Vulnerability-Lookup

CVE-2024-32462 (GCVE-0-2024-32462)

Vulnerability from cvelistv5 – Published: 2024-04-18 18:11 – Updated: 2025-12-16 18:13

Title

Flatpak vulnerable to a sandbox escape via RequestBackground portal due to bad argument parsing

Summary

Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. in versions before 1.10.9, 1.12.9, 1.14.6, and 1.15.8, a malicious or compromised Flatpak app could execute arbitrary code outside its sandbox. Normally, the `--command` argument of `flatpak run` expects to be given a command to run in the specified Flatpak app, optionally along with some arguments. However it is possible to instead pass `bwrap` arguments to `--command=`, such as `--bind`. It's possible to pass an arbitrary `commandline` to the portal interface `org.freedesktop.portal.Background.RequestBackground` from within a Flatpak app. When this is converted into a `--command` and arguments, it achieves the same effect of passing arguments directly to `bwrap`, and thus can be used for a sandbox escape. The solution is to pass the `--` argument to `bwrap`, which makes it stop processing options. This has been supported since bubblewrap 0.3.0. All supported versions of Flatpak require at least that version of bubblewrap. xdg-desktop-portal version 1.18.4 will mitigate this vulnerability by only allowing Flatpak apps to create .desktop files for commands that do not start with --. The vulnerability is patched in 1.15.8, 1.10.9, 1.12.9, and 1.14.6.

Severity

8.4 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

CWE

CWE-88 - Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')

Assigner

GitHub_M

References

8 references

URL	Tags
https://github.com/flatpak/flatpak/security/advis…	x_refsource_CONFIRM
https://github.com/flatpak/flatpak/commit/72016e3…	x_refsource_MISC
https://github.com/flatpak/flatpak/commit/81abe2a…	x_refsource_MISC
https://github.com/flatpak/flatpak/commit/b7c1a55…	x_refsource_MISC
https://github.com/flatpak/flatpak/commit/bbab7ed…	x_refsource_MISC
https://lists.fedoraproject.org/archives/list/pac…
https://lists.fedoraproject.org/archives/list/pac…
http://www.openwall.com/lists/oss-security/2024/04/18/5

Impacted products

1 product

Vendor	Product	Version
flatpak	flatpak	Affected: < 1.10.9 Affected: >= 1.12.0, < 1.12.9 Affected: >= 1.14.0, < 1.14.6 Affected: >= 1.15.0, < 1.15.8

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:flatpak:flatpak:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "flatpak",
            "vendor": "flatpak",
            "versions": [
              {
                "lessThan": "1.15.8",
                "status": "affected",
                "version": "1.15.0",
                "versionType": "semver"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-32462",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-04-20T04:00:12.336436Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-12-16T18:13:22.363Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T02:13:39.161Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/flatpak/flatpak/security/advisories/GHSA-phv6-cpc2-2fgj",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/flatpak/flatpak/security/advisories/GHSA-phv6-cpc2-2fgj"
          },
          {
            "name": "https://github.com/flatpak/flatpak/commit/72016e3fce8fcbeab707daf4f1a02b931fcc004d",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/flatpak/flatpak/commit/72016e3fce8fcbeab707daf4f1a02b931fcc004d"
          },
          {
            "name": "https://github.com/flatpak/flatpak/commit/81abe2a37d363f5099c3d0bdcd0caad6efc5bf97",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/flatpak/flatpak/commit/81abe2a37d363f5099c3d0bdcd0caad6efc5bf97"
          },
          {
            "name": "https://github.com/flatpak/flatpak/commit/b7c1a558e58aaeb1d007d29529bbb270dc4ff11e",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/flatpak/flatpak/commit/b7c1a558e58aaeb1d007d29529bbb270dc4ff11e"
          },
          {
            "name": "https://github.com/flatpak/flatpak/commit/bbab7ed1e672356d1a78b422462b210e8e875931",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/flatpak/flatpak/commit/bbab7ed1e672356d1a78b422462b210e8e875931"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZFNSCFJVMAQK5AF55JBN7OSJP3CREDBD/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IB6VQAF5S2YOBULDHPUKPOEIKONOP5KO/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2024/04/18/5"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "flatpak",
          "vendor": "flatpak",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.10.9"
            },
            {
              "status": "affected",
              "version": "\u003e= 1.12.0, \u003c 1.12.9"
            },
            {
              "status": "affected",
              "version": "\u003e= 1.14.0, \u003c 1.14.6"
            },
            {
              "status": "affected",
              "version": "\u003e= 1.15.0, \u003c 1.15.8"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. in versions before 1.10.9, 1.12.9, 1.14.6, and 1.15.8, a malicious or compromised Flatpak app could execute arbitrary code outside its sandbox. Normally, the `--command` argument of `flatpak run` expects to be given a command to run in the specified Flatpak app, optionally along with some arguments. However it is possible to instead pass `bwrap` arguments to `--command=`, such as `--bind`. It\u0027s possible to pass an arbitrary `commandline` to the portal interface `org.freedesktop.portal.Background.RequestBackground` from within a Flatpak app. When this is converted into a `--command` and arguments, it achieves the same effect of passing arguments directly to `bwrap`, and thus can be used for a sandbox escape. The solution is to pass the `--` argument to `bwrap`, which makes it stop processing options. This has been supported since bubblewrap 0.3.0. All supported versions of Flatpak require at least that version of bubblewrap. xdg-desktop-portal version 1.18.4 will mitigate this vulnerability by only allowing Flatpak apps to create .desktop files for commands that do not start with --. The vulnerability is patched in 1.15.8, 1.10.9, 1.12.9, and 1.14.6."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 8.4,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-88",
              "description": "CWE-88: Improper Neutralization of Argument Delimiters in a Command (\u0027Argument Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-05-01T18:07:39.466Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/flatpak/flatpak/security/advisories/GHSA-phv6-cpc2-2fgj",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/flatpak/flatpak/security/advisories/GHSA-phv6-cpc2-2fgj"
        },
        {
          "name": "https://github.com/flatpak/flatpak/commit/72016e3fce8fcbeab707daf4f1a02b931fcc004d",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/flatpak/flatpak/commit/72016e3fce8fcbeab707daf4f1a02b931fcc004d"
        },
        {
          "name": "https://github.com/flatpak/flatpak/commit/81abe2a37d363f5099c3d0bdcd0caad6efc5bf97",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/flatpak/flatpak/commit/81abe2a37d363f5099c3d0bdcd0caad6efc5bf97"
        },
        {
          "name": "https://github.com/flatpak/flatpak/commit/b7c1a558e58aaeb1d007d29529bbb270dc4ff11e",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/flatpak/flatpak/commit/b7c1a558e58aaeb1d007d29529bbb270dc4ff11e"
        },
        {
          "name": "https://github.com/flatpak/flatpak/commit/bbab7ed1e672356d1a78b422462b210e8e875931",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/flatpak/flatpak/commit/bbab7ed1e672356d1a78b422462b210e8e875931"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZFNSCFJVMAQK5AF55JBN7OSJP3CREDBD/"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IB6VQAF5S2YOBULDHPUKPOEIKONOP5KO/"
        },
        {
          "url": "http://www.openwall.com/lists/oss-security/2024/04/18/5"
        }
      ],
      "source": {
        "advisory": "GHSA-phv6-cpc2-2fgj",
        "discovery": "UNKNOWN"
      },
      "title": "Flatpak vulnerable to a sandbox escape via RequestBackground portal due to bad argument parsing"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-32462",
    "datePublished": "2024-04-18T18:11:27.680Z",
    "dateReserved": "2024-04-12T19:41:51.164Z",
    "dateUpdated": "2025-12-16T18:13:22.363Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2024-32462",
      "date": "2026-05-27",
      "epss": "0.00247",
      "percentile": "0.47989"
    },
    "fkie_nvd": {
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. in versions before 1.10.9, 1.12.9, 1.14.6, and 1.15.8, a malicious or compromised Flatpak app could execute arbitrary code outside its sandbox. Normally, the `--command` argument of `flatpak run` expects to be given a command to run in the specified Flatpak app, optionally along with some arguments. However it is possible to instead pass `bwrap` arguments to `--command=`, such as `--bind`. It\u0027s possible to pass an arbitrary `commandline` to the portal interface `org.freedesktop.portal.Background.RequestBackground` from within a Flatpak app. When this is converted into a `--command` and arguments, it achieves the same effect of passing arguments directly to `bwrap`, and thus can be used for a sandbox escape. The solution is to pass the `--` argument to `bwrap`, which makes it stop processing options. This has been supported since bubblewrap 0.3.0. All supported versions of Flatpak require at least that version of bubblewrap. xdg-desktop-portal version 1.18.4 will mitigate this vulnerability by only allowing Flatpak apps to create .desktop files for commands that do not start with --. The vulnerability is patched in 1.15.8, 1.10.9, 1.12.9, and 1.14.6.\"}, {\"lang\": \"es\", \"value\": \"Flatpak es un sistema para crear, distribuir y ejecutar aplicaciones de escritorio en espacio aislado en Linux. en versiones anteriores a la 1.10.9, 1.12.9, 1.14.6 y 1.15.8, una aplicaci\\u00f3n Flatpak maliciosa o comprometida podr\\u00eda ejecutar c\\u00f3digo arbitrario fuera de su zona de pruebas. Normalmente, el argumento `--command` de `flatpak run` espera recibir un comando para ejecutar en la aplicaci\\u00f3n Flatpak especificada, opcionalmente junto con algunos argumentos. Sin embargo, es posible pasar argumentos `bwrap` a `--command=`, como `--bind`. Es posible pasar una \\\"l\\u00ednea de comando\\\" arbitraria a la interfaz del portal \\\"org.freedesktop.portal.Background.RequestBackground\\\" desde una aplicaci\\u00f3n Flatpak. Cuando esto se convierte en un `--command` y argumentos, logra el mismo efecto de pasar argumentos directamente a `bwrap` y, por lo tanto, puede usarse para un escape sandbox. La soluci\\u00f3n es pasar el argumento `--` a `bwrap`, lo que hace que deje de procesar las opciones. Esto ha sido compatible desde bubblewrap 0.3.0. Todas las versiones compatibles de Flatpak requieren al menos esa versi\\u00f3n de bubblewrap. xdg-desktop-portal versi\\u00f3n 1.18.4 mitigar\\u00e1 esta vulnerabilidad al permitir que las aplicaciones Flatpak solo creen archivos .desktop para comandos que no comiencen con --. La vulnerabilidad est\\u00e1 parcheada en 1.15.8, 1.10.9, 1.12.9 y 1.14.6.\"}]",
      "id": "CVE-2024-32462",
      "lastModified": "2024-11-21T09:14:57.853",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N\", \"baseScore\": 8.4, \"baseSeverity\": \"HIGH\", \"attackVector\": \"LOCAL\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.0, \"impactScore\": 5.8}]}",
      "published": "2024-04-18T18:15:09.313",
      "references": "[{\"url\": \"http://www.openwall.com/lists/oss-security/2024/04/18/5\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://github.com/flatpak/flatpak/commit/72016e3fce8fcbeab707daf4f1a02b931fcc004d\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://github.com/flatpak/flatpak/commit/81abe2a37d363f5099c3d0bdcd0caad6efc5bf97\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://github.com/flatpak/flatpak/commit/b7c1a558e58aaeb1d007d29529bbb270dc4ff11e\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://github.com/flatpak/flatpak/commit/bbab7ed1e672356d1a78b422462b210e8e875931\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://github.com/flatpak/flatpak/security/advisories/GHSA-phv6-cpc2-2fgj\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IB6VQAF5S2YOBULDHPUKPOEIKONOP5KO/\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZFNSCFJVMAQK5AF55JBN7OSJP3CREDBD/\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"http://www.openwall.com/lists/oss-security/2024/04/18/5\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://github.com/flatpak/flatpak/commit/72016e3fce8fcbeab707daf4f1a02b931fcc004d\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://github.com/flatpak/flatpak/commit/81abe2a37d363f5099c3d0bdcd0caad6efc5bf97\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://github.com/flatpak/flatpak/commit/b7c1a558e58aaeb1d007d29529bbb270dc4ff11e\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://github.com/flatpak/flatpak/commit/bbab7ed1e672356d1a78b422462b210e8e875931\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://github.com/flatpak/flatpak/security/advisories/GHSA-phv6-cpc2-2fgj\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IB6VQAF5S2YOBULDHPUKPOEIKONOP5KO/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZFNSCFJVMAQK5AF55JBN7OSJP3CREDBD/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]",
      "sourceIdentifier": "security-advisories@github.com",
      "vulnStatus": "Awaiting Analysis",
      "weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-88\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-32462\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-04-18T18:15:09.313\",\"lastModified\":\"2025-08-21T00:43:47.783\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. in versions before 1.10.9, 1.12.9, 1.14.6, and 1.15.8, a malicious or compromised Flatpak app could execute arbitrary code outside its sandbox. Normally, the `--command` argument of `flatpak run` expects to be given a command to run in the specified Flatpak app, optionally along with some arguments. However it is possible to instead pass `bwrap` arguments to `--command=`, such as `--bind`. It\u0027s possible to pass an arbitrary `commandline` to the portal interface `org.freedesktop.portal.Background.RequestBackground` from within a Flatpak app. When this is converted into a `--command` and arguments, it achieves the same effect of passing arguments directly to `bwrap`, and thus can be used for a sandbox escape. The solution is to pass the `--` argument to `bwrap`, which makes it stop processing options. This has been supported since bubblewrap 0.3.0. All supported versions of Flatpak require at least that version of bubblewrap. xdg-desktop-portal version 1.18.4 will mitigate this vulnerability by only allowing Flatpak apps to create .desktop files for commands that do not start with --. The vulnerability is patched in 1.15.8, 1.10.9, 1.12.9, and 1.14.6.\"},{\"lang\":\"es\",\"value\":\"Flatpak es un sistema para crear, distribuir y ejecutar aplicaciones de escritorio en espacio aislado en Linux. en versiones anteriores a la 1.10.9, 1.12.9, 1.14.6 y 1.15.8, una aplicaci\u00f3n Flatpak maliciosa o comprometida podr\u00eda ejecutar c\u00f3digo arbitrario fuera de su zona de pruebas. Normalmente, el argumento `--command` de `flatpak run` espera recibir un comando para ejecutar en la aplicaci\u00f3n Flatpak especificada, opcionalmente junto con algunos argumentos. Sin embargo, es posible pasar argumentos `bwrap` a `--command=`, como `--bind`. Es posible pasar una \\\"l\u00ednea de comando\\\" arbitraria a la interfaz del portal \\\"org.freedesktop.portal.Background.RequestBackground\\\" desde una aplicaci\u00f3n Flatpak. Cuando esto se convierte en un `--command` y argumentos, logra el mismo efecto de pasar argumentos directamente a `bwrap` y, por lo tanto, puede usarse para un escape sandbox. La soluci\u00f3n es pasar el argumento `--` a `bwrap`, lo que hace que deje de procesar las opciones. Esto ha sido compatible desde bubblewrap 0.3.0. Todas las versiones compatibles de Flatpak requieren al menos esa versi\u00f3n de bubblewrap. xdg-desktop-portal versi\u00f3n 1.18.4 mitigar\u00e1 esta vulnerabilidad al permitir que las aplicaciones Flatpak solo creen archivos .desktop para comandos que no comiencen con --. La vulnerabilidad est\u00e1 parcheada en 1.15.8, 1.10.9, 1.12.9 y 1.14.6.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N\",\"baseScore\":8.4,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.0,\"impactScore\":5.8}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-88\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:flatpak:flatpak:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.10.9\",\"matchCriteriaId\":\"E60FCEB3-549B-4F83-8BF1-87B9AB1A4D91\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:flatpak:flatpak:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"1.12.0\",\"versionEndExcluding\":\"1.12.9\",\"matchCriteriaId\":\"B8FCD122-12F7-46AC-AFBA-45303E6F4761\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:flatpak:flatpak:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"1.14.0\",\"versionEndExcluding\":\"1.14.6\",\"matchCriteriaId\":\"E1CCDB8B-00D2-4C89-A148-DB50CC4A940A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:flatpak:flatpak:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"1.15.0\",\"versionEndExcluding\":\"1.15.8\",\"matchCriteriaId\":\"AC3F3728-D443-4387-B00E-A559883BBAF3\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B8EDB836-4E6A-4B71-B9B2-AA3E03E0F646\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:40:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"CA277A6C-83EC-4536-9125-97B84C4FAF59\"}]}]}],\"references\":[{\"url\":\"http://www.openwall.com/lists/oss-security/2024/04/18/5\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/flatpak/flatpak/commit/72016e3fce8fcbeab707daf4f1a02b931fcc004d\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/flatpak/flatpak/commit/81abe2a37d363f5099c3d0bdcd0caad6efc5bf97\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/flatpak/flatpak/commit/b7c1a558e58aaeb1d007d29529bbb270dc4ff11e\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/flatpak/flatpak/commit/bbab7ed1e672356d1a78b422462b210e8e875931\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/flatpak/flatpak/security/advisories/GHSA-phv6-cpc2-2fgj\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IB6VQAF5S2YOBULDHPUKPOEIKONOP5KO/\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Mailing List\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZFNSCFJVMAQK5AF55JBN7OSJP3CREDBD/\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Mailing List\"]},{\"url\":\"http://www.openwall.com/lists/oss-security/2024/04/18/5\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/flatpak/flatpak/commit/72016e3fce8fcbeab707daf4f1a02b931fcc004d\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/flatpak/flatpak/commit/81abe2a37d363f5099c3d0bdcd0caad6efc5bf97\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/flatpak/flatpak/commit/b7c1a558e58aaeb1d007d29529bbb270dc4ff11e\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/flatpak/flatpak/commit/bbab7ed1e672356d1a78b422462b210e8e875931\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/flatpak/flatpak/security/advisories/GHSA-phv6-cpc2-2fgj\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IB6VQAF5S2YOBULDHPUKPOEIKONOP5KO/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZFNSCFJVMAQK5AF55JBN7OSJP3CREDBD/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/flatpak/flatpak/security/advisories/GHSA-phv6-cpc2-2fgj\", \"name\": \"https://github.com/flatpak/flatpak/security/advisories/GHSA-phv6-cpc2-2fgj\", \"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"]}, {\"url\": \"https://github.com/flatpak/flatpak/commit/72016e3fce8fcbeab707daf4f1a02b931fcc004d\", \"name\": \"https://github.com/flatpak/flatpak/commit/72016e3fce8fcbeab707daf4f1a02b931fcc004d\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/flatpak/flatpak/commit/81abe2a37d363f5099c3d0bdcd0caad6efc5bf97\", \"name\": \"https://github.com/flatpak/flatpak/commit/81abe2a37d363f5099c3d0bdcd0caad6efc5bf97\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/flatpak/flatpak/commit/b7c1a558e58aaeb1d007d29529bbb270dc4ff11e\", \"name\": \"https://github.com/flatpak/flatpak/commit/b7c1a558e58aaeb1d007d29529bbb270dc4ff11e\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/flatpak/flatpak/commit/bbab7ed1e672356d1a78b422462b210e8e875931\", \"name\": \"https://github.com/flatpak/flatpak/commit/bbab7ed1e672356d1a78b422462b210e8e875931\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZFNSCFJVMAQK5AF55JBN7OSJP3CREDBD/\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IB6VQAF5S2YOBULDHPUKPOEIKONOP5KO/\", \"tags\": [\"x_transferred\"]}, {\"url\": \"http://www.openwall.com/lists/oss-security/2024/04/18/5\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T02:13:39.161Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-32462\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-04-20T04:00:12.336436Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:flatpak:flatpak:*:*:*:*:*:*:*:*\"], \"vendor\": \"flatpak\", \"product\": \"flatpak\", \"versions\": [{\"status\": \"affected\", \"version\": \"1.15.0\", \"lessThan\": \"1.15.8\", \"versionType\": \"semver\"}], \"defaultStatus\": \"unknown\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-04-24T14:11:16.557Z\"}}], \"cna\": {\"title\": \"Flatpak vulnerable to a sandbox escape via RequestBackground portal due to bad argument parsing\", \"source\": {\"advisory\": \"GHSA-phv6-cpc2-2fgj\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 8.4, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"flatpak\", \"product\": \"flatpak\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 1.10.9\"}, {\"status\": \"affected\", \"version\": \"\u003e= 1.12.0, \u003c 1.12.9\"}, {\"status\": \"affected\", \"version\": \"\u003e= 1.14.0, \u003c 1.14.6\"}, {\"status\": \"affected\", \"version\": \"\u003e= 1.15.0, \u003c 1.15.8\"}]}], \"references\": [{\"url\": \"https://github.com/flatpak/flatpak/security/advisories/GHSA-phv6-cpc2-2fgj\", \"name\": \"https://github.com/flatpak/flatpak/security/advisories/GHSA-phv6-cpc2-2fgj\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/flatpak/flatpak/commit/72016e3fce8fcbeab707daf4f1a02b931fcc004d\", \"name\": \"https://github.com/flatpak/flatpak/commit/72016e3fce8fcbeab707daf4f1a02b931fcc004d\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/flatpak/flatpak/commit/81abe2a37d363f5099c3d0bdcd0caad6efc5bf97\", \"name\": \"https://github.com/flatpak/flatpak/commit/81abe2a37d363f5099c3d0bdcd0caad6efc5bf97\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/flatpak/flatpak/commit/b7c1a558e58aaeb1d007d29529bbb270dc4ff11e\", \"name\": \"https://github.com/flatpak/flatpak/commit/b7c1a558e58aaeb1d007d29529bbb270dc4ff11e\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/flatpak/flatpak/commit/bbab7ed1e672356d1a78b422462b210e8e875931\", \"name\": \"https://github.com/flatpak/flatpak/commit/bbab7ed1e672356d1a78b422462b210e8e875931\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZFNSCFJVMAQK5AF55JBN7OSJP3CREDBD/\"}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IB6VQAF5S2YOBULDHPUKPOEIKONOP5KO/\"}, {\"url\": \"http://www.openwall.com/lists/oss-security/2024/04/18/5\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. in versions before 1.10.9, 1.12.9, 1.14.6, and 1.15.8, a malicious or compromised Flatpak app could execute arbitrary code outside its sandbox. Normally, the `--command` argument of `flatpak run` expects to be given a command to run in the specified Flatpak app, optionally along with some arguments. However it is possible to instead pass `bwrap` arguments to `--command=`, such as `--bind`. It\u0027s possible to pass an arbitrary `commandline` to the portal interface `org.freedesktop.portal.Background.RequestBackground` from within a Flatpak app. When this is converted into a `--command` and arguments, it achieves the same effect of passing arguments directly to `bwrap`, and thus can be used for a sandbox escape. The solution is to pass the `--` argument to `bwrap`, which makes it stop processing options. This has been supported since bubblewrap 0.3.0. All supported versions of Flatpak require at least that version of bubblewrap. xdg-desktop-portal version 1.18.4 will mitigate this vulnerability by only allowing Flatpak apps to create .desktop files for commands that do not start with --. The vulnerability is patched in 1.15.8, 1.10.9, 1.12.9, and 1.14.6.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-88\", \"description\": \"CWE-88: Improper Neutralization of Argument Delimiters in a Command (\u0027Argument Injection\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2024-05-01T18:07:39.466Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-32462\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-12-16T18:13:22.363Z\", \"dateReserved\": \"2024-04-12T19:41:51.164Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2024-04-18T18:11:27.680Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

