CVE-2022-21682

MITRE NVD CVE.ORG Print: PDF PDF

Summary

CVECVE-2022-21682
StatePUBLIC
Assigner[email protected]
Source PriorityCVE Program / NVD first with legacy fallback
Published2022-01-13 21:15:00 UTC
Updated2023-12-23 10:15:00 UTC
DescriptionFlatpak is a Linux application sandboxing and distribution framework. A path traversal vulnerability affects versions of Flatpak prior to 1.12.3 and 1.10.6. flatpak-builder applies `finish-args` last in the build. At this point the build directory will have the full access that is specified in the manifest, so running `flatpak build` against it will gain those permissions. Normally this will not be done, so this is not problem. However, if `--mirror-screenshots-url` is specified, then flatpak-builder will launch `flatpak build --nofilesystem=host appstream-utils mirror-screenshots` after finalization, which can lead to issues even with the `--nofilesystem=host` protection. In normal use, the only issue is that these empty directories can be created wherever the user has write permissions. However, a malicious application could replace the `appstream-util` binary and potentially do something more hostile. This has been resolved in Flatpak 1.12.3 and 1.10.6 by changing the behaviour of `--nofilesystem=home` and `--nofilesystem=host`.

Risk And Classification

Problem Types: CWE-22

NVD Known Affected Configurations (CPE 2.3)

TypeVendorProductVersionUpdateEditionLanguage
Operating System Debian Debian Linux 10.0 All All All
Operating System Debian Debian Linux 11.0 All All All
Operating System Debian Debian Linux 9.0 All All All
Operating System Fedoraproject Fedora 35 All All All
Application Flatpak Flatpak All All All All
Application Flatpak Flatpak-builder All All All All
Operating System Redhat Enterprise Linux 8.0 All All All

References

ReferenceSourceLinkTags
manpages: Document the new details of --nofilesystem behaviour. · flatpak/flatpak@4d11f77 · GitHub MISC github.com
CVE-2022-21682: flatpak-builder --mirror-screenshots-url can access files outside the build directory · Advisory · flatpak/flatpak · GitHub CONFIRM github.com
[SECURITY] Fedora 35 Update: flatpak-builder-1.2.2-1.fc35 - package-announce - Fedora Mailing-Lists lists.fedoraproject.org
Debian -- Security Information -- DSA-5049-1 flatpak DEBIAN www.debian.org
[SECURITY] Fedora 35 Update: flatpak-1.12.3-1.fc35 - package-announce - Fedora Mailing-Lists lists.fedoraproject.org
[SECURITY] Fedora 35 Update: flatpak-builder-1.2.2-1.fc35 - package-announce - Fedora Mailing-Lists FEDORA lists.fedoraproject.org
Make --nofilesystem=host/home remove access to subdirs of those · flatpak/flatpak@445bdde · GitHub MISC github.com
Flatpak: Multiple Vulnerabilities (GLSA 202312-12) — Gentoo security security.gentoo.org
[SECURITY] Fedora 35 Update: flatpak-1.12.3-1.fc35 - package-announce - Fedora Mailing-Lists FEDORA lists.fedoraproject.org
CVE Program record CVE.ORG www.cve.org canonical
NVD vulnerability detail NVD nvd.nist.gov canonical, analysis

Legacy QID Mappings

  • 160236 Oracle Enterprise Linux Security Update for flatpak-builder (ELSA-2022-7458)
  • 179013 Debian Security Update for flatpak (DSA 5049-1)
  • 240858 Red Hat Update for flatpak-builder (RHSA-2022:7458)
  • 282251 Fedora Security Update for flatpak (FEDORA-2022-825ca6bf2b)
  • 282287 Fedora Security Update for flatpak (FEDORA-2022-7e328bd66c)
  • 282319 Fedora Security Update for flatpak (FEDORA-2022-8c64cb0992)
  • 354313 Amazon Linux Security Advisory for flatpak : ALAS2022-2022-179
  • 354489 Amazon Linux Security Advisory for flatpak : ALAS2022-2022-021
  • 377898 Alibaba Cloud Linux Security Update for flatpak-builder (ALINUX3-SA-2023:0004)
  • 502085 Alpine Linux Security Update for flatpak
  • 502286 Alpine Linux Security Update for flatpak-builder
  • 671417 EulerOS Security Update for flatpak (EulerOS-SA-2022-1343)
  • 710812 Gentoo Linux Flatpak Multiple Vulnerabilities (GLSA 202312-12)
  • 751803 SUSE Enterprise Linux Security Update for flatpak (SUSE-SU-2022:0712-1)
  • 751816 OpenSUSE Security Update for flatpak (openSUSE-SU-2022:0712-1)
  • 940771 AlmaLinux Security Update for flatpak-builder (ALSA-2022:7458)
  • 960384 Rocky Linux Security Update for flatpak-builder (RLSA-2022:7458)
© CVE.report 2026 |

Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.

CVE, CWE, and OVAL are registred trademarks of The MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under the following license.

CVE.report and Source URL Uptime Status status.cve.report