{
  "api_version": "1",
  "generated_at": "2026-04-12T00:29:52+00:00",
  "cve": "CVE-2021-21381",
  "urls": {
    "html": "https://cve.report/CVE-2021-21381",
    "api": "https://cve.report/api/cve/CVE-2021-21381.json",
    "docs": "https://cve.report/api",
    "cve_org": "https://www.cve.org/CVERecord?id=CVE-2021-21381",
    "nvd": "https://nvd.nist.gov/vuln/detail/CVE-2021-21381"
  },
  "summary": {
    "title": "CVE-2021-21381",
    "description": "Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. In Flatpack since version 0.9.4 and before version 1.10.2 has a vulnerability in the \"file forwarding\" feature which can be used by an attacker to gain access to files that would not ordinarily be allowed by the app's permissions. By putting the special tokens `@@` and/or `@@u` in the Exec field of a Flatpak app's .desktop file, a malicious app publisher can trick flatpak into behaving as though the user had chosen to open a target file with their Flatpak app, which automatically makes that file available to the Flatpak app. This is fixed in version 1.10.2. A minimal solution is the first commit \"`Disallow @@ and @@U usage in desktop files`\". The follow-up commits \"`dir: Reserve the whole @@ prefix`\" and \"`dir: Refuse to export .desktop files with suspicious uses of @@ tokens`\" are recommended, but not strictly required. As a workaround, avoid installing Flatpak apps from untrusted sources, or check the contents of the exported `.desktop` files in `exports/share/applications/*.desktop` (typically `~/.local/share/flatpak/exports/share/applications/*.desktop` and `/var/lib/flatpak/exports/share/applications/*.desktop`) to make sure that literal filenames do not follow `@@` or `@@u`.",
    "state": "PUBLIC",
    "assigner": "security-advisories@github.com",
    "published_at": "2021-03-11 17:15:00",
    "updated_at": "2023-12-23 10:15:00"
  },
  "problem_types": ["CWE-74"],
  "metrics": [],
  "references": [
    {
      "url": "https://github.com/flatpak/flatpak/releases/tag/1.10.2",
      "name": "https://github.com/flatpak/flatpak/releases/tag/1.10.2",
      "refsource": "MISC",
      "tags": ["Release Notes", "Third Party Advisory"],
      "title": "Release Release 1.10.2 · flatpak/flatpak · GitHub",
      "mime": "text/html",
      "httpstatus": "200",
      "archivestatus": "404"
    },
    {
      "url": "https://github.com/flatpak/flatpak/pull/4156",
      "name": "https://github.com/flatpak/flatpak/pull/4156",
      "refsource": "MISC",
      "tags": ["Patch", "Third Party Advisory"],
      "title": "Disallow @@ and @@u magic tokens in desktop files by smcv · Pull Request #4156 · flatpak/flatpak · GitHub",
      "mime": "text/html",
      "httpstatus": "200",
      "archivestatus": "404"
    },
    {
      "url": "https://github.com/flatpak/flatpak/commit/eb7946bb6248923d8c90fe9b84425fef97ae580d",
      "name": "https://github.com/flatpak/flatpak/commit/eb7946bb6248923d8c90fe9b84425fef97ae580d",
      "refsource": "MISC",
      "tags": ["Patch", "Third Party Advisory"],
      "title": "dir: Reserve the whole @@ prefix · flatpak/flatpak@eb7946b · GitHub",
      "mime": "text/html",
      "httpstatus": "200",
      "archivestatus": "404"
    },
    {
      "url": "https://github.com/flatpak/flatpak/commit/8279c5818425b6812523e3805bbe242fb6a5d961",
      "name": "https://github.com/flatpak/flatpak/commit/8279c5818425b6812523e3805bbe242fb6a5d961",
      "refsource": "MISC",
      "tags": ["Patch", "Third Party Advisory"],
      "title": "Disallow @@ and @@u usage in desktop files · flatpak/flatpak@8279c58 · GitHub",
      "mime": "text/html",
      "httpstatus": "200",
      "archivestatus": "404"
    },
    {
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2MXXLXC2DPJ45HSMTI5MZYHMYEGQN6AA/",