CERTFR-2025-AVI-0018

Vulnerability from certfr_avis - Published: - Updated:

De multiples vulnérabilités ont été découvertes dans les produits Juniper Networks. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un déni de service à distance et une atteinte à la confidentialité des données.

Solutions

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Impacted products

Vendor	Product	Description
Juniper Networks	Junos OS	Junos OS versions 22.4.x antérieures à 22.4R3-S5
Juniper Networks	Junos Space	Junos Space versions antérieures à 24.1R2
Juniper Networks	Junos OS Evolved	Junos OS Evolved versions antérieures à 21.2R3-S9-EVO
Juniper Networks	Junos OS Evolved	Junos OS Evolved versions 23.4.x-EVO antérieures à 23.4R2-S3-EVO
Juniper Networks	Junos OS	Junos OS versions 24.2.x antérieures à 24.2R1-S2 et 24.2R2
Juniper Networks	Junos OS Evolved	Junos OS Evolved versions 23.2.x-EVO antérieures à 23.2R2-S3-EVO
Juniper Networks	Junos OS Evolved	Junos OS Evolved versions 21.4.x-EVO antérieures à 21.4R3-S10-EVO
Juniper Networks	Junos OS Evolved	Junos OS Evolved versions 22.4.x-EVO antérieures à 22.4R3-S5-EVO
Juniper Networks	Junos OS	Junos OS versions 22.2.x antérieures à 22.2R3-S5
Juniper Networks	Junos OS Evolved	Junos OS Evolved versions 22.3.x-EVO antérieures à 22.3R3-S4-EVO
Juniper Networks	Junos OS Evolved	Junos OS Evolved versions 24.2.x-EVO antérieures à 24.2R1-S2-EVO et 24.2R2-EVO
Juniper Networks	Junos OS	Junos OS versions 22.3.x antérieures à 22.3R3-S4
Juniper Networks	Junos OS	Junos OS versions 23.4.x antérieures à 23.4R2-S3
Juniper Networks	Junos OS	Junos OS versions 21.4.x antérieures à 21.4R3-S10
Juniper Networks	Junos OS	Junos OS versions 23.2.x antérieures à 23.2R2-S3
Juniper Networks	Junos OS	Junos OS versions antérieures à 21.2R3-S9
Juniper Networks	Junos OS Evolved	Junos OS Evolved versions 22.2.x-EVO antérieures à 22.2R3-S5-EVO

References

Title

Publication Time

CERTFR-2025-AVI-0018

Vulnerability from certfr_avis - Published: - Updated:

Solutions

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Impacted products

Vendor	Product	Description
Juniper Networks	Junos OS	Junos OS versions 22.4.x antérieures à 22.4R3-S5
Juniper Networks	Junos Space	Junos Space versions antérieures à 24.1R2
Juniper Networks	Junos OS Evolved	Junos OS Evolved versions antérieures à 21.2R3-S9-EVO
Juniper Networks	Junos OS Evolved	Junos OS Evolved versions 23.4.x-EVO antérieures à 23.4R2-S3-EVO
Juniper Networks	Junos OS	Junos OS versions 24.2.x antérieures à 24.2R1-S2 et 24.2R2
Juniper Networks	Junos OS Evolved	Junos OS Evolved versions 23.2.x-EVO antérieures à 23.2R2-S3-EVO
Juniper Networks	Junos OS Evolved	Junos OS Evolved versions 21.4.x-EVO antérieures à 21.4R3-S10-EVO
Juniper Networks	Junos OS Evolved	Junos OS Evolved versions 22.4.x-EVO antérieures à 22.4R3-S5-EVO
Juniper Networks	Junos OS	Junos OS versions 22.2.x antérieures à 22.2R3-S5
Juniper Networks	Junos OS Evolved	Junos OS Evolved versions 22.3.x-EVO antérieures à 22.3R3-S4-EVO
Juniper Networks	Junos OS Evolved	Junos OS Evolved versions 24.2.x-EVO antérieures à 24.2R1-S2-EVO et 24.2R2-EVO
Juniper Networks	Junos OS	Junos OS versions 22.3.x antérieures à 22.3R3-S4
Juniper Networks	Junos OS	Junos OS versions 23.4.x antérieures à 23.4R2-S3
Juniper Networks	Junos OS	Junos OS versions 21.4.x antérieures à 21.4R3-S10
Juniper Networks	Junos OS	Junos OS versions 23.2.x antérieures à 23.2R2-S3
Juniper Networks	Junos OS	Junos OS versions antérieures à 21.2R3-S9
Juniper Networks	Junos OS Evolved	Junos OS Evolved versions 22.2.x-EVO antérieures à 22.2R3-S5-EVO

References

Title

Publication Time

alsa-2024:3959

Vulnerability from osv_almalinux

Published

2024-06-17 00:00

Modified

2024-06-19 09:13

Summary

Important: flatpak security update

Details

Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux.

