{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"state":"PUBLISHED","cveId":"CVE-2022-21682","assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","assignerShortName":"GitHub_M","dateUpdated":"2024-08-03T02:46:39.409Z","dateReserved":"2021-11-16T00:00:00.000Z","datePublished":"2022-01-13T00:00:00.000Z"},"containers":{"cna":{"title":"flatpak-builder can access files outside the build directory.","providerMetadata":{"orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M","dateUpdated":"2023-12-23T10:06:21.099Z"},"descriptions":[{"lang":"en","value":"Flatpak is a Linux application sandboxing and distribution framework. A path traversal vulnerability affects versions of Flatpak prior to 1.12.3 and 1.10.6. flatpak-builder applies `finish-args` last in the build. At this point the build directory will have the full access that is specified in the manifest, so running `flatpak build` against it will gain those permissions. Normally this will not be done, so this is not a problem. However, if `--mirror-screenshots-url` is specified, then flatpak-builder will launch `flatpak build --nofilesystem=host appstream-util mirror-screenshots` after finalization, which can lead to issues even with the `--nofilesystem=host` protection. In normal use, the only issue is that these empty directories can be created wherever the user has write permissions. However, a malicious application could replace the `appstream-util` binary and potentially do something more hostile. 
This has been resolved in Flatpak 1.12.3 and 1.10.6 by changing the behaviour of `--nofilesystem=home` and `--nofilesystem=host`."}],"affected":[{"vendor":"flatpak","product":"flatpak","versions":[{"version":">= 1.11.0, < 1.12.3","status":"affected"},{"version":"< 1.10.6","status":"affected"}]}],"references":[{"url":"https://github.com/flatpak/flatpak/security/advisories/GHSA-8ch7-5j3h-g4fx"},{"url":"https://github.com/flatpak/flatpak/commit/445bddeee657fdc8d2a0a1f0de12975400d4fc1a"},{"url":"https://github.com/flatpak/flatpak/commit/4d11f77aa7fd3e64cfa80af89d92567ab9e8e6fa"},{"name":"FEDORA-2022-825ca6bf2b","tags":["vendor-advisory"],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/APFTBYGJJVJPFVHRXUW5PII5XOAFI4KH/"},{"name":"DSA-5049","tags":["vendor-advisory"],"url":"https://www.debian.org/security/2022/dsa-5049"},{"name":"FEDORA-2022-7e328bd66c","tags":["vendor-advisory"],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IXKBERLJRYV7KXKGXOLI6IOXVBQNN4DP/"},{"name":"GLSA-202312-12","tags":["vendor-advisory"],"url":"https://security.gentoo.org/glsa/202312-12"}],"metrics":[{"cvssV3_1":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"NONE","baseScore":7.7,"baseSeverity":"HIGH"}}],"problemTypes":[{"descriptions":[{"type":"CWE","lang":"en","description":"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","cweId":"CWE-22"}]}],"source":{"advisory":"GHSA-8ch7-5j3h-g4fx","discovery":"UNKNOWN"}},"adp":[{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-03T02:46:39.409Z"},"title":"CVE Program 
Container","references":[{"url":"https://github.com/flatpak/flatpak/security/advisories/GHSA-8ch7-5j3h-g4fx","tags":["x_transferred"]},{"url":"https://github.com/flatpak/flatpak/commit/445bddeee657fdc8d2a0a1f0de12975400d4fc1a","tags":["x_transferred"]},{"url":"https://github.com/flatpak/flatpak/commit/4d11f77aa7fd3e64cfa80af89d92567ab9e8e6fa","tags":["x_transferred"]},{"name":"FEDORA-2022-825ca6bf2b","tags":["vendor-advisory","x_transferred"],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/APFTBYGJJVJPFVHRXUW5PII5XOAFI4KH/"},{"name":"DSA-5049","tags":["vendor-advisory","x_transferred"],"url":"https://www.debian.org/security/2022/dsa-5049"},{"name":"FEDORA-2022-7e328bd66c","tags":["vendor-advisory","x_transferred"],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IXKBERLJRYV7KXKGXOLI6IOXVBQNN4DP/"},{"name":"GLSA-202312-12","tags":["vendor-advisory","x_transferred"],"url":"https://security.gentoo.org/glsa/202312-12"}]}]}}