CVE-2024-32462

Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') (CWE-88)

Published: Apr 18, 2024 / Updated: 7mo ago

When this is converted into a `--command` and arguments, it achieves the same effect of passing arguments directly to `bwrap`, and thus can be used for a sandbox escape. It's possible to pass an arbitrary `commandline` to the portal interface `org.freedesktop.portal.Background.RequestBackground` from within a Flatpak app.

Package updates are available for Alibaba Cloud Linux 2.1903 that fix the following vulnerabilities: CVE-2024-32462: Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. in versions before 1.10.9, 1.12.9, 1.14.6, and 1.15.8, a malicious or compromised Flatpak app could execute arbitrary code outside its sandbox. Normally, the `--command` argument of `flatpak run` expects to be given a command to run in the specified Flatpak app, optionally along with some arguments. However it is possible to instead pass `bwrap` arguments to `--command=`, such as `--bind`. It's possible to pass an arbitrary `commandline` to the portal interface `org.freedesktop.portal.Background.RequestBackground` from within a Flatpak app. When this is converted into a `--command` and arguments, it achieves the same effect of passing arguments directly to `bwrap`, and thus can be used for a sandbox escape. The solution is to pass the `--` argument to `bwrap`, which makes it stop processing options. This has been supported since bubblewrap 0.3.0.

This security bulletin contains one low risk vulnerability. No. This vulnerability can be exploited locally.

A remote attacker can send a specially crafted DNS response to the application and cause denial of service conditions. A remote attacker can bypass implemented security restrictions based on IP addresses or perform other actions, depending on the application's capabilities.

OpenShift API for Data Protection (OADP) 1.3.3 is now available.Red Hat Product Security has rated this update as having a security impact of Important. OpenShift API for Data Protection (OADP) enables you to back up and restore application resources, persistent volume data, and internal container images to external backup storage.

Nessus Plugin ID 204713 with High Severity Synopsis The remote CentOS Linux host is missing a security update. Description The remote CentOS Linux 7 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2024:3980 advisory. - Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. in versions before 1.10.9, 1.12.9, 1.14.6, and 1.15.8, a malicious or compromised Flatpak app could execute arbitrary code outside its sandbox. Normally, the `--command` argument of `flatpak run` expects to be given a command to run in the specified Flatpak app, optionally along with some arguments. However it is possible to instead pass `bwrap` arguments to `--command=`, such as `--bind`. It's possible to pass an arbitrary `commandline` to the portal interface `org.freedesktop.portal.Background.RequestBackground` from within a Flatpak app. When this is converted into a `--command` and arguments, it achieves the same effect of passing arguments directly to `bwrap`, and thus can be used for a sandbox escape. The solution is to pass the `--` argument to `bwrap`, which makes it stop processing options. This has been supported since bubblewrap 0.3.0.