      "name": "FEDORA-2021-fe7decc595",
      "refsource": "",
      "tags": [],
      "title": "[SECURITY] Fedora 34 Update: flatpak-1.10.2-1.fc34 - package-announce - Fedora Mailing-Lists",
      "mime": "text/html",
      "httpstatus": "200",
      "archivestatus": "200"
    },
    {
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WXNVFOIB6ZP4DGOVKAM25T6OIEP3YLGV/",
      "name": "FEDORA-2021-26ad138ffa",
      "refsource": "FEDORA",
      "tags": [],
      "title": "[SECURITY] Fedora 33 Update: flatpak-1.10.2-1.fc33 - package-announce - Fedora Mailing-Lists",
      "mime": "text/html",
      "httpstatus": "200",
      "archivestatus": "404"
    },
    {
      "url": "https://www.debian.org/security/2021/dsa-4868",
      "name": "DSA-4868",
      "refsource": "DEBIAN",
      "tags": ["Third Party Advisory"],
      "title": "Debian -- Security Information -- DSA-4868-1 flatpak",
      "mime": "text/html",
      "httpstatus": "200",
      "archivestatus": "200"
    },
    {
      "url": "https://security.gentoo.org/glsa/202312-12",
      "name": "GLSA-202312-12",
      "refsource": "",
      "tags": [],
      "title": "Flatpak: Multiple Vulnerabilities (GLSA 202312-12) — Gentoo security",
      "mime": "text/html",
      "httpstatus": "200",
      "archivestatus": "200"
    },
    {
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WXNVFOIB6ZP4DGOVKAM25T6OIEP3YLGV/",
      "name": "FEDORA-2021-26ad138ffa",
      "refsource": "",
      "tags": [],
      "title": "[SECURITY] Fedora 33 Update: flatpak-1.10.2-1.fc33 - package-announce - Fedora Mailing-Lists",
      "mime": "text/html",
      "httpstatus": "200",
      "archivestatus": "200"
    },
    {
      "url": "https://github.com/flatpak/flatpak/security/advisories/GHSA-xgh4-387p-hqpp",
      "name": "https://github.com/flatpak/flatpak/security/advisories/GHSA-xgh4-387p-hqpp",
      "refsource": "CONFIRM",
      "tags": ["Third Party Advisory"],
      "title": "Sandbox escape via special tokens in .desktop file (flatpak#4146) · Advisory · flatpak/flatpak · GitHub",
      "mime": "text/html",
      "httpstatus": "200",
      "archivestatus": "0"
    },
    {
      "url": "https://github.com/flatpak/flatpak/commit/a7401e638bf0c03102039e216ab1081922f140ae",
      "name": "https://github.com/flatpak/flatpak/commit/a7401e638bf0c03102039e216ab1081922f140ae",
      "refsource": "MISC",
      "tags": ["Patch", "Third Party Advisory"],
      "title": "dir: Refuse to export .desktop files with suspicious uses of @@ tokens · flatpak/flatpak@a7401e6 · GitHub",
      "mime": "text/html",
      "httpstatus": "200",
      "archivestatus": "404"
    },
    {
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2MXXLXC2DPJ45HSMTI5MZYHMYEGQN6AA/",
      "name": "FEDORA-2021-fe7decc595",
      "refsource": "FEDORA",
      "tags": [],
      "title": "[SECURITY] Fedora 34 Update: flatpak-1.10.2-1.fc34 - package-announce - Fedora Mailing-Lists",
      "mime": "text/html",
      "httpstatus": "200",
      "archivestatus": "404"
    },
    {
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-21381",
      "name": "CVE Program record",
      "refsource": "CVE.ORG",
      "tags": ["canonical"]
    },
    {
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21381",
      "name": "NVD vulnerability detail",
      "refsource": "NVD",
      "tags": ["canonical", "analysis"]
    }
  ],
  "affected": [],
  "timeline": [],
  "solutions": [],
  "workarounds": [],
  "exploits": [],
  "credits": [],
  "nvd_cpes": [
    {"cve_year": "2021", "cve_id": "21381", "vulnerable": "1", "versionEndIncluding": "", "cpe1": "cpe", "cpe2": "2.3", "cpe3": "o", "cpe4": "debian", "cpe5": "debian_linux", "cpe6": "10.0", "cpe7": "*", "cpe8": "*", "cpe9": "*", "cpe10": "*", "cpe11": "*", "cpe12": "*", "cpe13": "*"},