Security Fix(es):

flatpak: sandbox escape via RequestBackground portal (CVE-2024-32462)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer the CVE page(s) listed in the References section.

References

URL

Type

	https://access.redhat.com/errata/RHSA-2024:3959	ADVISORY
	https://access.redhat.com/security/cve/CVE-2024-32462	REPORT
	https://bugzilla.redhat.com/2275981	REPORT
	https://errata.almalinux.org/9/ALSA-2024-3959.html	ADVISORY

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "AlmaLinux:9",
        "name": "flatpak"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.12.9-1.el9_4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:9",
        "name": "flatpak-devel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.12.9-1.el9_4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:9",
        "name": "flatpak-libs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.12.9-1.el9_4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:9",
        "name": "flatpak-selinux"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.12.9-1.el9_4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:9",
        "name": "flatpak-session-helper"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.12.9-1.el9_4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "details": "Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux.\n\nSecurity Fix(es):\n\n* flatpak: sandbox escape via RequestBackground portal (CVE-2024-32462)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer the CVE page(s) listed in the References section.",
  "id": "ALSA-2024:3959",
  "modified": "2024-06-19T09:13:38Z",
  "published": "2024-06-17T00:00:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2024:3959"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-32462"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2275981"
    },
    {
      "type": "ADVISORY",
      "url": "https://errata.almalinux.org/9/ALSA-2024-3959.html"
    }
  ],
  "related": [
    "CVE-2024-32462"
  ],
  "summary": "Important: flatpak security update"
}

alsa-2024:3961

Vulnerability from osv_almalinux

Published

2024-06-17 00:00

Modified

2024-06-19 09:15

Summary

Important: flatpak security update

Details

Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux.

Security Fix(es):

flatpak: sandbox escape via RequestBackground portal (CVE-2024-32462)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer the CVE page(s) listed in the References section.

References

URL

Type

	https://access.redhat.com/errata/RHSA-2024:3961	ADVISORY
	https://access.redhat.com/security/cve/CVE-2024-32462	REPORT
	https://bugzilla.redhat.com/2275981	REPORT
	https://errata.almalinux.org/8/ALSA-2024-3961.html	ADVISORY

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "flatpak"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.12.9-1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "flatpak-devel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.12.9-1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "flatpak-libs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.12.9-1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "flatpak-selinux"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.12.9-1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "flatpak-session-helper"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.12.9-1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "details": "Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux.\n\nSecurity Fix(es):\n\n* flatpak: sandbox escape via RequestBackground portal (CVE-2024-32462)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer the CVE page(s) listed in the References section.",
  "id": "ALSA-2024:3961",
  "modified": "2024-06-19T09:15:05Z",
  "published": "2024-06-17T00:00:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2024:3961"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-32462"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2275981"
    },
    {
      "type": "ADVISORY",
      "url": "https://errata.almalinux.org/8/ALSA-2024-3961.html"
    }
  ],
  "related": [
    "CVE-2024-32462"
  ],
  "summary": "Important: flatpak security update"
}

BDU:2024-03113

Vulnerability from fstec - Published: 18.04.2024

Title

Уязвимость интерфейса xdg-desktop-portal инструмента для управления приложениями и средами Flatpak, позволяющая нарушителю выйти из изолированной программной среды и получить доступ к файлам в базовой системе

Description

Уязвимость интерфейса xdg-desktop-portal инструмента для управления приложениями и средами Flatpak связана с внедрением или модификацией аргументов. Эксплуатация уязвимости может позволить нарушителю выйти из изолированной программной среды и получить доступ к файлам в базовой системе

Severity


                    
                      AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

Vendor

ООО «Ред Софт», АО «НТЦ ИТ РОСА», Сообщество свободного программного обеспечения, АО "НППКТ"

Software Name

РЕД ОС (запись в едином реестре российских программ №3751), РОСА Кобальт (запись в едином реестре российских программ №1999), РОСА ХРОМ (запись в едином реестре российских программ №1607), Flatpak, ОСОН ОСнова Оnyx (запись в едином реестре российских программ №5913)

Software Version

7.3 (РЕД ОС), 7.9 (РОСА Кобальт), 12.4 (РОСА ХРОМ), до 1.10.9 (Flatpak), от 1.12.0 до 1.12.9 (Flatpak), от 1.14.0 до 1.14.6 (Flatpak), от 1.15.0 до 1.15.8 (Flatpak), до 2.14 (ОСОН ОСнова Оnyx)

Possible Mitigations

Установка обновлений из доверенных источников. В связи со сложившейся обстановкой и введенными санкциями против Российской Федерации рекомендуется устанавливать обновления программного обеспечения только после оценки всех сопутствующих рисков. Компенсирующие меры: - использование при запуске нестатической команды bwrap «--»; - минимизация пользовательских привилегий; - отключение/удаление неиспользуемых учётных записей пользователей. Использование рекомендаций производителя: https://github.com/flatpak/flatpak/commit/72016e3fce8fcbeab707daf4f1a02b931fcc004d https://github.com/flatpak/flatpak/commit/81abe2a37d363f5099c3d0bdcd0caad6efc5bf97 https://github.com/flatpak/flatpak/commit/b7c1a558e58aaeb1d007d29529bbb270dc4ff11e https://github.com/flatpak/flatpak/commit/bbab7ed1e672356d1a78b422462b210e8e875931 https://github.com/flatpak/flatpak/security/advisories/GHSA-phv6-cpc2-2fgj Для РедОС: http://repo.red-soft.ru/redos/7.3c/x86_64/updates/ Для ОС РОСА "КОБАЛЬТ": https://abf.rosa.ru/advisories/ROSA-SA-2024-2487 Для ОС РОСА "КОБАЛЬТ": https://abf.rosa.ru/advisories/ROSA-SA-2024-2487 Для операционной системы РОСА ХРОМ: https://abf.rosa.ru/advisories/ROSA-SA-2025-3004 Обновление программного обеспечения flatpak до версии 1.10.8-0+deb11u3.osnova2u1

Reference

https://github.com/flatpak/flatpak/commit/72016e3fce8fcbeab707daf4f1a02b931fcc004d https://github.com/flatpak/flatpak/commit/81abe2a37d363f5099c3d0bdcd0caad6efc5bf97 https://github.com/flatpak/flatpak/commit/b7c1a558e58aaeb1d007d29529bbb270dc4ff11e https://github.com/flatpak/flatpak/commit/bbab7ed1e672356d1a78b422462b210e8e875931 https://github.com/flatpak/flatpak/security/advisories/GHSA-phv6-cpc2-2fgj http://repo.red-soft.ru/redos/7.3c/x86_64/updates/ https://abf.rosa.ru/advisories/ROSA-SA-2024-2487 https://abf.rosa.ru/advisories/ROSA-SA-2024-2487 https://abf.rosa.ru/advisories/ROSA-SA-2025-3004 https://поддержка.нппкт.рф/bin/view/ОСнова/Обновления/2.14/

