CVE-2017-9780

21.06.2017, 15:29

In Flatpak before 0.8.7, a third-party app repository could include malicious apps that contain files with inappropriate permissions, for example setuid or world-writable. The files are deployed with those permissions, which would let a local attacker run the setuid executable or write to the world-writable location. In the case of the "system helper" component, files deployed as part of the app are owned by root, so in the worst case they could be setuid root.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	7.8 HIGH	LOCAL	LOW	LOW	CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
mitre	CNA	---				---
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 29%

Vendor	Product	Version
flatpak	flatpak	𝑥 ≤ 0.8.6
debian	debian_linux	9.0

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

flatpak

bullseye (security)	1.10.8-0+deb11u2 fixed
bullseye	1.10.8-0+deb11u2 fixed
bookworm	1.14.10-1~deb12u1 fixed
bookworm (security)	1.14.10-1~deb12u1 fixed
sid	1.14.10-1 fixed
trixie	1.14.10-1 fixed

Ubuntu Releases

Ubuntu Product

Codename

flatpak

cosmic	not-affected
bionic	not-affected
artful	ignored
zesty	ignored
yakkety	ignored
xenial	dne
trusty	dne

Common Weakness Enumeration

CWE-732 - Incorrect Permission Assignment for Critical Resource
The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

References

http://www.debian.org/security/2017/dsa-3895

http://www.securityfocus.com/bid/99346

https://bugs.debian.org/865413

https://github.com/flatpak/flatpak/issues/845

http://www.debian.org/security/2017/dsa-3895

http://www.securityfocus.com/bid/99346

https://bugs.debian.org/865413

https://github.com/flatpak/flatpak/issues/845