    {"cve_year": "2021", "cve_id": "21381", "vulnerable": "1", "versionEndIncluding": "", "cpe1": "cpe", "cpe2": "2.3", "cpe3": "o", "cpe4": "fedoraproject", "cpe5": "fedora", "cpe6": "33", "cpe7": "*", "cpe8": "*", "cpe9": "*", "cpe10": "*", "cpe11": "*", "cpe12": "*", "cpe13": "*"},
    {"cve_year": "2021", "cve_id": "21381", "vulnerable": "1", "versionEndIncluding": "", "cpe1": "cpe", "cpe2": "2.3", "cpe3": "o", "cpe4": "fedoraproject", "cpe5": "fedora", "cpe6": "34", "cpe7": "*", "cpe8": "*", "cpe9": "*", "cpe10": "*", "cpe11": "*", "cpe12": "*", "cpe13": "*"},
    {"cve_year": "2021", "cve_id": "21381", "vulnerable": "1", "versionEndIncluding": "", "cpe1": "cpe", "cpe2": "2.3", "cpe3": "a", "cpe4": "flatpak", "cpe5": "flatpak", "cpe6": "*", "cpe7": "*", "cpe8": "*", "cpe9": "*", "cpe10": "*", "cpe11": "*", "cpe12": "*", "cpe13": "*"}
  ],
  "vendor_comments": [],
  "enrichments": {
    "kev": null,
    "epss": null,
    "legacy_qids": [
      {"cve": "CVE-2021-21381", "qid": "159127", "title": "Oracle Enterprise Linux Security Update for flatpak (ELSA-2021-1002)"},
      {"cve": "CVE-2021-21381", "qid": "159140", "title": "Oracle Enterprise Linux Security Update for flatpak (ELSA-2021-1068)"},
      {"cve": "CVE-2021-21381", "qid": "178523", "title": "Debian Security Update for flatpak (DSA 4868-1)"},
      {"cve": "CVE-2021-21381", "qid": "180371", "title": "Debian Security Update for flatpak (CVE-2021-21381)"},
      {"cve": "CVE-2021-21381", "qid": "198369", "title": "Ubuntu Security Notification for Flatpak vulnerability (USN-4951-1)"},
      {"cve": "CVE-2021-21381", "qid": "239186", "title": "Red Hat Update for flatpak (RHSA-2021:1002)"},
      {"cve": "CVE-2021-21381", "qid": "239205", "title": "Red Hat Update for flatpak (RHSA-2021:1074)"},
      {"cve": "CVE-2021-21381", "qid": "239206", "title": "Red Hat Update for flatpak (RHSA-2021:1073)"},
      {"cve": "CVE-2021-21381", "qid": "239210", "title": "Red Hat Update for flatpak (RHSA-2021:1068)"},
      {"cve": "CVE-2021-21381", "qid": "257101", "title": "CentOS Security Update for flatpak (CESA-2021:1002)"},
      {"cve": "CVE-2021-21381", "qid": "281511", "title": "Fedora Security Update for flatpak (FEDORA-2021-26ad138ffa)"},
      {"cve": "CVE-2021-21381", "qid": "281512", "title": "Fedora Security Update for flatpak (FEDORA-2021-fe7decc595)"},
      {"cve": "CVE-2021-21381", "qid": "352263", "title": "Amazon Linux Security Advisory for flatpak: ALAS2-2021-1625"},
      {"cve": "CVE-2021-21381", "qid": "377061", "title": "Alibaba Cloud Linux Security Update for flatpak (ALINUX2-SA-2021:0016)"},
      {"cve": "CVE-2021-21381", "qid": "377100", "title": "Alibaba Cloud Linux Security Update for flatpak (ALINUX3-SA-2021:0023)"},
      {"cve": "CVE-2021-21381", "qid": "670702", "title": "EulerOS Security Update for flatpak (EulerOS-SA-2021-2460)"},
      {"cve": "CVE-2021-21381", "qid": "670907", "title": "EulerOS Security Update for flatpak (EulerOS-SA-2021-2460)"},
      {"cve": "CVE-2021-21381", "qid": "710812", "title": "Gentoo Linux Flatpak Multiple Vulnerabilities (GLSA 202312-12)"},
      {"cve": "CVE-2021-21381", "qid": "752538", "title": "SUSE Enterprise Linux Security Update for flatpak (SUSE-SU-2022:2990-1)"},
      {"cve": "CVE-2021-21381", "qid": "940181", "title": "AlmaLinux Security Update for flatpak (ALSA-2021:1068)"}
    ]
  },
  "source_records": {
    "cve_program": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2021-21381",
        "STATE": "PUBLIC",
        "TITLE": "Sandbox escape via special tokens in .desktop file"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "flatpak",
                    "version": {
                      "version_data": [
                        {"version_value": ">= 0.9.4, < 1.10.2"}