CWE

CWE-88

JSON

To clipboard

{
  "CVSS 2.0": "AV:L/AC:L/Au:S/C:C/I:C/A:N",
  "CVSS 3.0": "AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N",
  "CVSS 4.0": null,
  "remediation_\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": null,
  "remediation_\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435": null,
  "\u0412\u0435\u043d\u0434\u043e\u0440 \u041f\u041e": "\u041e\u041e\u041e \u00ab\u0420\u0435\u0434 \u0421\u043e\u0444\u0442\u00bb, \u0410\u041e \u00ab\u041d\u0422\u0426 \u0418\u0422 \u0420\u041e\u0421\u0410\u00bb, \u0421\u043e\u043e\u0431\u0449\u0435\u0441\u0442\u0432\u043e \u0441\u0432\u043e\u0431\u043e\u0434\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f, \u0410\u041e \"\u041d\u041f\u041f\u041a\u0422\"",
  "\u0412\u0435\u0440\u0441\u0438\u044f \u041f\u041e": "7.3 (\u0420\u0415\u0414 \u041e\u0421), 7.9 (\u0420\u041e\u0421\u0410 \u041a\u043e\u0431\u0430\u043b\u044c\u0442), 12.4 (\u0420\u041e\u0421\u0410 \u0425\u0420\u041e\u041c), \u0434\u043e 1.10.9 (Flatpak), \u043e\u0442 1.12.0 \u0434\u043e 1.12.9 (Flatpak), \u043e\u0442 1.14.0 \u0434\u043e 1.14.6 (Flatpak), \u043e\u0442 1.15.0 \u0434\u043e 1.15.8 (Flatpak), \u0434\u043e 2.14 (\u041e\u0421\u041e\u041d \u041e\u0421\u043d\u043e\u0432\u0430 \u041enyx)",
  "\u0412\u043e\u0437\u043c\u043e\u0436\u043d\u044b\u0435 \u043c\u0435\u0440\u044b \u043f\u043e \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044e": "\u0423\u0441\u0442\u0430\u043d\u043e\u0432\u043a\u0430 \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0439 \u0438\u0437 \u0434\u043e\u0432\u0435\u0440\u0435\u043d\u043d\u044b\u0445 \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u043e\u0432.\n\u0412 \u0441\u0432\u044f\u0437\u0438 \u0441\u043e \u0441\u043b\u043e\u0436\u0438\u0432\u0448\u0435\u0439\u0441\u044f \u043e\u0431\u0441\u0442\u0430\u043d\u043e\u0432\u043a\u043e\u0439 \u0438 \u0432\u0432\u0435\u0434\u0435\u043d\u043d\u044b\u043c\u0438 \u0441\u0430\u043d\u043a\u0446\u0438\u044f\u043c\u0438 \u043f\u0440\u043e\u0442\u0438\u0432 \u0420\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u043e\u0439 \u0424\u0435\u0434\u0435\u0440\u0430\u0446\u0438\u0438 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0443\u0435\u0442\u0441\u044f \u0443\u0441\u0442\u0430\u043d\u0430\u0432\u043b\u0438\u0432\u0430\u0442\u044c \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f \u0442\u043e\u043b\u044c\u043a\u043e \u043f\u043e\u0441\u043b\u0435 \u043e\u0446\u0435\u043d\u043a\u0438 \u0432\u0441\u0435\u0445 \u0441\u043e\u043f\u0443\u0442\u0441\u0442\u0432\u0443\u044e\u0449\u0438\u0445 \u0440\u0438\u0441\u043a\u043e\u0432.\n\n\u041a\u043e\u043c\u043f\u0435\u043d\u0441\u0438\u0440\u0443\u044e\u0449\u0438\u0435 \u043c\u0435\u0440\u044b:\n- \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u043f\u0440\u0438 \u0437\u0430\u043f\u0443\u0441\u043a\u0435 \u043d\u0435\u0441\u0442\u0430\u0442\u0438\u0447\u0435\u0441\u043a\u043e\u0439 \u043a\u043e\u043c\u0430\u043d\u0434\u044b bwrap \u00ab--\u00bb;\n- \u043c\u0438\u043d\u0438\u043c\u0438\u0437\u0430\u0446\u0438\u044f \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044c\u0441\u043a\u0438\u0445 \u043f\u0440\u0438\u0432\u0438\u043b\u0435\u0433\u0438\u0439;\n- \u043e\u0442\u043a\u043b\u044e\u0447\u0435\u043d\u0438\u0435/\u0443\u0434\u0430\u043b\u0435\u043d\u0438\u0435 \u043d\u0435\u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u0435\u043c\u044b\u0445 \u0443\u0447\u0451\u0442\u043d\u044b\u0445 \u0437\u0430\u043f\u0438\u0441\u0435\u0439 \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u0435\u0439.\n\n\u0418\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0439 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u044f:\nhttps://github.com/flatpak/flatpak/commit/72016e3fce8fcbeab707daf4f1a02b931fcc004d\nhttps://github.com/flatpak/flatpak/commit/81abe2a37d363f5099c3d0bdcd0caad6efc5bf97\nhttps://github.com/flatpak/flatpak/commit/b7c1a558e58aaeb1d007d29529bbb270dc4ff11e\nhttps://github.com/flatpak/flatpak/commit/bbab7ed1e672356d1a78b422462b210e8e875931\nhttps://github.com/flatpak/flatpak/security/advisories/GHSA-phv6-cpc2-2fgj\n\n\u0414\u043b\u044f \u0420\u0435\u0434\u041e\u0421: http://repo.red-soft.ru/redos/7.3c/x86_64/updates/\n\n\u0414\u043b\u044f \u041e\u0421 \u0420\u041e\u0421\u0410 \"\u041a\u041e\u0411\u0410\u041b\u042c\u0422\": https://abf.rosa.ru/advisories/ROSA-SA-2024-2487\n\n\u0414\u043b\u044f \u041e\u0421 \u0420\u041e\u0421\u0410 \"\u041a\u041e\u0411\u0410\u041b\u042c\u0422\": https://abf.rosa.ru/advisories/ROSA-SA-2024-2487\n\n\u0414\u043b\u044f \u043e\u043f\u0435\u0440\u0430\u0446\u0438\u043e\u043d\u043d\u043e\u0439 \u0441\u0438\u0441\u0442\u0435\u043c\u044b \u0420\u041e\u0421\u0410 \u0425\u0420\u041e\u041c: https://abf.rosa.ru/advisories/ROSA-SA-2025-3004\n\n\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f flatpak \u0434\u043e \u0432\u0435\u0440\u0441\u0438\u0438 1.10.8-0+deb11u3.osnova2u1",
  "\u0414\u0430\u0442\u0430 \u0432\u044b\u044f\u0432\u043b\u0435\u043d\u0438\u044f": "18.04.2024",
  "\u0414\u0430\u0442\u0430 \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u0435\u0433\u043e \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f": "24.10.2025",
  "\u0414\u0430\u0442\u0430 \u043f\u0443\u0431\u043b\u0438\u043a\u0430\u0446\u0438\u0438": "19.04.2024",
  "\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": "BDU:2024-03113",
  "\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440\u044b \u0434\u0440\u0443\u0433\u0438\u0445 \u0441\u0438\u0441\u0442\u0435\u043c \u043e\u043f\u0438\u0441\u0430\u043d\u0438\u0439 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "CVE-2024-32462",
  "\u0418\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f \u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0430",
  "\u041a\u043b\u0430\u0441\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043a\u043e\u0434\u0430",
  "\u041d\u0430\u0437\u0432\u0430\u043d\u0438\u0435 \u041f\u041e": "\u0420\u0415\u0414 \u041e\u0421 (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21163751), \u0420\u041e\u0421\u0410 \u041a\u043e\u0431\u0430\u043b\u044c\u0442 (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21161999), \u0420\u041e\u0421\u0410 \u0425\u0420\u041e\u041c (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21161607), Flatpak, \u041e\u0421\u041e\u041d \u041e\u0421\u043d\u043e\u0432\u0430 \u041enyx (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21165913)",
  "\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u041e\u0421 \u0438 \u0442\u0438\u043f \u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b": "\u041e\u041e\u041e \u00ab\u0420\u0435\u0434 \u0421\u043e\u0444\u0442\u00bb \u0420\u0415\u0414 \u041e\u0421 7.3  (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21163751), \u0410\u041e \u00ab\u041d\u0422\u0426 \u0418\u0422 \u0420\u041e\u0421\u0410\u00bb \u0420\u041e\u0421\u0410 \u041a\u043e\u0431\u0430\u043b\u044c\u0442 7.9  (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21161999), \u0410\u041e \u00ab\u041d\u0422\u0426 \u0418\u0422 \u0420\u041e\u0421\u0410\u00bb \u0420\u041e\u0421\u0410 \u0425\u0420\u041e\u041c 12.4  (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21161607), \u0410\u041e \"\u041d\u041f\u041f\u041a\u0422\" \u041e\u0421\u041e\u041d \u041e\u0421\u043d\u043e\u0432\u0430 \u041enyx \u0434\u043e 2.14  (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21165913)",
  "\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0438\u043d\u0442\u0435\u0440\u0444\u0435\u0439\u0441\u0430 xdg-desktop-portal \u0438\u043d\u0441\u0442\u0440\u0443\u043c\u0435\u043d\u0442\u0430 \u0434\u043b\u044f \u0443\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u0438\u044f \u043f\u0440\u0438\u043b\u043e\u0436\u0435\u043d\u0438\u044f\u043c\u0438 \u0438 \u0441\u0440\u0435\u0434\u0430\u043c\u0438 Flatpak, \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044e\u0449\u0430\u044f \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e \u0432\u044b\u0439\u0442\u0438 \u0438\u0437 \u0438\u0437\u043e\u043b\u0438\u0440\u043e\u0432\u0430\u043d\u043d\u043e\u0439 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0439 \u0441\u0440\u0435\u0434\u044b \u0438 \u043f\u043e\u043b\u0443\u0447\u0438\u0442\u044c \u0434\u043e\u0441\u0442\u0443\u043f \u043a \u0444\u0430\u0439\u043b\u0430\u043c \u0432 \u0431\u0430\u0437\u043e\u0432\u043e\u0439 \u0441\u0438\u0441\u0442\u0435\u043c\u0435",
  "\u041d\u0430\u043b\u0438\u0447\u0438\u0435 \u044d\u043a\u0441\u043f\u043b\u043e\u0439\u0442\u0430": "\u0421\u0443\u0449\u0435\u0441\u0442\u0432\u0443\u0435\u0442 \u0432 \u043e\u0442\u043a\u0440\u044b\u0442\u043e\u043c \u0434\u043e\u0441\u0442\u0443\u043f\u0435",
  "\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "\u0412\u043d\u0435\u0434\u0440\u0435\u043d\u0438\u0435 \u0438\u043b\u0438 \u043c\u043e\u0434\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u044f \u0430\u0440\u0433\u0443\u043c\u0435\u043d\u0442\u0430 (CWE-88)",
  "\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0438\u043d\u0442\u0435\u0440\u0444\u0435\u0439\u0441\u0430 xdg-desktop-portal \u0438\u043d\u0441\u0442\u0440\u0443\u043c\u0435\u043d\u0442\u0430 \u0434\u043b\u044f \u0443\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u0438\u044f \u043f\u0440\u0438\u043b\u043e\u0436\u0435\u043d\u0438\u044f\u043c\u0438 \u0438 \u0441\u0440\u0435\u0434\u0430\u043c\u0438 Flatpak \u0441\u0432\u044f\u0437\u0430\u043d\u0430 \u0441 \u0432\u043d\u0435\u0434\u0440\u0435\u043d\u0438\u0435\u043c \u0438\u043b\u0438 \u043c\u043e\u0434\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u0435\u0439 \u0430\u0440\u0433\u0443\u043c\u0435\u043d\u0442\u043e\u0432. \u042d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u043c\u043e\u0436\u0435\u0442 \u043f\u043e\u0437\u0432\u043e\u043b\u0438\u0442\u044c \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e \u0432\u044b\u0439\u0442\u0438 \u0438\u0437 \u0438\u0437\u043e\u043b\u0438\u0440\u043e\u0432\u0430\u043d\u043d\u043e\u0439 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0439 \u0441\u0440\u0435\u0434\u044b \u0438 \u043f\u043e\u043b\u0443\u0447\u0438\u0442\u044c \u0434\u043e\u0441\u0442\u0443\u043f \u043a \u0444\u0430\u0439\u043b\u0430\u043c \u0432 \u0431\u0430\u0437\u043e\u0432\u043e\u0439 \u0441\u0438\u0441\u0442\u0435\u043c\u0435",
  "\u041f\u043e\u0441\u043b\u0435\u0434\u0441\u0442\u0432\u0438\u044f \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": null,
  "\u041f\u0440\u043e\u0447\u0430\u044f \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f": null,
  "\u0421\u0432\u044f\u0437\u044c \u0441 \u0438\u043d\u0446\u0438\u0434\u0435\u043d\u0442\u0430\u043c\u0438 \u0418\u0411": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
  "\u0421\u043e\u0441\u0442\u043e\u044f\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041e\u043f\u0443\u0431\u043b\u0438\u043a\u043e\u0432\u0430\u043d\u0430",
  "\u0421\u043f\u043e\u0441\u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044f": "\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f",
  "\u0421\u043f\u043e\u0441\u043e\u0431 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438": "\u0418\u043d\u044a\u0435\u043a\u0446\u0438\u044f",
  "\u0421\u0441\u044b\u043b\u043a\u0438 \u043d\u0430 \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u0438": "https://github.com/flatpak/flatpak/commit/72016e3fce8fcbeab707daf4f1a02b931fcc004d\nhttps://github.com/flatpak/flatpak/commit/81abe2a37d363f5099c3d0bdcd0caad6efc5bf97\nhttps://github.com/flatpak/flatpak/commit/b7c1a558e58aaeb1d007d29529bbb270dc4ff11e\nhttps://github.com/flatpak/flatpak/commit/bbab7ed1e672356d1a78b422462b210e8e875931\nhttps://github.com/flatpak/flatpak/security/advisories/GHSA-phv6-cpc2-2fgj\nhttp://repo.red-soft.ru/redos/7.3c/x86_64/updates/\nhttps://abf.rosa.ru/advisories/ROSA-SA-2024-2487\nhttps://abf.rosa.ru/advisories/ROSA-SA-2024-2487\nhttps://abf.rosa.ru/advisories/ROSA-SA-2025-3004\nhttps://\u043f\u043e\u0434\u0434\u0435\u0440\u0436\u043a\u0430.\u043d\u043f\u043f\u043a\u0442.\u0440\u0444/bin/view/\u041e\u0421\u043d\u043e\u0432\u0430/\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f/2.14/",
  "\u0421\u0442\u0430\u0442\u0443\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041f\u043e\u0434\u0442\u0432\u0435\u0440\u0436\u0434\u0435\u043d\u0430 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u0435\u043c",
  "\u0422\u0438\u043f \u041f\u041e": "\u041e\u043f\u0435\u0440\u0430\u0446\u0438\u043e\u043d\u043d\u0430\u044f \u0441\u0438\u0441\u0442\u0435\u043c\u0430, \u041f\u041e \u0432\u0438\u0440\u0442\u0443\u0430\u043b\u0438\u0437\u0430\u0446\u0438\u0438/\u041f\u041e \u0432\u0438\u0440\u0442\u0443\u0430\u043b\u044c\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e-\u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0433\u043e \u0441\u0440\u0435\u0434\u0441\u0442\u0432\u0430",
  "\u0422\u0438\u043f \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "CWE-88",
  "\u0423\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0421\u0440\u0435\u0434\u043d\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 2.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 6,2)\n\u0412\u044b\u0441\u043e\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 3.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 8,4)"
}

FKIE_CVE-2024-32462

Vulnerability from fkie_nvd - Published: 2024-04-18 18:15 - Updated: 2025-08-21 00:43

Severity

8.4 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

Summary

References

URL	Tags
security-advisories@github.com	http://www.openwall.com/lists/oss-security/2024/04/18/5	Mailing List, Third Party Advisory
security-advisories@github.com	https://github.com/flatpak/flatpak/commit/72016e3fce8fcbeab707daf4f1a02b931fcc004d	Patch
security-advisories@github.com	https://github.com/flatpak/flatpak/commit/81abe2a37d363f5099c3d0bdcd0caad6efc5bf97	Patch
security-advisories@github.com	https://github.com/flatpak/flatpak/commit/b7c1a558e58aaeb1d007d29529bbb270dc4ff11e	Patch
security-advisories@github.com	https://github.com/flatpak/flatpak/commit/bbab7ed1e672356d1a78b422462b210e8e875931	Patch
security-advisories@github.com	https://github.com/flatpak/flatpak/security/advisories/GHSA-phv6-cpc2-2fgj	Vendor Advisory
security-advisories@github.com	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IB6VQAF5S2YOBULDHPUKPOEIKONOP5KO/	Mailing List
security-advisories@github.com	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZFNSCFJVMAQK5AF55JBN7OSJP3CREDBD/	Mailing List
af854a3a-2127-422b-91ae-364da2661108	http://www.openwall.com/lists/oss-security/2024/04/18/5	Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/flatpak/flatpak/commit/72016e3fce8fcbeab707daf4f1a02b931fcc004d	Patch
af854a3a-2127-422b-91ae-364da2661108	https://github.com/flatpak/flatpak/commit/81abe2a37d363f5099c3d0bdcd0caad6efc5bf97	Patch
af854a3a-2127-422b-91ae-364da2661108	https://github.com/flatpak/flatpak/commit/b7c1a558e58aaeb1d007d29529bbb270dc4ff11e	Patch
af854a3a-2127-422b-91ae-364da2661108	https://github.com/flatpak/flatpak/commit/bbab7ed1e672356d1a78b422462b210e8e875931	Patch
af854a3a-2127-422b-91ae-364da2661108	https://github.com/flatpak/flatpak/security/advisories/GHSA-phv6-cpc2-2fgj	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IB6VQAF5S2YOBULDHPUKPOEIKONOP5KO/	Mailing List
af854a3a-2127-422b-91ae-364da2661108	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZFNSCFJVMAQK5AF55JBN7OSJP3CREDBD/	Mailing List

Impacted products

Vendor	Product	Version
flatpak	flatpak	*
flatpak	flatpak	*
flatpak	flatpak	*
flatpak	flatpak	*
fedoraproject	fedora	39
fedoraproject	fedora	40

