CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
AI Score
Confidence
High
EPSS
Percentile
13.0%
A flaw was found in Flatpak, a system for building, distributing, and running sandboxed desktop applications on Linux. Normally, the “–command” argument of “flatpak run” expects being given a command to run in the specified Flatpak app, along with optional arguments. However, it is possible to pass bwrap arguments to “–command=” instead, such as “–bind”. It is possible to pass an arbitrary “commandline” to the portal interface “org.freedesktop.portal.Background.RequestBackground” within the Flatpak app. This is normally safe because it can only specify a command that exists inside the sandbox. When a crafted “commandline” is converted into a “–command” and arguments, the app could achieve the same effect of passing arguments directly to bwrap to achieve sandbox escape.
Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.