CVE-2021-43860

MITRE NVD CVE.ORG Print: PDF PDF

Summary

CVECVE-2021-43860
StatePUBLIC
Assigner[email protected]
Source PriorityCVE Program / NVD first with legacy fallback
Published2022-01-12 22:15:00 UTC
Updated2023-12-23 10:15:00 UTC
DescriptionFlatpak is a Linux application sandboxing and distribution framework. Prior to versions 1.12.3 and 1.10.6, Flatpak doesn't properly validate that the permissions displayed to the user for an app at install time match the actual permissions granted to the app at runtime, in the case that there's a null byte in the metadata file of an app. Therefore apps can grant themselves permissions without the consent of the user. Flatpak shows permissions to the user during install by reading them from the "xa.metadata" key in the commit metadata. This cannot contain a null terminator, because it is an untrusted GVariant. Flatpak compares these permissions to the *actual* metadata, from the "metadata" file to ensure it wasn't lied to. However, the actual metadata contents are loaded in several places where they are read as simple C-style strings. That means that, if the metadata file includes a null terminator, only the content of the file from *before* the terminator gets compared to xa.metadata. Thus, any permissions that appear in the metadata file after a null terminator are applied at runtime but not shown to the user. So maliciously crafted apps can give themselves hidden permissions. Users who have Flatpaks installed from untrusted sources are at risk in case the Flatpak has a maliciously crafted metadata file, either initially or in an update. This issue is patched in versions 1.12.3 and 1.10.6. As a workaround, users can manually check the permissions of installed apps by checking the metadata file or the xa.metadata key on the commit metadata.

Risk And Classification

Problem Types: CWE-276

NVD Known Affected Configurations (CPE 2.3)

TypeVendorProductVersionUpdateEditionLanguage
Operating System Debian Debian Linux 10.0 All All All
Operating System Debian Debian Linux 11.0 All All All
Operating System Debian Debian Linux 9.0 All All All
Operating System Fedoraproject Fedora 35 All All All
Application Flatpak Flatpak All All All All
Application Flatpak Flatpak All All All All
Operating System Redhat Enterprise Linux 8.0 All All All

References

ReferenceSourceLinkTags
Release Release 1.12.3 · flatpak/flatpak · GitHub MISC github.com
Add test for metadata validation · flatpak/flatpak@54ec1a4 · GitHub MISC github.com
Require metadata in commit also for OCI remotes · flatpak/flatpak@93357d3 · GitHub MISC github.com
Debian -- Security Information -- DSA-5049-1 flatpak DEBIAN www.debian.org
Ensure that bundles have metadata on install · flatpak/flatpak@65cbfac · GitHub MISC github.com
Fix metadata file contents after null terminators being ignored · flatpak/flatpak@ba818f5 · GitHub MISC github.com
CVE-2021-43860: Permissions granted to applications can be hidden from the user at install time · Advisory · flatpak/flatpak · GitHub CONFIRM github.com
[SECURITY] Fedora 35 Update: flatpak-1.12.3-1.fc35 - package-announce - Fedora Mailing-Lists lists.fedoraproject.org
Release Release 1.10.6 · flatpak/flatpak · GitHub MISC github.com
Flatpak: Multiple Vulnerabilities (GLSA 202312-12) — Gentoo security security.gentoo.org
Transaction: Fail the resolve if xa.metadata invalid or missing · flatpak/flatpak@d9a8f9d · GitHub MISC github.com
[SECURITY] Fedora 35 Update: flatpak-1.12.3-1.fc35 - package-announce - Fedora Mailing-Lists FEDORA lists.fedoraproject.org
CVE Program record CVE.ORG www.cve.org canonical
NVD vulnerability detail NVD nvd.nist.gov canonical, analysis

Legacy QID Mappings

  • 159836 Oracle Enterprise Linux Security Update for flatpak (ELSA-2022-1792)
  • 179013 Debian Security Update for flatpak (DSA 5049-1)
  • 184374 Debian Security Update for flatpak (CVE-2021-43860)
  • 240297 Red Hat Update for flatpak (RHSA-2022:1792)
  • 282251 Fedora Security Update for flatpak (FEDORA-2022-825ca6bf2b)
  • 282319 Fedora Security Update for flatpak (FEDORA-2022-8c64cb0992)
  • 354313 Amazon Linux Security Advisory for flatpak : ALAS2022-2022-179
  • 354489 Amazon Linux Security Advisory for flatpak : ALAS2022-2022-021
  • 502084 Alpine Linux Security Update for flatpak
  • 710812 Gentoo Linux Flatpak Multiple Vulnerabilities (GLSA 202312-12)
  • 751803 SUSE Enterprise Linux Security Update for flatpak (SUSE-SU-2022:0712-1)
  • 751816 OpenSUSE Security Update for flatpak (openSUSE-SU-2022:0712-1)
  • 752593 SUSE Enterprise Linux Security Update for flatpak (SUSE-SU-2022:3284-1)
  • 940529 AlmaLinux Security Update for flatpak (ALSA-2022:1792)
  • 960317 Rocky Linux Security Update for flatpak (RLSA-2022:1792)
© CVE.report 2026 |

Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.

CVE, CWE, and OVAL are registred trademarks of The MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under the following license.

CVE.report and Source URL Uptime Status status.cve.report