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:flatpak:flatpak:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "E60FCEB3-549B-4F83-8BF1-87B9AB1A4D91",
              "versionEndExcluding": "1.10.9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:flatpak:flatpak:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "B8FCD122-12F7-46AC-AFBA-45303E6F4761",
              "versionEndExcluding": "1.12.9",
              "versionStartIncluding": "1.12.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:flatpak:flatpak:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "E1CCDB8B-00D2-4C89-A148-DB50CC4A940A",
              "versionEndExcluding": "1.14.6",
              "versionStartIncluding": "1.14.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:flatpak:flatpak:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "AC3F3728-D443-4387-B00E-A559883BBAF3",
              "versionEndExcluding": "1.15.8",
              "versionStartIncluding": "1.15.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*",
              "matchCriteriaId": "B8EDB836-4E6A-4B71-B9B2-AA3E03E0F646",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:fedoraproject:fedora:40:*:*:*:*:*:*:*",
              "matchCriteriaId": "CA277A6C-83EC-4536-9125-97B84C4FAF59",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. in versions before 1.10.9, 1.12.9, 1.14.6, and 1.15.8, a malicious or compromised Flatpak app could execute arbitrary code outside its sandbox. Normally, the `--command` argument of `flatpak run` expects to be given a command to run in the specified Flatpak app, optionally along with some arguments. However it is possible to instead pass `bwrap` arguments to `--command=`, such as `--bind`. It\u0027s possible to pass an arbitrary `commandline` to the portal interface `org.freedesktop.portal.Background.RequestBackground` from within a Flatpak app. When this is converted into a `--command` and arguments, it achieves the same effect of passing arguments directly to `bwrap`, and thus can be used for a sandbox escape. The solution is to pass the `--` argument to `bwrap`, which makes it stop processing options. This has been supported since bubblewrap 0.3.0. All supported versions of Flatpak require at least that version of bubblewrap. xdg-desktop-portal version 1.18.4 will mitigate this vulnerability by only allowing Flatpak apps to create .desktop files for commands that do not start with --. The vulnerability is patched in 1.15.8, 1.10.9, 1.12.9, and 1.14.6."
    },
    {
      "lang": "es",
      "value": "Flatpak es un sistema para crear, distribuir y ejecutar aplicaciones de escritorio en espacio aislado en Linux. en versiones anteriores a la 1.10.9, 1.12.9, 1.14.6 y 1.15.8, una aplicaci\u00f3n Flatpak maliciosa o comprometida podr\u00eda ejecutar c\u00f3digo arbitrario fuera de su zona de pruebas. Normalmente, el argumento `--command` de `flatpak run` espera recibir un comando para ejecutar en la aplicaci\u00f3n Flatpak especificada, opcionalmente junto con algunos argumentos. Sin embargo, es posible pasar argumentos `bwrap` a `--command=`, como `--bind`. Es posible pasar una \"l\u00ednea de comando\" arbitraria a la interfaz del portal \"org.freedesktop.portal.Background.RequestBackground\" desde una aplicaci\u00f3n Flatpak. Cuando esto se convierte en un `--command` y argumentos, logra el mismo efecto de pasar argumentos directamente a `bwrap` y, por lo tanto, puede usarse para un escape sandbox. La soluci\u00f3n es pasar el argumento `--` a `bwrap`, lo que hace que deje de procesar las opciones. Esto ha sido compatible desde bubblewrap 0.3.0. Todas las versiones compatibles de Flatpak requieren al menos esa versi\u00f3n de bubblewrap. xdg-desktop-portal versi\u00f3n 1.18.4 mitigar\u00e1 esta vulnerabilidad al permitir que las aplicaciones Flatpak solo creen archivos .desktop para comandos que no comiencen con --. La vulnerabilidad est\u00e1 parcheada en 1.15.8, 1.10.9, 1.12.9 y 1.14.6."
    }
  ],
  "id": "CVE-2024-32462",
  "lastModified": "2025-08-21T00:43:47.783",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "NONE",
          "baseScore": 8.4,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.0,
        "impactScore": 5.8,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2024-04-18T18:15:09.313",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2024/04/18/5"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/flatpak/flatpak/commit/72016e3fce8fcbeab707daf4f1a02b931fcc004d"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/flatpak/flatpak/commit/81abe2a37d363f5099c3d0bdcd0caad6efc5bf97"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/flatpak/flatpak/commit/b7c1a558e58aaeb1d007d29529bbb270dc4ff11e"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/flatpak/flatpak/commit/bbab7ed1e672356d1a78b422462b210e8e875931"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/flatpak/flatpak/security/advisories/GHSA-phv6-cpc2-2fgj"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Mailing List"
      ],
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IB6VQAF5S2YOBULDHPUKPOEIKONOP5KO/"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Mailing List"
      ],
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZFNSCFJVMAQK5AF55JBN7OSJP3CREDBD/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2024/04/18/5"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/flatpak/flatpak/commit/72016e3fce8fcbeab707daf4f1a02b931fcc004d"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/flatpak/flatpak/commit/81abe2a37d363f5099c3d0bdcd0caad6efc5bf97"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/flatpak/flatpak/commit/b7c1a558e58aaeb1d007d29529bbb270dc4ff11e"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/flatpak/flatpak/commit/bbab7ed1e672356d1a78b422462b210e8e875931"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/flatpak/flatpak/security/advisories/GHSA-phv6-cpc2-2fgj"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List"
      ],
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IB6VQAF5S2YOBULDHPUKPOEIKONOP5KO/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List"
      ],
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZFNSCFJVMAQK5AF55JBN7OSJP3CREDBD/"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-88"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

GSD-2024-32462

Vulnerability from gsd - Updated: 2024-04-13 05:02

Details

Aliases

CVE-2024-32462

JSON

To clipboard

{
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2024-32462"
      ],
      "details": "Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. in versions before 1.10.9, 1.12.9, 1.14.6, and 1.15.8, a malicious or compromised Flatpak app could execute arbitrary code outside its sandbox. Normally, the `--command` argument of `flatpak run` expects to be given a command to run in the specified Flatpak app, optionally along with some arguments. However it is possible to instead pass `bwrap` arguments to `--command=`, such as `--bind`. It\u0027s possible to pass an arbitrary `commandline` to the portal interface `org.freedesktop.portal.Background.RequestBackground` from within a Flatpak app. When this is converted into a `--command` and arguments, it achieves the same effect of passing arguments directly to `bwrap`, and thus can be used for a sandbox escape. The solution is to pass the `--` argument to `bwrap`, which makes it stop processing options. This has been supported since bubblewrap 0.3.0. All supported versions of Flatpak require at least that version of bubblewrap. xdg-desktop-portal version 1.18.4 will mitigate this vulnerability by only allowing Flatpak apps to create .desktop files for commands that do not start with --. The vulnerability is patched in 1.15.8, 1.10.9, 1.12.9, and 1.14.6.",
      "id": "GSD-2024-32462",
      "modified": "2024-04-13T05:02:29.046935Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2024-32462",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "flatpak",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "=",
                          "version_value": "\u003c 1.10.9"
                        },
                        {
                          "version_affected": "=",
                          "version_value": "\u003e= 1.12.0, \u003c 1.12.9"
                        },
                        {
                          "version_affected": "=",
                          "version_value": "\u003e= 1.14.0, \u003c 1.14.6"
                        },
                        {
                          "version_affected": "=",
                          "version_value": "\u003e= 1.15.0, \u003c 1.15.8"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "flatpak"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. in versions before 1.10.9, 1.12.9, 1.14.6, and 1.15.8, a malicious or compromised Flatpak app could execute arbitrary code outside its sandbox. Normally, the `--command` argument of `flatpak run` expects to be given a command to run in the specified Flatpak app, optionally along with some arguments. However it is possible to instead pass `bwrap` arguments to `--command=`, such as `--bind`. It\u0027s possible to pass an arbitrary `commandline` to the portal interface `org.freedesktop.portal.Background.RequestBackground` from within a Flatpak app. When this is converted into a `--command` and arguments, it achieves the same effect of passing arguments directly to `bwrap`, and thus can be used for a sandbox escape. The solution is to pass the `--` argument to `bwrap`, which makes it stop processing options. This has been supported since bubblewrap 0.3.0. All supported versions of Flatpak require at least that version of bubblewrap. xdg-desktop-portal version 1.18.4 will mitigate this vulnerability by only allowing Flatpak apps to create .desktop files for commands that do not start with --. The vulnerability is patched in 1.15.8, 1.10.9, 1.12.9, and 1.14.6."
          }
        ]
      },
      "impact": {
        "cvss": [
          {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 8.4,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N",
            "version": "3.1"
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "cweId": "CWE-88",
                "lang": "eng",
                "value": "CWE-88: Improper Neutralization of Argument Delimiters in a Command (\u0027Argument Injection\u0027)"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/flatpak/flatpak/security/advisories/GHSA-phv6-cpc2-2fgj",
            "refsource": "MISC",
            "url": "https://github.com/flatpak/flatpak/security/advisories/GHSA-phv6-cpc2-2fgj"
          },
          {
            "name": "https://github.com/flatpak/flatpak/commit/72016e3fce8fcbeab707daf4f1a02b931fcc004d",
            "refsource": "MISC",
            "url": "https://github.com/flatpak/flatpak/commit/72016e3fce8fcbeab707daf4f1a02b931fcc004d"
          },
          {
            "name": "https://github.com/flatpak/flatpak/commit/81abe2a37d363f5099c3d0bdcd0caad6efc5bf97",
            "refsource": "MISC",
            "url": "https://github.com/flatpak/flatpak/commit/81abe2a37d363f5099c3d0bdcd0caad6efc5bf97"
          },
          {
            "name": "https://github.com/flatpak/flatpak/commit/b7c1a558e58aaeb1d007d29529bbb270dc4ff11e",
            "refsource": "MISC",
            "url": "https://github.com/flatpak/flatpak/commit/b7c1a558e58aaeb1d007d29529bbb270dc4ff11e"
          },
          {
            "name": "https://github.com/flatpak/flatpak/commit/bbab7ed1e672356d1a78b422462b210e8e875931",
            "refsource": "MISC",
            "url": "https://github.com/flatpak/flatpak/commit/bbab7ed1e672356d1a78b422462b210e8e875931"
          },
          {
            "name": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZFNSCFJVMAQK5AF55JBN7OSJP3CREDBD/",
            "refsource": "MISC",
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZFNSCFJVMAQK5AF55JBN7OSJP3CREDBD/"
          },
          {
            "name": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IB6VQAF5S2YOBULDHPUKPOEIKONOP5KO/",
            "refsource": "MISC",
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IB6VQAF5S2YOBULDHPUKPOEIKONOP5KO/"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-phv6-cpc2-2fgj",
        "discovery": "UNKNOWN"
      }
    },
    "nvd.nist.gov": {
      "cve": {
        "descriptions": [
          {
            "lang": "en",
            "value": "Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. in versions before 1.10.9, 1.12.9, 1.14.6, and 1.15.8, a malicious or compromised Flatpak app could execute arbitrary code outside its sandbox. Normally, the `--command` argument of `flatpak run` expects to be given a command to run in the specified Flatpak app, optionally along with some arguments. However it is possible to instead pass `bwrap` arguments to `--command=`, such as `--bind`. It\u0027s possible to pass an arbitrary `commandline` to the portal interface `org.freedesktop.portal.Background.RequestBackground` from within a Flatpak app. When this is converted into a `--command` and arguments, it achieves the same effect of passing arguments directly to `bwrap`, and thus can be used for a sandbox escape. The solution is to pass the `--` argument to `bwrap`, which makes it stop processing options. This has been supported since bubblewrap 0.3.0. All supported versions of Flatpak require at least that version of bubblewrap. xdg-desktop-portal version 1.18.4 will mitigate this vulnerability by only allowing Flatpak apps to create .desktop files for commands that do not start with --. The vulnerability is patched in 1.15.8, 1.10.9, 1.12.9, and 1.14.6."
          },
          {
            "lang": "es",
            "value": "Flatpak es un sistema para crear, distribuir y ejecutar aplicaciones de escritorio en espacio aislado en Linux. en versiones anteriores a la 1.10.9, 1.12.9, 1.14.6 y 1.15.8, una aplicaci\u00f3n Flatpak maliciosa o comprometida podr\u00eda ejecutar c\u00f3digo arbitrario fuera de su zona de pruebas. Normalmente, el argumento `--command` de `flatpak run` espera recibir un comando para ejecutar en la aplicaci\u00f3n Flatpak especificada, opcionalmente junto con algunos argumentos. Sin embargo, es posible pasar argumentos `bwrap` a `--command=`, como `--bind`. Es posible pasar una \"l\u00ednea de comando\" arbitraria a la interfaz del portal \"org.freedesktop.portal.Background.RequestBackground\" desde una aplicaci\u00f3n Flatpak. Cuando esto se convierte en un `--command` y argumentos, logra el mismo efecto de pasar argumentos directamente a `bwrap` y, por lo tanto, puede usarse para un escape sandbox. La soluci\u00f3n es pasar el argumento `--` a `bwrap`, lo que hace que deje de procesar las opciones. Esto ha sido compatible desde bubblewrap 0.3.0. Todas las versiones compatibles de Flatpak requieren al menos esa versi\u00f3n de bubblewrap. xdg-desktop-portal versi\u00f3n 1.18.4 mitigar\u00e1 esta vulnerabilidad al permitir que las aplicaciones Flatpak solo creen archivos .desktop para comandos que no comiencen con --. La vulnerabilidad est\u00e1 parcheada en 1.15.8, 1.10.9, 1.12.9 y 1.14.6."
          }
        ],
        "id": "CVE-2024-32462",
        "lastModified": "2024-04-25T06:15:59.887",
        "metrics": {
          "cvssMetricV31": [
            {
              "cvssData": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "NONE",
                "baseScore": 8.4,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N",
                "version": "3.1"
              },
              "exploitabilityScore": 2.0,
              "impactScore": 5.8,
              "source": "security-advisories@github.com",
              "type": "Secondary"
            }
          ]
        },
        "published": "2024-04-18T18:15:09.313",
        "references": [
          {
            "source": "security-advisories@github.com",
            "url": "https://github.com/flatpak/flatpak/commit/72016e3fce8fcbeab707daf4f1a02b931fcc004d"
          },
          {
            "source": "security-advisories@github.com",
            "url": "https://github.com/flatpak/flatpak/commit/81abe2a37d363f5099c3d0bdcd0caad6efc5bf97"
          },
          {
            "source": "security-advisories@github.com",
            "url": "https://github.com/flatpak/flatpak/commit/b7c1a558e58aaeb1d007d29529bbb270dc4ff11e"
          },
          {
            "source": "security-advisories@github.com",
            "url": "https://github.com/flatpak/flatpak/commit/bbab7ed1e672356d1a78b422462b210e8e875931"
          },
          {
            "source": "security-advisories@github.com",
            "url": "https://github.com/flatpak/flatpak/security/advisories/GHSA-phv6-cpc2-2fgj"
          },
          {
            "source": "security-advisories@github.com",
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IB6VQAF5S2YOBULDHPUKPOEIKONOP5KO/"
          },
          {
            "source": "security-advisories@github.com",
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZFNSCFJVMAQK5AF55JBN7OSJP3CREDBD/"
          }
        ],
        "sourceIdentifier": "security-advisories@github.com",
        "vulnStatus": "Awaiting Analysis",
        "weaknesses": [
          {
            "description": [
              {
                "lang": "en",
                "value": "CWE-88"
              }
            ],
            "source": "security-advisories@github.com",
            "type": "Secondary"
          }
        ]
      }
    }
  }
}

OPENSUSE-SU-2024:13899-1

Vulnerability from csaf_opensuse - Published: 2024-06-15 00:00 - Updated: 2024-06-15 00:00

Summary

flatpak-1.15.8-1.1 on GA media

Severity

Moderate

Notes

Title of the patch: flatpak-1.15.8-1.1 on GA media

Description of the patch: These are all security issues fixed in the flatpak-1.15.8-1.1 package on the GA media of openSUSE Tumbleweed.

