NVD脆弱性詳細

CVE-2021-21381

概要	Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. In Flatpack since version 0.9.4 and before version 1.10.2 has a vulnerability in the "file forwarding" feature which can be used by an attacker to gain access to files that would not ordinarily be allowed by the app's permissions. By putting the special tokens `@@` and/or `@@u` in the Exec field of a Flatpak app's .desktop file, a malicious app publisher can trick flatpak into behaving as though the user had chosen to open a target file with their Flatpak app, which automatically makes that file available to the Flatpak app. This is fixed in version 1.10.2. A minimal solution is the first commit "`Disallow @@ and @@U usage in desktop files`". The follow-up commits "`dir: Reserve the whole @@ prefix`" and "`dir: Refuse to export .desktop files with suspicious uses of @@ tokens`" are recommended, but not strictly required. As a workaround, avoid installing Flatpak apps from untrusted sources, or check the contents of the exported `.desktop` files in `exports/share/applications/.desktop` (typically `~/.local/share/flatpak/exports/share/applications/.desktop` and `/var/lib/flatpak/exports/share/applications/*.desktop`) to make sure that literal filenames do not follow `@@` or `@@u`.
公表日	2021年3月12日2:15
登録日	2021年3月12日10:02
最終更新日	2024年11月21日14:48

CVSS3.1 : HIGH
スコア	8.2
ベクター	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
攻撃元区分(AV)	ローカル
攻撃条件の複雑さ(AC)	低
攻撃に必要な特権レベル(PR)	不要
利用者の関与(UI)	要
影響の想定範囲(S)	変更あり
機密性への影響(C)	高
完全性への影響(I)	高
可用性への影響(A)	なし

CVSS2.0 : MEDIUM
スコア	5.8
ベクター	AV:N/AC:M/Au:N/C:P/I:P/A:N
攻撃元区分(AV)	ネットワーク
攻撃条件の複雑さ(AC)	中
攻撃前の認証要否(Au)	不要
機密性への影響(C)	低
完全性への影響(I)	低
可用性への影響(A)	なし
全ての特権を取得	いいえ
ユーザー権限を取得	いいえ
その他の権限を取得	いいえ
ユーザー操作が必要	はい

影響を受けるソフトウェアの構成

構成1		以上	以下	より上	未満
cpe:2.3:a:flatpak:flatpak::::::::		0.9.4			1.10.2

構成2		以上	以下	より上	未満
cpe:2.3:o:debian:debian_linux:10.0:::::::*

構成3	以上	以下	より上	未満
cpe:2.3:o:fedoraproject:fedora:33:::::::*
cpe:2.3:o:fedoraproject:fedora:34:::::::*

関連情報、対策とツール

No	URL	タグ
1	https://github.com/flatpak/flatpak/commit/8279c5818425b6812523e3805bbe242fb6a5d961	Patch Third Party Advisory
2	https://github.com/flatpak/flatpak/commit/8279c5818425b6812523e3805bbe242fb6a5d961	Patch Third Party Advisory
3	https://github.com/flatpak/flatpak/commit/a7401e638bf0c03102039e216ab1081922f140ae	Patch Third Party Advisory
4	https://github.com/flatpak/flatpak/commit/a7401e638bf0c03102039e216ab1081922f140ae	Patch Third Party Advisory
5	https://github.com/flatpak/flatpak/commit/eb7946bb6248923d8c90fe9b84425fef97ae580d	Patch Third Party Advisory
6	https://github.com/flatpak/flatpak/commit/eb7946bb6248923d8c90fe9b84425fef97ae580d	Patch Third Party Advisory
7	https://github.com/flatpak/flatpak/pull/4156	Patch Third Party Advisory
8	https://github.com/flatpak/flatpak/pull/4156	Patch Third Party Advisory
9	https://github.com/flatpak/flatpak/releases/tag/1.10.2	Release Notes Third Party Advisory
10	https://github.com/flatpak/flatpak/releases/tag/1.10.2	Release Notes Third Party Advisory
11	https://github.com/flatpak/flatpak/security/advisories/GHSA-xgh4-387p-hqpp	Third Party Advisory
12	https://github.com/flatpak/flatpak/security/advisories/GHSA-xgh4-387p-hqpp	Third Party Advisory
13	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2MXXLXC2DPJ45HSMTI5MZYHMYEGQN6AA/
14	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2MXXLXC2DPJ45HSMTI5MZYHMYEGQN6AA/
15	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WXNVFOIB6ZP4DGOVKAM25T6OIEP3YLGV/
16	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WXNVFOIB6ZP4DGOVKAM25T6OIEP3YLGV/
17	https://security.gentoo.org/glsa/202312-12
18	https://security.gentoo.org/glsa/202312-12
19	https://www.debian.org/security/2021/dsa-4868	Third Party Advisory
20	https://www.debian.org/security/2021/dsa-4868	Third Party Advisory

共通脆弱性一覧

JVN脆弱性情報

Flatpak におけるインジェクションに関する脆弱性

タイトル	Flatpak におけるインジェクションに関する脆弱性
概要	Flatpak には、インジェクションに関する脆弱性が存在します。
想定される影響	情報を取得される、および情報を改ざんされる可能性があります。
対策	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
公表日	2021年3月10日0:00
登録日	2021年11月24日15:53
最終更新日	2021年11月24日15:53

影響を受けるシステム

Debian

Debian GNU/Linux

Fedora Project

Fedora

Flatpak

Flatpak 0.9.4 以上 1.10.2 未満

CVE (情報セキュリティ共通脆弱性識別子)

No	名前	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2021-21381	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21381
National Vulnerability Database (NVD)
2	CVE-2021-21381	https://nvd.nist.gov/vuln/detail/CVE-2021-21381

CWE (共通脆弱性タイプ一覧)

No	名前	URL
JVNDB
1	CWE-74	https://cwe.mitre.org/data/definitions/74.html

ベンダー情報

No	名前	URL
Debian Security Advisory
1	DSA-4868-1	https://www.debian.org/security/2021/dsa-4868
Fedora Update Notification
2	FEDORA-2021-26ad138ffa	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WXNVFOIB6ZP4DGOVKAM25T6OIEP3YLGV/
3	FEDORA-2021-fe7decc595	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2MXXLXC2DPJ45HSMTI5MZYHMYEGQN6AA/
GitHub
4	dir: Refuse to export .desktop files with suspicious uses of @@ tokens	https://github.com/flatpak/flatpak/commit/a7401e638bf0c03102039e216ab1081922f140ae
5	dir: Reserve the whole @@ prefix	https://github.com/flatpak/flatpak/commit/eb7946bb6248923d8c90fe9b84425fef97ae580d
6	Disallow @@ and @@u magic tokens in desktop files #4156	https://github.com/flatpak/flatpak/pull/4156
7	Disallow @@ and @@U usage in desktop files	https://github.com/flatpak/flatpak/commit/8279c5818425b6812523e3805bbe242fb6a5d961
8	Release 1.10.2	https://github.com/flatpak/flatpak/releases/tag/1.10.2
9	Sandbox escape via special tokens in .desktop file (flatpak#4146)	https://github.com/flatpak/flatpak/security/advisories/GHSA-xgh4-387p-hqpp

変更履歴

No	変更内容	変更日
1	[2021年11月24日] 掲載	2021年11月24日15:53