CVE-2017-9780
Summary
| CVE | CVE-2017-9780 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2017-06-21 15:29:00 UTC |
| Updated | 2019-10-03 00:03:00 UTC |
| Description | In Flatpak before 0.8.7, a third-party app repository could include malicious apps that contain files with inappropriate permissions, for example setuid or world-writable. The files are deployed with those permissions, which would let a local attacker run the setuid executable or write to the world-writable location. In the case of the "system helper" component, files deployed as part of the app are owned by root, so in the worst case they could be setuid root. |
Risk And Classification
Problem Types: CWE-732
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Operating System | Debian | Debian Linux | 9.0 | All | All | All |
| Application | Flatpak | Flatpak | All | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| handling suid/world-writable content · Issue #845 · flatpak/flatpak · GitHub | CONFIRM | github.com | Issue Tracking, Patch, Third Party Advisory |
| Flatpak CVE-2017-9780 Local Privilege Escalation Vulnerability | BID | www.securityfocus.com | Third Party Advisory, VDB Entry |
| Debian -- Security Information -- DSA-3895-1 flatpak | DEBIAN | www.debian.org | Third Party Advisory |
| #865413 - flatpak: CVE-2017-9780: Flatpak security issue - Debian Bug report logs | CONFIRM | bugs.debian.org | Issue Tracking, Patch, Third Party Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.