Patchnames: openSUSE-Tumbleweed-2024-13899

CVE-2024-32462

8.4 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

Affected products

Recommended 32 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:flatpak-1.15.8-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:flatpak-1.15.8-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:flatpak-1.15.8-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:flatpak-1.15.8-1.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:flatpak-devel-1.15.8-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:flatpak-devel-1.15.8-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:flatpak-devel-1.15.8-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:flatpak-devel-1.15.8-1.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:flatpak-remote-flathub-1.15.8-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:flatpak-remote-flathub-1.15.8-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:flatpak-remote-flathub-1.15.8-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:flatpak-remote-flathub-1.15.8-1.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:flatpak-selinux-1.15.8-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:flatpak-selinux-1.15.8-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:flatpak-selinux-1.15.8-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:flatpak-selinux-1.15.8-1.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:flatpak-zsh-completion-1.15.8-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:flatpak-zsh-completion-1.15.8-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:flatpak-zsh-completion-1.15.8-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:flatpak-zsh-completion-1.15.8-1.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:libflatpak0-1.15.8-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:libflatpak0-1.15.8-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:libflatpak0-1.15.8-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:libflatpak0-1.15.8-1.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:system-user-flatpak-1.15.8-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:system-user-flatpak-1.15.8-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:system-user-flatpak-1.15.8-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:system-user-flatpak-1.15.8-1.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:typelib-1_0-Flatpak-1_0-1.15.8-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:typelib-1_0-Flatpak-1_0-1.15.8-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:typelib-1_0-Flatpak-1_0-1.15.8-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:typelib-1_0-Flatpak-1_0-1.15.8-1.1.x86_64	—	Vendor Fix