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "flatpak"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. In Flatpack since version 0.9.4 and before version 1.10.2 has a vulnerability in the \"file forwarding\" feature which can be used by an attacker to gain access to files that would not ordinarily be allowed by the app's permissions. By putting the special tokens `@@` and/or `@@u` in the Exec field of a Flatpak app's .desktop file, a malicious app publisher can trick flatpak into behaving as though the user had chosen to open a target file with their Flatpak app, which automatically makes that file available to the Flatpak app. This is fixed in version 1.10.2. A minimal solution is the first commit \"`Disallow @@ and @@U usage in desktop files`\". The follow-up commits \"`dir: Reserve the whole @@ prefix`\" and \"`dir: Refuse to export .desktop files with suspicious uses of @@ tokens`\" are recommended, but not strictly required. As a workaround, avoid installing Flatpak apps from untrusted sources, or check the contents of the exported `.desktop` files in `exports/share/applications/*.desktop` (typically `~/.local/share/flatpak/exports/share/applications/*.desktop` and `/var/lib/flatpak/exports/share/applications/*.desktop`) to make sure that literal filenames do not follow `@@` or `@@u`."
          }
        ]
      },
      "impact": {
        "cvss": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "NONE",
          "baseScore": 7.1,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "LOW",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:N",
          "version": "3.1"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {"name": "https://github.com/flatpak/flatpak/security/advisories/GHSA-xgh4-387p-hqpp", "refsource": "CONFIRM", "url": "https://github.com/flatpak/flatpak/security/advisories/GHSA-xgh4-387p-hqpp"},
          {"name": "https://github.com/flatpak/flatpak/pull/4156", "refsource": "MISC", "url": "https://github.com/flatpak/flatpak/pull/4156"},
          {"name": "https://github.com/flatpak/flatpak/commit/8279c5818425b6812523e3805bbe242fb6a5d961", "refsource": "MISC", "url": "https://github.com/flatpak/flatpak/commit/8279c5818425b6812523e3805bbe242fb6a5d961"},
          {"name": "https://github.com/flatpak/flatpak/commit/a7401e638bf0c03102039e216ab1081922f140ae", "refsource": "MISC", "url": "https://github.com/flatpak/flatpak/commit/a7401e638bf0c03102039e216ab1081922f140ae"},
          {"name": "https://github.com/flatpak/flatpak/commit/eb7946bb6248923d8c90fe9b84425fef97ae580d", "refsource": "MISC", "url": "https://github.com/flatpak/flatpak/commit/eb7946bb6248923d8c90fe9b84425fef97ae580d"},
          {"name": "https://github.com/flatpak/flatpak/releases/tag/1.10.2", "refsource": "MISC", "url": "https://github.com/flatpak/flatpak/releases/tag/1.10.2"},
          {"refsource": "DEBIAN", "name": "DSA-4868", "url": "https://www.debian.org/security/2021/dsa-4868"},
          {"refsource": "FEDORA", "name": "FEDORA-2021-26ad138ffa", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WXNVFOIB6ZP4DGOVKAM25T6OIEP3YLGV/"},
          {"refsource": "FEDORA", "name": "FEDORA-2021-fe7decc595", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2MXXLXC2DPJ45HSMTI5MZYHMYEGQN6AA/"}
        ]
      },
      "source": {
        "advisory": "GHSA-xgh4-387p-hqpp",
        "discovery": "UNKNOWN"
      }
    },
    "nvd": {
      "publishedDate": "2021-03-11 17:15:00",
      "lastModifiedDate": "2023-12-23 10:15:00",
      "problem_types": ["CWE-74"],
      "metrics": {
        "baseMetricV3": {
          "cvssV3": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N",
            "attackVector": "LOCAL",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "REQUIRED",
            "scope": "CHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "NONE",
