fedoraproject fedora/35
vendor/redhat
canonical/redhat enterprise linux
version/redhat enterprise linux/8.0
vendor/debian
canonical/debian debian linux
version/debian debian linux/9.0
version/debian debian linux/10.0
version/debian debian linux/11.0
package-manager/debian