Threats

Impact important

References

5 references

URL	Category
https://www.suse.com/support/security/rating/	external
https://ftp.suse.com/pub/projects/security/csaf/o…	self
https://www.suse.com/security/cve/CVE-2024-32462/	self
https://www.suse.com/security/cve/CVE-2024-32462	external
https://bugzilla.suse.com/1223110	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "flatpak-1.15.8-1.1 on GA media",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "These are all security issues fixed in the flatpak-1.15.8-1.1 package on the GA media of openSUSE Tumbleweed.",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-Tumbleweed-2024-13899",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_13899-1.json"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2024-32462 page",
        "url": "https://www.suse.com/security/cve/CVE-2024-32462/"
      }
    ],
    "title": "flatpak-1.15.8-1.1 on GA media",
    "tracking": {
      "current_release_date": "2024-06-15T00:00:00Z",
      "generator": {
        "date": "2024-06-15T00:00:00Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2024:13899-1",
      "initial_release_date": "2024-06-15T00:00:00Z",
      "revision_history": [
        {
          "date": "2024-06-15T00:00:00Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "flatpak-1.15.8-1.1.aarch64",
                "product": {
                  "name": "flatpak-1.15.8-1.1.aarch64",
                  "product_id": "flatpak-1.15.8-1.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "flatpak-devel-1.15.8-1.1.aarch64",
                "product": {
                  "name": "flatpak-devel-1.15.8-1.1.aarch64",
                  "product_id": "flatpak-devel-1.15.8-1.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "flatpak-remote-flathub-1.15.8-1.1.aarch64",
                "product": {
                  "name": "flatpak-remote-flathub-1.15.8-1.1.aarch64",
                  "product_id": "flatpak-remote-flathub-1.15.8-1.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "flatpak-selinux-1.15.8-1.1.aarch64",
                "product": {
                  "name": "flatpak-selinux-1.15.8-1.1.aarch64",
                  "product_id": "flatpak-selinux-1.15.8-1.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "flatpak-zsh-completion-1.15.8-1.1.aarch64",
                "product": {
                  "name": "flatpak-zsh-completion-1.15.8-1.1.aarch64",
                  "product_id": "flatpak-zsh-completion-1.15.8-1.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "libflatpak0-1.15.8-1.1.aarch64",
                "product": {
                  "name": "libflatpak0-1.15.8-1.1.aarch64",
                  "product_id": "libflatpak0-1.15.8-1.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "system-user-flatpak-1.15.8-1.1.aarch64",
                "product": {
                  "name": "system-user-flatpak-1.15.8-1.1.aarch64",
                  "product_id": "system-user-flatpak-1.15.8-1.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "typelib-1_0-Flatpak-1_0-1.15.8-1.1.aarch64",
                "product": {
                  "name": "typelib-1_0-Flatpak-1_0-1.15.8-1.1.aarch64",
                  "product_id": "typelib-1_0-Flatpak-1_0-1.15.8-1.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "flatpak-1.15.8-1.1.ppc64le",
                "product": {
                  "name": "flatpak-1.15.8-1.1.ppc64le",
                  "product_id": "flatpak-1.15.8-1.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "flatpak-devel-1.15.8-1.1.ppc64le",
                "product": {
                  "name": "flatpak-devel-1.15.8-1.1.ppc64le",
                  "product_id": "flatpak-devel-1.15.8-1.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "flatpak-remote-flathub-1.15.8-1.1.ppc64le",
                "product": {
                  "name": "flatpak-remote-flathub-1.15.8-1.1.ppc64le",
                  "product_id": "flatpak-remote-flathub-1.15.8-1.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "flatpak-selinux-1.15.8-1.1.ppc64le",
                "product": {
                  "name": "flatpak-selinux-1.15.8-1.1.ppc64le",
                  "product_id": "flatpak-selinux-1.15.8-1.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "flatpak-zsh-completion-1.15.8-1.1.ppc64le",
                "product": {
                  "name": "flatpak-zsh-completion-1.15.8-1.1.ppc64le",
                  "product_id": "flatpak-zsh-completion-1.15.8-1.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "libflatpak0-1.15.8-1.1.ppc64le",
                "product": {
                  "name": "libflatpak0-1.15.8-1.1.ppc64le",
                  "product_id": "libflatpak0-1.15.8-1.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "system-user-flatpak-1.15.8-1.1.ppc64le",
                "product": {
                  "name": "system-user-flatpak-1.15.8-1.1.ppc64le",
                  "product_id": "system-user-flatpak-1.15.8-1.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "typelib-1_0-Flatpak-1_0-1.15.8-1.1.ppc64le",
                "product": {
                  "name": "typelib-1_0-Flatpak-1_0-1.15.8-1.1.ppc64le",
                  "product_id": "typelib-1_0-Flatpak-1_0-1.15.8-1.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "flatpak-1.15.8-1.1.s390x",
                "product": {
                  "name": "flatpak-1.15.8-1.1.s390x",
                  "product_id": "flatpak-1.15.8-1.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "flatpak-devel-1.15.8-1.1.s390x",
                "product": {
                  "name": "flatpak-devel-1.15.8-1.1.s390x",
                  "product_id": "flatpak-devel-1.15.8-1.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "flatpak-remote-flathub-1.15.8-1.1.s390x",
                "product": {
                  "name": "flatpak-remote-flathub-1.15.8-1.1.s390x",
                  "product_id": "flatpak-remote-flathub-1.15.8-1.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "flatpak-selinux-1.15.8-1.1.s390x",
                "product": {
                  "name": "flatpak-selinux-1.15.8-1.1.s390x",
                  "product_id": "flatpak-selinux-1.15.8-1.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "flatpak-zsh-completion-1.15.8-1.1.s390x",
                "product": {
                  "name": "flatpak-zsh-completion-1.15.8-1.1.s390x",
                  "product_id": "flatpak-zsh-completion-1.15.8-1.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "libflatpak0-1.15.8-1.1.s390x",
                "product": {
                  "name": "libflatpak0-1.15.8-1.1.s390x",
                  "product_id": "libflatpak0-1.15.8-1.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "system-user-flatpak-1.15.8-1.1.s390x",
                "product": {
                  "name": "system-user-flatpak-1.15.8-1.1.s390x",
                  "product_id": "system-user-flatpak-1.15.8-1.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "typelib-1_0-Flatpak-1_0-1.15.8-1.1.s390x",
                "product": {
                  "name": "typelib-1_0-Flatpak-1_0-1.15.8-1.1.s390x",
                  "product_id": "typelib-1_0-Flatpak-1_0-1.15.8-1.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "flatpak-1.15.8-1.1.x86_64",
                "product": {
                  "name": "flatpak-1.15.8-1.1.x86_64",
                  "product_id": "flatpak-1.15.8-1.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "flatpak-devel-1.15.8-1.1.x86_64",
                "product": {
                  "name": "flatpak-devel-1.15.8-1.1.x86_64",
                  "product_id": "flatpak-devel-1.15.8-1.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "flatpak-remote-flathub-1.15.8-1.1.x86_64",
                "product": {
                  "name": "flatpak-remote-flathub-1.15.8-1.1.x86_64",
                  "product_id": "flatpak-remote-flathub-1.15.8-1.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "flatpak-selinux-1.15.8-1.1.x86_64",
                "product": {
                  "name": "flatpak-selinux-1.15.8-1.1.x86_64",
                  "product_id": "flatpak-selinux-1.15.8-1.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "flatpak-zsh-completion-1.15.8-1.1.x86_64",
                "product": {
                  "name": "flatpak-zsh-completion-1.15.8-1.1.x86_64",
                  "product_id": "flatpak-zsh-completion-1.15.8-1.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "libflatpak0-1.15.8-1.1.x86_64",
                "product": {
                  "name": "libflatpak0-1.15.8-1.1.x86_64",
                  "product_id": "libflatpak0-1.15.8-1.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "system-user-flatpak-1.15.8-1.1.x86_64",
                "product": {
                  "name": "system-user-flatpak-1.15.8-1.1.x86_64",
                  "product_id": "system-user-flatpak-1.15.8-1.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "typelib-1_0-Flatpak-1_0-1.15.8-1.1.x86_64",
                "product": {
                  "name": "typelib-1_0-Flatpak-1_0-1.15.8-1.1.x86_64",
                  "product_id": "typelib-1_0-Flatpak-1_0-1.15.8-1.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Tumbleweed",
                "product": {
                  "name": "openSUSE Tumbleweed",
                  "product_id": "openSUSE Tumbleweed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:tumbleweed"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "flatpak-1.15.8-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:flatpak-1.15.8-1.1.aarch64"
        },
        "product_reference": "flatpak-1.15.8-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "flatpak-1.15.8-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:flatpak-1.15.8-1.1.ppc64le"
        },
        "product_reference": "flatpak-1.15.8-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "flatpak-1.15.8-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:flatpak-1.15.8-1.1.s390x"
        },
        "product_reference": "flatpak-1.15.8-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "flatpak-1.15.8-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:flatpak-1.15.8-1.1.x86_64"
        },
        "product_reference": "flatpak-1.15.8-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "flatpak-devel-1.15.8-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:flatpak-devel-1.15.8-1.1.aarch64"
        },
        "product_reference": "flatpak-devel-1.15.8-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "flatpak-devel-1.15.8-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:flatpak-devel-1.15.8-1.1.ppc64le"
        },
        "product_reference": "flatpak-devel-1.15.8-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "flatpak-devel-1.15.8-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:flatpak-devel-1.15.8-1.1.s390x"
        },
        "product_reference": "flatpak-devel-1.15.8-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "flatpak-devel-1.15.8-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:flatpak-devel-1.15.8-1.1.x86_64"
        },
        "product_reference": "flatpak-devel-1.15.8-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "flatpak-remote-flathub-1.15.8-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:flatpak-remote-flathub-1.15.8-1.1.aarch64"
        },
        "product_reference": "flatpak-remote-flathub-1.15.8-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "flatpak-remote-flathub-1.15.8-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:flatpak-remote-flathub-1.15.8-1.1.ppc64le"
        },
        "product_reference": "flatpak-remote-flathub-1.15.8-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "flatpak-remote-flathub-1.15.8-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:flatpak-remote-flathub-1.15.8-1.1.s390x"
        },
        "product_reference": "flatpak-remote-flathub-1.15.8-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "flatpak-remote-flathub-1.15.8-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:flatpak-remote-flathub-1.15.8-1.1.x86_64"
        },
        "product_reference": "flatpak-remote-flathub-1.15.8-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "flatpak-selinux-1.15.8-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:flatpak-selinux-1.15.8-1.1.aarch64"
        },
        "product_reference": "flatpak-selinux-1.15.8-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "flatpak-selinux-1.15.8-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:flatpak-selinux-1.15.8-1.1.ppc64le"
        },
        "product_reference": "flatpak-selinux-1.15.8-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "flatpak-selinux-1.15.8-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:flatpak-selinux-1.15.8-1.1.s390x"
        },
        "product_reference": "flatpak-selinux-1.15.8-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "flatpak-selinux-1.15.8-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:flatpak-selinux-1.15.8-1.1.x86_64"
        },
        "product_reference": "flatpak-selinux-1.15.8-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "flatpak-zsh-completion-1.15.8-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:flatpak-zsh-completion-1.15.8-1.1.aarch64"
        },
        "product_reference": "flatpak-zsh-completion-1.15.8-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "flatpak-zsh-completion-1.15.8-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:flatpak-zsh-completion-1.15.8-1.1.ppc64le"
        },
        "product_reference": "flatpak-zsh-completion-1.15.8-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "flatpak-zsh-completion-1.15.8-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:flatpak-zsh-completion-1.15.8-1.1.s390x"
        },
        "product_reference": "flatpak-zsh-completion-1.15.8-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "flatpak-zsh-completion-1.15.8-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:flatpak-zsh-completion-1.15.8-1.1.x86_64"
        },
        "product_reference": "flatpak-zsh-completion-1.15.8-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libflatpak0-1.15.8-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:libflatpak0-1.15.8-1.1.aarch64"
        },
        "product_reference": "libflatpak0-1.15.8-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libflatpak0-1.15.8-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:libflatpak0-1.15.8-1.1.ppc64le"
        },
        "product_reference": "libflatpak0-1.15.8-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libflatpak0-1.15.8-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:libflatpak0-1.15.8-1.1.s390x"
        },
        "product_reference": "libflatpak0-1.15.8-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libflatpak0-1.15.8-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:libflatpak0-1.15.8-1.1.x86_64"
        },
        "product_reference": "libflatpak0-1.15.8-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "system-user-flatpak-1.15.8-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:system-user-flatpak-1.15.8-1.1.aarch64"
        },
        "product_reference": "system-user-flatpak-1.15.8-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "system-user-flatpak-1.15.8-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:system-user-flatpak-1.15.8-1.1.ppc64le"
        },
        "product_reference": "system-user-flatpak-1.15.8-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "system-user-flatpak-1.15.8-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:system-user-flatpak-1.15.8-1.1.s390x"
        },
        "product_reference": "system-user-flatpak-1.15.8-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "system-user-flatpak-1.15.8-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:system-user-flatpak-1.15.8-1.1.x86_64"
        },
        "product_reference": "system-user-flatpak-1.15.8-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "typelib-1_0-Flatpak-1_0-1.15.8-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:typelib-1_0-Flatpak-1_0-1.15.8-1.1.aarch64"
        },
        "product_reference": "typelib-1_0-Flatpak-1_0-1.15.8-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "typelib-1_0-Flatpak-1_0-1.15.8-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:typelib-1_0-Flatpak-1_0-1.15.8-1.1.ppc64le"
        },
        "product_reference": "typelib-1_0-Flatpak-1_0-1.15.8-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "typelib-1_0-Flatpak-1_0-1.15.8-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:typelib-1_0-Flatpak-1_0-1.15.8-1.1.s390x"
        },
        "product_reference": "typelib-1_0-Flatpak-1_0-1.15.8-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "typelib-1_0-Flatpak-1_0-1.15.8-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:typelib-1_0-Flatpak-1_0-1.15.8-1.1.x86_64"
        },
        "product_reference": "typelib-1_0-Flatpak-1_0-1.15.8-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-32462",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2024-32462"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. in versions before 1.10.9, 1.12.9, 1.14.6, and 1.15.8, a malicious or compromised Flatpak app could execute arbitrary code outside its sandbox. Normally, the `--command` argument of `flatpak run` expects to be given a command to run in the specified Flatpak app, optionally along with some arguments. However it is possible to instead pass `bwrap` arguments to `--command=`, such as `--bind`. It\u0027s possible to pass an arbitrary `commandline` to the portal interface `org.freedesktop.portal.Background.RequestBackground` from within a Flatpak app. When this is converted into a `--command` and arguments, it achieves the same effect of passing arguments directly to `bwrap`, and thus can be used for a sandbox escape. The solution is to pass the `--` argument to `bwrap`, which makes it stop processing options. This has been supported since bubblewrap 0.3.0. All supported versions of Flatpak require at least that version of bubblewrap. xdg-desktop-portal version 1.18.4 will mitigate this vulnerability by only allowing Flatpak apps to create .desktop files for commands that do not start with --. The vulnerability is patched in 1.15.8, 1.10.9, 1.12.9, and 1.14.6.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:flatpak-1.15.8-1.1.aarch64",
          "openSUSE Tumbleweed:flatpak-1.15.8-1.1.ppc64le",
          "openSUSE Tumbleweed:flatpak-1.15.8-1.1.s390x",
          "openSUSE Tumbleweed:flatpak-1.15.8-1.1.x86_64",
          "openSUSE Tumbleweed:flatpak-devel-1.15.8-1.1.aarch64",
          "openSUSE Tumbleweed:flatpak-devel-1.15.8-1.1.ppc64le",
          "openSUSE Tumbleweed:flatpak-devel-1.15.8-1.1.s390x",
          "openSUSE Tumbleweed:flatpak-devel-1.15.8-1.1.x86_64",
          "openSUSE Tumbleweed:flatpak-remote-flathub-1.15.8-1.1.aarch64",
          "openSUSE Tumbleweed:flatpak-remote-flathub-1.15.8-1.1.ppc64le",
          "openSUSE Tumbleweed:flatpak-remote-flathub-1.15.8-1.1.s390x",
          "openSUSE Tumbleweed:flatpak-remote-flathub-1.15.8-1.1.x86_64",
          "openSUSE Tumbleweed:flatpak-selinux-1.15.8-1.1.aarch64",
          "openSUSE Tumbleweed:flatpak-selinux-1.15.8-1.1.ppc64le",
          "openSUSE Tumbleweed:flatpak-selinux-1.15.8-1.1.s390x",
          "openSUSE Tumbleweed:flatpak-selinux-1.15.8-1.1.x86_64",
          "openSUSE Tumbleweed:flatpak-zsh-completion-1.15.8-1.1.aarch64",
          "openSUSE Tumbleweed:flatpak-zsh-completion-1.15.8-1.1.ppc64le",
          "openSUSE Tumbleweed:flatpak-zsh-completion-1.15.8-1.1.s390x",
          "openSUSE Tumbleweed:flatpak-zsh-completion-1.15.8-1.1.x86_64",
          "openSUSE Tumbleweed:libflatpak0-1.15.8-1.1.aarch64",
          "openSUSE Tumbleweed:libflatpak0-1.15.8-1.1.ppc64le",
          "openSUSE Tumbleweed:libflatpak0-1.15.8-1.1.s390x",
          "openSUSE Tumbleweed:libflatpak0-1.15.8-1.1.x86_64",
          "openSUSE Tumbleweed:system-user-flatpak-1.15.8-1.1.aarch64",
          "openSUSE Tumbleweed:system-user-flatpak-1.15.8-1.1.ppc64le",
          "openSUSE Tumbleweed:system-user-flatpak-1.15.8-1.1.s390x",
          "openSUSE Tumbleweed:system-user-flatpak-1.15.8-1.1.x86_64",
          "openSUSE Tumbleweed:typelib-1_0-Flatpak-1_0-1.15.8-1.1.aarch64",
          "openSUSE Tumbleweed:typelib-1_0-Flatpak-1_0-1.15.8-1.1.ppc64le",
          "openSUSE Tumbleweed:typelib-1_0-Flatpak-1_0-1.15.8-1.1.s390x",
          "openSUSE Tumbleweed:typelib-1_0-Flatpak-1_0-1.15.8-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2024-32462",
          "url": "https://www.suse.com/security/cve/CVE-2024-32462"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1223110 for CVE-2024-32462",
          "url": "https://bugzilla.suse.com/1223110"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:flatpak-1.15.8-1.1.aarch64",
            "openSUSE Tumbleweed:flatpak-1.15.8-1.1.ppc64le",
            "openSUSE Tumbleweed:flatpak-1.15.8-1.1.s390x",
            "openSUSE Tumbleweed:flatpak-1.15.8-1.1.x86_64",
            "openSUSE Tumbleweed:flatpak-devel-1.15.8-1.1.aarch64",
            "openSUSE Tumbleweed:flatpak-devel-1.15.8-1.1.ppc64le",
            "openSUSE Tumbleweed:flatpak-devel-1.15.8-1.1.s390x",
            "openSUSE Tumbleweed:flatpak-devel-1.15.8-1.1.x86_64",
            "openSUSE Tumbleweed:flatpak-remote-flathub-1.15.8-1.1.aarch64",
            "openSUSE Tumbleweed:flatpak-remote-flathub-1.15.8-1.1.ppc64le",
            "openSUSE Tumbleweed:flatpak-remote-flathub-1.15.8-1.1.s390x",
            "openSUSE Tumbleweed:flatpak-remote-flathub-1.15.8-1.1.x86_64",
            "openSUSE Tumbleweed:flatpak-selinux-1.15.8-1.1.aarch64",
            "openSUSE Tumbleweed:flatpak-selinux-1.15.8-1.1.ppc64le",
            "openSUSE Tumbleweed:flatpak-selinux-1.15.8-1.1.s390x",
            "openSUSE Tumbleweed:flatpak-selinux-1.15.8-1.1.x86_64",
            "openSUSE Tumbleweed:flatpak-zsh-completion-1.15.8-1.1.aarch64",
            "openSUSE Tumbleweed:flatpak-zsh-completion-1.15.8-1.1.ppc64le",
            "openSUSE Tumbleweed:flatpak-zsh-completion-1.15.8-1.1.s390x",
            "openSUSE Tumbleweed:flatpak-zsh-completion-1.15.8-1.1.x86_64",
            "openSUSE Tumbleweed:libflatpak0-1.15.8-1.1.aarch64",
            "openSUSE Tumbleweed:libflatpak0-1.15.8-1.1.ppc64le",
            "openSUSE Tumbleweed:libflatpak0-1.15.8-1.1.s390x",
            "openSUSE Tumbleweed:libflatpak0-1.15.8-1.1.x86_64",
            "openSUSE Tumbleweed:system-user-flatpak-1.15.8-1.1.aarch64",
            "openSUSE Tumbleweed:system-user-flatpak-1.15.8-1.1.ppc64le",
            "openSUSE Tumbleweed:system-user-flatpak-1.15.8-1.1.s390x",
            "openSUSE Tumbleweed:system-user-flatpak-1.15.8-1.1.x86_64",
            "openSUSE Tumbleweed:typelib-1_0-Flatpak-1_0-1.15.8-1.1.aarch64",
            "openSUSE Tumbleweed:typelib-1_0-Flatpak-1_0-1.15.8-1.1.ppc64le",
            "openSUSE Tumbleweed:typelib-1_0-Flatpak-1_0-1.15.8-1.1.s390x",
            "openSUSE Tumbleweed:typelib-1_0-Flatpak-1_0-1.15.8-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.4,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:flatpak-1.15.8-1.1.aarch64",
            "openSUSE Tumbleweed:flatpak-1.15.8-1.1.ppc64le",
            "openSUSE Tumbleweed:flatpak-1.15.8-1.1.s390x",
            "openSUSE Tumbleweed:flatpak-1.15.8-1.1.x86_64",
            "openSUSE Tumbleweed:flatpak-devel-1.15.8-1.1.aarch64",
            "openSUSE Tumbleweed:flatpak-devel-1.15.8-1.1.ppc64le",
            "openSUSE Tumbleweed:flatpak-devel-1.15.8-1.1.s390x",
            "openSUSE Tumbleweed:flatpak-devel-1.15.8-1.1.x86_64",
            "openSUSE Tumbleweed:flatpak-remote-flathub-1.15.8-1.1.aarch64",
            "openSUSE Tumbleweed:flatpak-remote-flathub-1.15.8-1.1.ppc64le",
            "openSUSE Tumbleweed:flatpak-remote-flathub-1.15.8-1.1.s390x",
            "openSUSE Tumbleweed:flatpak-remote-flathub-1.15.8-1.1.x86_64",
            "openSUSE Tumbleweed:flatpak-selinux-1.15.8-1.1.aarch64",
            "openSUSE Tumbleweed:flatpak-selinux-1.15.8-1.1.ppc64le",
            "openSUSE Tumbleweed:flatpak-selinux-1.15.8-1.1.s390x",
            "openSUSE Tumbleweed:flatpak-selinux-1.15.8-1.1.x86_64",
            "openSUSE Tumbleweed:flatpak-zsh-completion-1.15.8-1.1.aarch64",
            "openSUSE Tumbleweed:flatpak-zsh-completion-1.15.8-1.1.ppc64le",
            "openSUSE Tumbleweed:flatpak-zsh-completion-1.15.8-1.1.s390x",
            "openSUSE Tumbleweed:flatpak-zsh-completion-1.15.8-1.1.x86_64",
            "openSUSE Tumbleweed:libflatpak0-1.15.8-1.1.aarch64",
            "openSUSE Tumbleweed:libflatpak0-1.15.8-1.1.ppc64le",
            "openSUSE Tumbleweed:libflatpak0-1.15.8-1.1.s390x",
            "openSUSE Tumbleweed:libflatpak0-1.15.8-1.1.x86_64",
            "openSUSE Tumbleweed:system-user-flatpak-1.15.8-1.1.aarch64",
            "openSUSE Tumbleweed:system-user-flatpak-1.15.8-1.1.ppc64le",
            "openSUSE Tumbleweed:system-user-flatpak-1.15.8-1.1.s390x",
            "openSUSE Tumbleweed:system-user-flatpak-1.15.8-1.1.x86_64",
            "openSUSE Tumbleweed:typelib-1_0-Flatpak-1_0-1.15.8-1.1.aarch64",
            "openSUSE Tumbleweed:typelib-1_0-Flatpak-1_0-1.15.8-1.1.ppc64le",
            "openSUSE Tumbleweed:typelib-1_0-Flatpak-1_0-1.15.8-1.1.s390x",
            "openSUSE Tumbleweed:typelib-1_0-Flatpak-1_0-1.15.8-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2024-32462"
    }
  ]
}

OPENSUSE-SU-2024:13985-1

Vulnerability from csaf_opensuse - Published: 2024-06-15 00:00 - Updated: 2024-06-15 00:00

Summary

xdg-desktop-portal-1.18.4-1.1 on GA media

Severity

Moderate

Notes

Title of the patch: xdg-desktop-portal-1.18.4-1.1 on GA media

Description of the patch: These are all security issues fixed in the xdg-desktop-portal-1.18.4-1.1 package on the GA media of openSUSE Tumbleweed.