            "baseScore": 8.2,
            "baseSeverity": "HIGH"
          },
          "exploitabilityScore": 1.8,
          "impactScore": 5.8
        },
        "baseMetricV2": {
          "cvssV2": {
            "version": "2.0",
            "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
            "accessVector": "NETWORK",
            "accessComplexity": "MEDIUM",
            "authentication": "NONE",
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "availabilityImpact": "NONE",
            "baseScore": 5.8
          },
          "severity": "MEDIUM",
          "exploitabilityScore": 8.6,
          "impactScore": 4.9,
          "acInsufInfo": false,
          "obtainAllPrivilege": false,
          "obtainUserPrivilege": false,
          "obtainOtherPrivilege": false,
          "userInteractionRequired": true
        }
      },
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "operator": "OR",
            "children": [],
            "cpe_match": [
              {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:flatpak:flatpak:*:*:*:*:*:*:*:*", "versionStartIncluding": "0.9.4", "versionEndExcluding": "1.10.2", "cpe_name": []}
            ]
          },
          {
            "operator": "OR",
            "children": [],
            "cpe_match": [
              {"vulnerable": true, "cpe23Uri": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "cpe_name": []}
            ]
          },
          {
            "operator": "OR",
            "children": [],
            "cpe_match": [
              {"vulnerable": true, "cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*", "cpe_name": []},
              {"vulnerable": true, "cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*", "cpe_name": []}
            ]
          }
        ]
      }
    },
    "legacy_mitre": {
      "record": {
        "CveYear": "2021",
        "CveId": "21381",
        "Ordinal": "195507",
        "Title": "CVE-2021-21381",
        "CVE": "CVE-2021-21381",
        "Year": "2021"
      },
      "notes": [
        {
          "CveYear": "2021",
          "CveId": "21381",
          "Ordinal": "1",
          "NoteData": "Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. In Flatpack since version 0.9.4 and before version 1.10.2 has a vulnerability in the \"file forwarding\" feature which can be used by an attacker to gain access to files that would not ordinarily be allowed by the app's permissions. By putting the special tokens `@@` and/or `@@u` in the Exec field of a Flatpak app's .desktop file, a malicious app publisher can trick flatpak into behaving as though the user had chosen to open a target file with their Flatpak app, which automatically makes that file available to the Flatpak app. This is fixed in version 1.10.2. A minimal solution is the first commit \"`Disallow @@ and @@U usage in desktop files`\". The follow-up commits \"`dir: Reserve the whole @@ prefix`\" and \"`dir: Refuse to export .desktop files with suspicious uses of @@ tokens`\" are recommended, but not strictly required. As a workaround, avoid installing Flatpak apps from untrusted sources, or check the contents of the exported `.desktop` files in `exports/share/applications/*.desktop` (typically `~/.local/share/flatpak/exports/share/applications/*.desktop` and `/var/lib/flatpak/exports/share/applications/*.desktop`) to make sure that literal filenames do not follow `@@` or `@@u`.",
          "Type": "Description",
          "Title": null
        },
        {"CveYear": "2021", "CveId": "21381", "Ordinal": "2", "NoteData": "2021-03-11", "Type": "Other", "Title": "Published"},
        {"CveYear": "2021", "CveId": "21381", "Ordinal": "3", "NoteData": "2021-03-19", "Type": "Other", "Title": "Modified"}
      ]
    }
  }
}