CVE-2022-21682

Name of the Vulnerable Software and Affected Versions Flatpak versions prior to 1.12.3 and 1.10.6

Description A path traversal issue affects Flatpak, a Linux application sandboxing and distribution framework. The flatpak-builder applies finish-args last in the build, granting the build directory full access as specified in the manifest. Normally, this is not a problem, but if --mirror-screenshots-url is specified, flatpak-builder launches flatpak build --nofilesystem=host appstream-utils mirror-screenshots after finalization, potentially leading to issues. In normal use, empty directories can be created wherever the user has write permissions. However, a malicious application could replace the appstream-util binary and potentially do something more hostile.

Recommendations For versions prior to 1.12.3, update to version 1.12.3 or later. For versions prior to 1.10.6, update to version 1.10.6 or later. As a temporary workaround, consider avoiding the use of the --mirror-screenshots-url option until the issue is resolved. Restrict access to the appstream-util binary to minimize the risk of exploitation.