Patchnames: openSUSE-Tumbleweed-2024-13985

CVE-2024-32462

8.4 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

Affected products

Recommended 12 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:xdg-desktop-portal-1.18.4-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:xdg-desktop-portal-1.18.4-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:xdg-desktop-portal-1.18.4-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:xdg-desktop-portal-1.18.4-1.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:xdg-desktop-portal-devel-1.18.4-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:xdg-desktop-portal-devel-1.18.4-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:xdg-desktop-portal-devel-1.18.4-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:xdg-desktop-portal-devel-1.18.4-1.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:xdg-desktop-portal-lang-1.18.4-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:xdg-desktop-portal-lang-1.18.4-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:xdg-desktop-portal-lang-1.18.4-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:xdg-desktop-portal-lang-1.18.4-1.1.x86_64	—	Vendor Fix

Threats

Impact important

References

5 references

URL	Category
https://www.suse.com/support/security/rating/	external
https://ftp.suse.com/pub/projects/security/csaf/o…	self
https://www.suse.com/security/cve/CVE-2024-32462/	self
https://www.suse.com/security/cve/CVE-2024-32462	external
https://bugzilla.suse.com/1223110	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "xdg-desktop-portal-1.18.4-1.1 on GA media",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "These are all security issues fixed in the xdg-desktop-portal-1.18.4-1.1 package on the GA media of openSUSE Tumbleweed.",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-Tumbleweed-2024-13985",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_13985-1.json"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2024-32462 page",
        "url": "https://www.suse.com/security/cve/CVE-2024-32462/"
      }
    ],
    "title": "xdg-desktop-portal-1.18.4-1.1 on GA media",
    "tracking": {
      "current_release_date": "2024-06-15T00:00:00Z",
      "generator": {
        "date": "2024-06-15T00:00:00Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2024:13985-1",
      "initial_release_date": "2024-06-15T00:00:00Z",
      "revision_history": [
        {
          "date": "2024-06-15T00:00:00Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "xdg-desktop-portal-1.18.4-1.1.aarch64",
                "product": {
                  "name": "xdg-desktop-portal-1.18.4-1.1.aarch64",
                  "product_id": "xdg-desktop-portal-1.18.4-1.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "xdg-desktop-portal-devel-1.18.4-1.1.aarch64",
                "product": {
                  "name": "xdg-desktop-portal-devel-1.18.4-1.1.aarch64",
                  "product_id": "xdg-desktop-portal-devel-1.18.4-1.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "xdg-desktop-portal-lang-1.18.4-1.1.aarch64",
                "product": {
                  "name": "xdg-desktop-portal-lang-1.18.4-1.1.aarch64",
                  "product_id": "xdg-desktop-portal-lang-1.18.4-1.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "xdg-desktop-portal-1.18.4-1.1.ppc64le",
                "product": {
                  "name": "xdg-desktop-portal-1.18.4-1.1.ppc64le",
                  "product_id": "xdg-desktop-portal-1.18.4-1.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "xdg-desktop-portal-devel-1.18.4-1.1.ppc64le",
                "product": {
                  "name": "xdg-desktop-portal-devel-1.18.4-1.1.ppc64le",
                  "product_id": "xdg-desktop-portal-devel-1.18.4-1.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "xdg-desktop-portal-lang-1.18.4-1.1.ppc64le",
                "product": {
                  "name": "xdg-desktop-portal-lang-1.18.4-1.1.ppc64le",
                  "product_id": "xdg-desktop-portal-lang-1.18.4-1.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "xdg-desktop-portal-1.18.4-1.1.s390x",
                "product": {
                  "name": "xdg-desktop-portal-1.18.4-1.1.s390x",
                  "product_id": "xdg-desktop-portal-1.18.4-1.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "xdg-desktop-portal-devel-1.18.4-1.1.s390x",
                "product": {
                  "name": "xdg-desktop-portal-devel-1.18.4-1.1.s390x",
                  "product_id": "xdg-desktop-portal-devel-1.18.4-1.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "xdg-desktop-portal-lang-1.18.4-1.1.s390x",
                "product": {
                  "name": "xdg-desktop-portal-lang-1.18.4-1.1.s390x",
                  "product_id": "xdg-desktop-portal-lang-1.18.4-1.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "xdg-desktop-portal-1.18.4-1.1.x86_64",
                "product": {
                  "name": "xdg-desktop-portal-1.18.4-1.1.x86_64",
                  "product_id": "xdg-desktop-portal-1.18.4-1.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "xdg-desktop-portal-devel-1.18.4-1.1.x86_64",
                "product": {
                  "name": "xdg-desktop-portal-devel-1.18.4-1.1.x86_64",
                  "product_id": "xdg-desktop-portal-devel-1.18.4-1.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "xdg-desktop-portal-lang-1.18.4-1.1.x86_64",
                "product": {
                  "name": "xdg-desktop-portal-lang-1.18.4-1.1.x86_64",
                  "product_id": "xdg-desktop-portal-lang-1.18.4-1.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Tumbleweed",
                "product": {
                  "name": "openSUSE Tumbleweed",
                  "product_id": "openSUSE Tumbleweed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:tumbleweed"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "xdg-desktop-portal-1.18.4-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:xdg-desktop-portal-1.18.4-1.1.aarch64"
        },
        "product_reference": "xdg-desktop-portal-1.18.4-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "xdg-desktop-portal-1.18.4-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:xdg-desktop-portal-1.18.4-1.1.ppc64le"
        },
        "product_reference": "xdg-desktop-portal-1.18.4-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "xdg-desktop-portal-1.18.4-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:xdg-desktop-portal-1.18.4-1.1.s390x"
        },
        "product_reference": "xdg-desktop-portal-1.18.4-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "xdg-desktop-portal-1.18.4-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:xdg-desktop-portal-1.18.4-1.1.x86_64"
        },
        "product_reference": "xdg-desktop-portal-1.18.4-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "xdg-desktop-portal-devel-1.18.4-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:xdg-desktop-portal-devel-1.18.4-1.1.aarch64"
        },
        "product_reference": "xdg-desktop-portal-devel-1.18.4-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "xdg-desktop-portal-devel-1.18.4-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:xdg-desktop-portal-devel-1.18.4-1.1.ppc64le"
        },
        "product_reference": "xdg-desktop-portal-devel-1.18.4-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "xdg-desktop-portal-devel-1.18.4-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:xdg-desktop-portal-devel-1.18.4-1.1.s390x"
        },
        "product_reference": "xdg-desktop-portal-devel-1.18.4-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "xdg-desktop-portal-devel-1.18.4-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:xdg-desktop-portal-devel-1.18.4-1.1.x86_64"
        },
        "product_reference": "xdg-desktop-portal-devel-1.18.4-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "xdg-desktop-portal-lang-1.18.4-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:xdg-desktop-portal-lang-1.18.4-1.1.aarch64"
        },
        "product_reference": "xdg-desktop-portal-lang-1.18.4-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "xdg-desktop-portal-lang-1.18.4-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:xdg-desktop-portal-lang-1.18.4-1.1.ppc64le"
        },
        "product_reference": "xdg-desktop-portal-lang-1.18.4-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "xdg-desktop-portal-lang-1.18.4-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:xdg-desktop-portal-lang-1.18.4-1.1.s390x"
        },
        "product_reference": "xdg-desktop-portal-lang-1.18.4-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "xdg-desktop-portal-lang-1.18.4-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:xdg-desktop-portal-lang-1.18.4-1.1.x86_64"
        },
        "product_reference": "xdg-desktop-portal-lang-1.18.4-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-32462",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2024-32462"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. in versions before 1.10.9, 1.12.9, 1.14.6, and 1.15.8, a malicious or compromised Flatpak app could execute arbitrary code outside its sandbox. Normally, the `--command` argument of `flatpak run` expects to be given a command to run in the specified Flatpak app, optionally along with some arguments. However it is possible to instead pass `bwrap` arguments to `--command=`, such as `--bind`. It\u0027s possible to pass an arbitrary `commandline` to the portal interface `org.freedesktop.portal.Background.RequestBackground` from within a Flatpak app. When this is converted into a `--command` and arguments, it achieves the same effect of passing arguments directly to `bwrap`, and thus can be used for a sandbox escape. The solution is to pass the `--` argument to `bwrap`, which makes it stop processing options. This has been supported since bubblewrap 0.3.0. All supported versions of Flatpak require at least that version of bubblewrap. xdg-desktop-portal version 1.18.4 will mitigate this vulnerability by only allowing Flatpak apps to create .desktop files for commands that do not start with --. The vulnerability is patched in 1.15.8, 1.10.9, 1.12.9, and 1.14.6.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:xdg-desktop-portal-1.18.4-1.1.aarch64",
          "openSUSE Tumbleweed:xdg-desktop-portal-1.18.4-1.1.ppc64le",
          "openSUSE Tumbleweed:xdg-desktop-portal-1.18.4-1.1.s390x",
          "openSUSE Tumbleweed:xdg-desktop-portal-1.18.4-1.1.x86_64",
          "openSUSE Tumbleweed:xdg-desktop-portal-devel-1.18.4-1.1.aarch64",
          "openSUSE Tumbleweed:xdg-desktop-portal-devel-1.18.4-1.1.ppc64le",
          "openSUSE Tumbleweed:xdg-desktop-portal-devel-1.18.4-1.1.s390x",
          "openSUSE Tumbleweed:xdg-desktop-portal-devel-1.18.4-1.1.x86_64",
          "openSUSE Tumbleweed:xdg-desktop-portal-lang-1.18.4-1.1.aarch64",
          "openSUSE Tumbleweed:xdg-desktop-portal-lang-1.18.4-1.1.ppc64le",
          "openSUSE Tumbleweed:xdg-desktop-portal-lang-1.18.4-1.1.s390x",
          "openSUSE Tumbleweed:xdg-desktop-portal-lang-1.18.4-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2024-32462",
          "url": "https://www.suse.com/security/cve/CVE-2024-32462"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1223110 for CVE-2024-32462",
          "url": "https://bugzilla.suse.com/1223110"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:xdg-desktop-portal-1.18.4-1.1.aarch64",
            "openSUSE Tumbleweed:xdg-desktop-portal-1.18.4-1.1.ppc64le",
            "openSUSE Tumbleweed:xdg-desktop-portal-1.18.4-1.1.s390x",
            "openSUSE Tumbleweed:xdg-desktop-portal-1.18.4-1.1.x86_64",
            "openSUSE Tumbleweed:xdg-desktop-portal-devel-1.18.4-1.1.aarch64",
            "openSUSE Tumbleweed:xdg-desktop-portal-devel-1.18.4-1.1.ppc64le",
            "openSUSE Tumbleweed:xdg-desktop-portal-devel-1.18.4-1.1.s390x",
            "openSUSE Tumbleweed:xdg-desktop-portal-devel-1.18.4-1.1.x86_64",
            "openSUSE Tumbleweed:xdg-desktop-portal-lang-1.18.4-1.1.aarch64",
            "openSUSE Tumbleweed:xdg-desktop-portal-lang-1.18.4-1.1.ppc64le",
            "openSUSE Tumbleweed:xdg-desktop-portal-lang-1.18.4-1.1.s390x",
            "openSUSE Tumbleweed:xdg-desktop-portal-lang-1.18.4-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.4,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:xdg-desktop-portal-1.18.4-1.1.aarch64",
            "openSUSE Tumbleweed:xdg-desktop-portal-1.18.4-1.1.ppc64le",
            "openSUSE Tumbleweed:xdg-desktop-portal-1.18.4-1.1.s390x",
            "openSUSE Tumbleweed:xdg-desktop-portal-1.18.4-1.1.x86_64",
            "openSUSE Tumbleweed:xdg-desktop-portal-devel-1.18.4-1.1.aarch64",
            "openSUSE Tumbleweed:xdg-desktop-portal-devel-1.18.4-1.1.ppc64le",
            "openSUSE Tumbleweed:xdg-desktop-portal-devel-1.18.4-1.1.s390x",
            "openSUSE Tumbleweed:xdg-desktop-portal-devel-1.18.4-1.1.x86_64",
            "openSUSE Tumbleweed:xdg-desktop-portal-lang-1.18.4-1.1.aarch64",
            "openSUSE Tumbleweed:xdg-desktop-portal-lang-1.18.4-1.1.ppc64le",
            "openSUSE Tumbleweed:xdg-desktop-portal-lang-1.18.4-1.1.s390x",
            "openSUSE Tumbleweed:xdg-desktop-portal-lang-1.18.4-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2024-32462"
    }
  ]
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2024-32462 (GCVE-0-2024-32462)

Solutions

Solutions

Vulnerability from osv_almalinux

Vulnerability from osv_almalinux

Tags

Sightings

Nomenclature