CVE-2021-21381

Summary

CVE: CVE-2021-21381
State: PUBLIC
Assigner: [email protected]
Source Priority: CVE Program / NVD first with legacy fallback
Published: 2021-03-11 17:15:00 UTC
Updated: 2023-12-23 10:15:00 UTC
Description: Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. Flatpak since version 0.9.4 and before version 1.10.2 has a vulnerability in the "file forwarding" feature which can be used by an attacker to gain access to files that would not ordinarily be allowed by the app's permissions. By putting the special tokens `@@` and/or `@@u` in the Exec field of a Flatpak app's .desktop file, a malicious app publisher can trick flatpak into behaving as though the user had chosen to open a target file with their Flatpak app, which automatically makes that file available to the Flatpak app. This is fixed in version 1.10.2. A minimal solution is the first commit "`Disallow @@ and @@U usage in desktop files`". The follow-up commits "`dir: Reserve the whole @@ prefix`" and "`dir: Refuse to export .desktop files with suspicious uses of @@ tokens`" are recommended, but not strictly required. As a workaround, avoid installing Flatpak apps from untrusted sources, or check the contents of the exported `.desktop` files in `exports/share/applications/*.desktop` (typically `~/.local/share/flatpak/exports/share/applications/*.desktop` and `/var/lib/flatpak/exports/share/applications/*.desktop`) to make sure that literal filenames do not follow `@@` or `@@u`.
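The workaround in the description is a manual inspection of exported `.desktop` files. The following POSIX shell script is an added example (not code from the flatpak project or from this record) that automates that check: it reads the `Exec=` value of each exported `.desktop` file and reports any file where something other than a `%f`/`%F`/`%u`/`%U` field code sits between the opening `@@` or `@@u` token and the closing `@@`, where the `@@` group is left unterminated, or where another `@@`-prefixed token appears (treated as reserved, following the commit "dir: Reserve the whole @@ prefix"). The two export directories it scans by default are the ones named in the description; the sample `.desktop` files at the bottom are constructed for the demo, and the exact set of conditions it flags is this script's own choice, not flatpak's.

```shell
#!/bin/sh
# Added example: report exported Flatpak .desktop files whose Exec= line
# uses the @@ / @@u file-forwarding tokens suspiciously (CVE-2021-21381).
# flatpak itself writes the tokens with only a field code in between, e.g.
#   Exec=flatpak run ... --file-forwarding org.example.App @@u %U @@
# A literal path in that position is what the advisory warns about.

# check_exec_line EXEC_VALUE
#   Returns 0 if the Exec value looks clean, 1 if it is suspicious.
check_exec_line() {
    set -f          # split the value on whitespace without glob expansion
    set -- $1
    set +f
    in_forward=0
    for tok; do
        case "$tok" in
            @@|@@u)
                # opening @@ / @@u, or the closing @@ of a forwarding group
                if [ "$in_forward" -eq 1 ]; then in_forward=0; else in_forward=1; fi
                ;;
            @@*)
                return 1    # any other @@-prefixed token: reserved, flag it
                ;;
            %f|%F|%u|%U)
                ;;          # field code: the only thing expected inside @@ ... @@
            *)
                # a literal argument inside @@ ... @@ is a forwarded filename
                [ "$in_forward" -eq 0 ] || return 1
                ;;
        esac
    done
    [ "$in_forward" -eq 0 ]     # an unterminated @@ group is suspicious too
}

# check_desktop_file PATH
#   Prints a verdict for one .desktop file; returns 1 if it is suspicious.
check_desktop_file() {
    exec_value=$(sed -n 's/^Exec=//p' "$1" | head -n 1)
    if [ -z "$exec_value" ]; then
        return 0            # no Exec line, nothing can be forwarded
    fi
    if check_exec_line "$exec_value"; then
        printf 'OK         %s\n' "$1"
        return 0
    fi
    printf 'SUSPICIOUS %s\n    Exec=%s\n' "$1" "$exec_value"
    return 1
}

# scan_exports [DIR...]
#   Checks every *.desktop file in the given directories (default: the two
#   export directories named in the advisory); returns 1 if any is suspicious.
scan_exports() {
    if [ $# -eq 0 ]; then
        set -- "$HOME/.local/share/flatpak/exports/share/applications" \
               /var/lib/flatpak/exports/share/applications
    fi
    found=0
    for dir; do
        [ -d "$dir" ] || continue
        for f in "$dir"/*.desktop; do
            [ -e "$f" ] || continue
            check_desktop_file "$f" || found=1
        done
    done
    return "$found"
}

# Demo on two constructed .desktop files (not real exports): one written the
# way flatpak writes it, one with a literal path between the @@ tokens.
demo_dir=$(mktemp -d)
cat > "$demo_dir/org.example.Good.desktop" <<'EOF'
[Desktop Entry]
Name=Good App
Exec=flatpak run --command=app --file-forwarding org.example.Good @@u %U @@
EOF
cat > "$demo_dir/org.example.Bad.desktop" <<'EOF'
[Desktop Entry]
Name=Bad App
Exec=flatpak run --command=app --file-forwarding org.example.Bad @@ /home/user/private.txt @@
EOF
scan_exports "$demo_dir" || echo "review the SUSPICIOUS entries above"
rm -rf "$demo_dir"
```

Run it with no arguments to scan the user and system export directories; a non-zero exit status means at least one file was reported. The check is deliberately strict: a `.desktop` file that is flagged is not necessarily malicious, but its `Exec=` line is not what flatpak 1.10.2 would have generated and deserves a look.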

Risk And Classification

Problem Types: CWE-74

NVD Known Affected Configurations (CPE 2.3)

Type              Vendor         Product       Version  Update  Edition  Language
Operating System  Debian         Debian Linux  10.0     All     All      All
Operating System  Fedoraproject  Fedora        33       All     All      All
Operating System  Fedoraproject  Fedora        34       All     All      All
Application       Flatpak        Flatpak       All      All     All      All

References

Reference | Source | Link | Tags
Release 1.10.2 · flatpak/flatpak · GitHub | MISC | github.com | Release Notes, Third Party Advisory
Disallow @@ and @@u magic tokens in desktop files by smcv · Pull Request #4156 · flatpak/flatpak · GitHub | MISC | github.com | Patch, Third Party Advisory
dir: Reserve the whole @@ prefix · flatpak/flatpak@eb7946b · GitHub | MISC | github.com | Patch, Third Party Advisory
Disallow @@ and @@u usage in desktop files · flatpak/flatpak@8279c58 · GitHub | MISC | github.com | Patch, Third Party Advisory
[SECURITY] Fedora 34 Update: flatpak-1.10.2-1.fc34 - package-announce - Fedora Mailing-Lists | | lists.fedoraproject.org |
[SECURITY] Fedora 33 Update: flatpak-1.10.2-1.fc33 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org |
Debian -- Security Information -- DSA-4868-1 flatpak | DEBIAN | www.debian.org | Third Party Advisory
Flatpak: Multiple Vulnerabilities (GLSA 202312-12) — Gentoo security | | security.gentoo.org |
[SECURITY] Fedora 33 Update: flatpak-1.10.2-1.fc33 - package-announce - Fedora Mailing-Lists | | lists.fedoraproject.org |
Sandbox escape via special tokens in .desktop file (flatpak#4146) · Advisory · flatpak/flatpak · GitHub | CONFIRM | github.com | Third Party Advisory
dir: Refuse to export .desktop files with suspicious uses of @@ tokens · flatpak/flatpak@a7401e6 · GitHub | MISC | github.com | Patch, Third Party Advisory
[SECURITY] Fedora 34 Update: flatpak-1.10.2-1.fc34 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org |
CVE Program record | CVE.ORG | www.cve.org | canonical
NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis

Legacy QID Mappings

  • 159127 Oracle Enterprise Linux Security Update for flatpak (ELSA-2021-1002)
  • 159140 Oracle Enterprise Linux Security Update for flatpak (ELSA-2021-1068)
  • 178523 Debian Security Update for flatpak (DSA 4868-1)
  • 180371 Debian Security Update for flatpak (CVE-2021-21381)
  • 198369 Ubuntu Security Notification for Flatpak vulnerability (USN-4951-1)
  • 239186 Red Hat Update for flatpak (RHSA-2021:1002)
  • 239205 Red Hat Update for flatpak (RHSA-2021:1074)
  • 239206 Red Hat Update for flatpak (RHSA-2021:1073)
  • 239210 Red Hat Update for flatpak (RHSA-2021:1068)
  • 257101 CentOS Security Update for flatpak (CESA-2021:1002)
  • 281511 Fedora Security Update for flatpak (FEDORA-2021-26ad138ffa)
  • 281512 Fedora Security Update for flatpak (FEDORA-2021-fe7decc595)
  • 352263 Amazon Linux Security Advisory for flatpak: ALAS2-2021-1625
  • 377061 Alibaba Cloud Linux Security Update for flatpak (ALINUX2-SA-2021:0016)
  • 377100 Alibaba Cloud Linux Security Update for flatpak (ALINUX3-SA-2021:0023)
  • 670702 EulerOS Security Update for flatpak (EulerOS-SA-2021-2460)
  • 670907 EulerOS Security Update for flatpak (EulerOS-SA-2021-2460)
  • 710812 Gentoo Linux Flatpak Multiple Vulnerabilities (GLSA 202312-12)
  • 752538 SUSE Enterprise Linux Security Update for flatpak (SUSE-SU-2022:2990-1)
  • 940181 AlmaLinux Security Update for flatpak (ALSA-2021:1068)
© CVE.report 2026