CVE-2022-21682
Public on 2022-01-13
Modified on 2024-08-09
Description
A path traversal vulnerability was found in Flatpak. This happens when flatpak-builder applies `finish-args` last in the build. At this point the build directory will have the full access that is specified in the manifest, so running `flatpak build` against it will gain those permissions.
The CVE can only be fixed by changing the behavior of a package in a way that is not backward compatible. Considering the trade-off between the stability of Amazon Linux 2 and the impact of CVE-2022-21682 a fix will not be provided at this time.
Amazon Linux recommends customers workaround the problem by not building apps from untrusted sources, or isolating flatpak-builder into a virtual machine or a securely-configured container.
The CVE can only be fixed by changing the behavior of a package in a way that is not backward compatible. Considering the trade-off between the stability of Amazon Linux 2 and the impact of CVE-2022-21682 a fix will not be provided at this time.
Amazon Linux recommends customers workaround the problem by not building apps from untrusted sources, or isolating flatpak-builder into a virtual machine or a securely-configured container.
Severity
Medium
CVSS v3 Base Score
See breakdown
Affected Packages
| Platform | Package | Release Date | Advisory | Status |
|---|---|---|---|---|
| Amazon Linux 2 - Core | flatpak | No Fix Planned | ||
| Amazon Linux 2023 | flatpak | Not Affected |
CVSS Scores
| Score Type | Score | Vector | |
|---|---|---|---|
| Amazon Linux | CVSSv3 | 7.7 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N |
| NVD | CVSSv2 | 4.0 | AV:N/AC:L/Au:S/C:N/I:P/A:N |
| NVD | CVSSv3 | 7.7 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N |