CVE-2024-42472

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CWE-74), as recorded for the CVE; mechanically the bug is a symlink-following issue on the source directory of a bind mount (see Summary).

Published: Aug 15, 2024 / Updated: 3mo ago

CVSS 10.0 / EPSS 0.04% / Critical

Summary

Flatpak, a Linux application sandboxing and distribution framework, has a vulnerability in versions prior to 1.14.10 on the 1.14 branch and prior to 1.15.10 on the 1.15 branch. A malicious or compromised Flatpak app using persistent directories could access and write files outside of its intended access scope, compromising integrity and confidentiality. The issue occurs when 'persistent=subdir' (the --persist option) is present in an application's permissions. Per Flatpak's documented behaviour, the host-side copy of that directory lives in the app's own per-application data directory (~/.var/app/<app-id>/subdir) and is bind-mounted to ~/subdir inside the sandbox. Because the app can write to its data directory, it can replace that source directory with a symlink to any location the user can reach; on the next application start the bind mount follows the symlink, mounting the link target into the sandbox as though it were the app's own persisted data.

Impact

A malicious or compromised Flatpak app that carries a persistent=<subdir> permission could:
1. Read and modify files outside the directory it was meant to persist, because the next start's bind mount follows the app-planted symlink and exposes the link target inside the sandbox.
2. Reach any path the user running the app can reach. This is a sandbox bypass for the filesystem locations the symlink points at, not a privilege escalation: the app gains no rights beyond those of the user, so "sensitive system files" are exposed only where that user can already read or write them.
3. Bypass the sandbox's filesystem controls, compromising the confidentiality and integrity of the user's data.
4. In the worst case, turn write access outside the sandbox into code execution on the host as that user, for example by tampering with files that host processes execute or source.
The severity is therefore high, especially where apps from untrusted sources run on multi-user or shared systems. Exploitation does require that the malicious app already be installed and run at least twice: once to plant the symlink, and once more for the bind mount to follow it.

Exploitation

There is no evidence that a public proof-of-concept exists. There is no evidence of proof of exploitation at the moment.

Patch

Patches are available to address this vulnerability:
1. For the Flatpak 1.14.x stable branch: update to version 1.14.10.
2. For the Flatpak 1.15.x development branch: update to version 1.15.10.
3. For systems using a system-wide bubblewrap (/usr/bin/bwrap), it needs to be updated separately.
4. If using the bundled version of bubblewrap (/usr/libexec/flatpak-bwrap), it is updated with the Flatpak update.
Note: Flatpak versions 1.12.x and 1.10.x will not receive updates for this vulnerability.

Mitigation

1. Update Flatpak to the patched versions (1.14.10 for the stable branch, 1.15.10 for the development branch) as soon as possible; `flatpak --version` shows what is installed.
2. Ensure the system's bubblewrap (/usr/bin/bwrap) is also updated if your Flatpak installation uses it rather than the bundled /usr/libexec/flatpak-bwrap.
3. For systems that cannot be updated immediately, avoid running applications that carry the 'persistent' (--persist) permission. `flatpak info --show-permissions <app-id>` prints the app's metadata; a `persistent=` line under [Context] identifies the affected apps.
4. Monitor for suspicious activity from Flatpak applications, especially those with persistent storage permissions. The on-disk artifact of this attack is a top-level entry under ~/.var/app/<app-id>/ that has been replaced by a symlink, so checking those directories for symlinks is a cheap detection.
5. Consider temporarily disabling or restricting Flatpak applications in critical environments until patching is complete.
6. For long-term support distributions, work with the distribution maintainers to ensure proper backporting of the fixes, since upstream will not patch 1.12.x or 1.10.x.
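The checks described above, as an added shell example that is not part of this page or of the Flatpak project. It compares a version string against the fixed releases named in the Patch section, audits a Flatpak app-data tree (by default ~/.var/app, the directory from which persistent= subdirectories are bind-mounted) for top-level entries that have been replaced by symlinks, and, where the flatpak CLI is present, lists installed apps whose metadata carries a persistent= permission. The app IDs, the sample directory tree and the paths in it are constructed for the demonstration; the version comparator, the assumption that every series after 1.15 carries the fix, and the app-data layout (Flatpak's documented per-application directory convention) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Flatpak project code. Three checks for CVE-2024-42472:
#  1. is the installed flatpak version one of the fixed releases?
#  2. has any persisted directory under ~/.var/app been swapped for a symlink?
#  3. which installed apps carry a persistent= permission at all?
# The sample tree below is constructed for the demo; no real app data is touched.

# Numeric dotted-version comparison: returns 0 when $1 >= $2.
# A non-numeric suffix on a field (e.g. a distro's "10-1") is stripped.
version_ge() {
    a="$1." b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; a=${a#*.}; x=${x%%[!0-9]*}
        y=${b%%.*}; b=${b#*.}; y=${y%%[!0-9]*}
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
    done
    return 0
}

# Fixed per the advisory: 1.14.x needs 1.14.10, 1.15.x needs 1.15.10.
# Assumption: every later series carries the fix; 1.12.x, 1.10.x and older
# are unpatched upstream.
flatpak_fixed() {
    case "$1" in
        1.14.*) version_ge "$1" 1.14.10 ;;
        1.15.*) version_ge "$1" 1.15.10 ;;
        *)      version_ge "$1" 1.16.0 ;;
    esac
}

# Print "app-id/entry -> target" for every top-level entry of an app's data
# directory that is a symlink (dotfile entries such as .mozilla included).
# Flatpak bind-mounts ~/.var/app/<id>/<subdir> for persistent=<subdir>, so a
# symlink here is exactly what the pre-fix mount would follow.
# Always returns 0; the printed lines are the signal.
find_symlinked_persist_dirs() {
    root="${1:-$HOME/.var/app}"
    for appdir in "$root"/*/; do
        [ -d "$appdir" ] || continue
        for entry in "$appdir"* "$appdir".[!.]* "$appdir"..?*; do
            [ -L "$entry" ] || continue
            printf '%s -> %s\n' "${entry#"$root/"}" "$(readlink "$entry")"
        done
    done
    return 0
}

# With a live flatpak install: list apps whose metadata carries persistent=.
# Skipped when the CLI is absent (as in this offline demo).
list_persist_apps() {
    command -v flatpak >/dev/null 2>&1 || { echo "flatpak CLI not found; skipping"; return 0; }
    flatpak list --app --columns=application | while read -r app; do
        flatpak info --show-permissions "$app" 2>/dev/null | grep -q '^persistent=' \
            && echo "$app"
    done
    return 0
}

# Constructed sample tree: one benign app, and one whose persisted Documents
# directory was replaced by a symlink into the user's home (the attack).
build_sample_tree() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/org.example.Benign/Documents" "$tmp/org.example.Benign/config"
    mkdir -p "$tmp/org.example.Evil/config" "$tmp/victim_home/.ssh"
    ln -s "$tmp/victim_home/.ssh" "$tmp/org.example.Evil/Documents"
    printf '%s\n' "$tmp"
}

main() {
    ver="${1:-1.14.9}"   # on a real host: main "$(flatpak --version | cut -d' ' -f2)"
    if flatpak_fixed "$ver"; then echo "flatpak $ver: fixed"
    else echo "flatpak $ver: VULNERABLE, update to 1.14.10 / 1.15.10"; fi
    root=$(build_sample_tree)
    echo "symlinked persist dirs under $root:"
    find_symlinked_persist_dirs "$root"
    list_persist_apps
    rm -rf "$root"
}
main "$@"
```

Run it with the installed version as the first argument to get a verdict for the host; point find_symlinked_persist_dirs at ~/.var/app (the default when called with no argument) to audit real app data. A symlink reported there is not proof of compromise on its own, but on an unpatched Flatpak it is the precondition for the escape and deserves a look at where it points.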

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N (as listed for this record; note that this vector computes to a 9.1 base score under CVSS 3.1, not the 10.0 shown above, and that exploitation requires a malicious app already installed and run by the user, which is closer to local access than the AV:N/PR:N/UI:N the vector claims)

Timeline

Aug 14, 2024 at 5:34 PM / Open Source Security - First Article: Feedly found the first article mentioning CVE-2024-42472.

Aug 14, 2024 at 5:35 PM - CVSS Estimate: Feedly estimated the CVSS score as HIGH.

Aug 15, 2024 at 11:22 AM - CVSS Estimate: Feedly estimated the CVSS score as MEDIUM.

Aug 22, 2024 at 5:16 PM - Threat Intelligence Report: a report summarized by Feedly states that CVE-2024-42472 has a critical CVSS base score of 10.0, that it is being exploited in the wild with proof-of-concept exploits available, and that mitigations, detections and patches are not yet available, with potential downstream impact on third-party vendors. This conflicts with the rest of this page: the Flatpak advisory shipped fixed releases (1.14.10 and 1.15.10) at disclosure, and the Exploitation section records no evidence of a public proof-of-concept or of in-the-wild exploitation. Treat the report's exploitation claim as unverified.

Sep 2, 2024 at 7:53 AM - Detection in Vulnerability Scanners: detection for the vulnerability has been added to Qualys (756987).

Sep 3, 2024 at 11:15 AM - Detection in Vulnerability Scanners: detection for the vulnerability has been added to Nessus (206446).

Sep 4, 2024 at 8:00 AM - Vendor Advisory: Red Hat released a security advisory (RHSA-2024:6357).

Sep 5, 2024 at 8:00 AM - Vendor Advisory: Red Hat released a security advisory (RHSA-2024:6422).

Sep 15, 2024 at 1:16 PM - Detection in Vulnerability Scanners: detection for the vulnerability has been added to Nessus (207277).

Affected Systems

Flatpak/flatpak (1.14.x before 1.14.10; 1.15.x before 1.15.10; 1.12.x and 1.10.x remain unfixed upstream)

Patches

bugzilla.redhat.com

Links to Mitre Att&cks

T1562.003: Impair Command History Logging (auto-assigned; it does not describe this bug. The closest ATT&CK fit is T1611: Escape to Host, since the app breaks out of its sandbox's filesystem confinement.)

Attack Patterns

CAPEC-10: Buffer Overflow via Environment Variables (auto-assigned; unrelated to this bug, which involves no memory corruption. The matching pattern is CAPEC-132: Symlink Attack, against the bind-mount source directory.)

Vendor Advisory

Oracle Linux Bulletin - October 2024
Oracle Id: linuxbulletinoct2024. Release Date: 2024-10-15. Update Date: 2024-10-15. The Oracle Linux Bulletin lists all CVEs resolved and announced in Oracle Linux Security Advisories (ELSA) in the month before the bulletin's release, is published alongside Oracle Critical Patch Updates, and is updated for the following two months (or sooner for issues deemed too critical to wait). Oracle recommends applying bulletin security patches as soon as possible. The excerpt captured here is the bulletin's generic preamble plus a risk-matrix row for an unrelated CVE (CVE-2024-3596, CVSS 9.0, CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H); it is not the entry for CVE-2024-42472.

References

Weekly Intelligence Report - 23 Aug 2024
(The captured excerpt concerns Blue ransomware, a Phobos variant, and its likely targeting; it does not discuss CVE-2024-42472.)
@RISK: The Consensus Security Vulnerability Alert: Vol. 24, Num. 33 - SANS Institute
(The captured excerpt covers other entries in the alert, SQL injection flaws CVE-2024-7811 and CVE-2024-7794, not CVE-2024-42472.)

News

RockyLinux 9 : bubblewrap and flatpak (RLSA-2024:9449)
Nessus Plugin ID 211592, Critical Severity. Synopsis: the remote RockyLinux host is missing a security update. Description: the remote RockyLinux 9 host has packages installed that are affected by a vulnerability referenced in the RLSA-2024:9449 advisory: flatpak: Access to files outside sandbox for apps using persistent= (--persist) (CVE-2024-42472). Tenable has extracted the preceding description block directly from the RockyLinux security advisory. Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number. Solution: update the affected packages. Read more at https://www.tenable.com/plugins/nessus/211592
Oracle Linux 9 : bubblewrap / and / flatpak (ELSA-2024-9449)
The remote Oracle Linux 9 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2024-9449 advisory. The remote Oracle Linux host is missing a security update.
Multiple vulnerabilities in OpenShift API for Data Protection (OADP) 1.3
A remote attacker on the local network can pass specially crafted data to the application, trigger a heap-based buffer overflow and execute arbitrary code on the target system. (This excerpt describes another vulnerability addressed in the same OADP 1.3 advisory; CVE-2024-42472 is a symlink/bind-mount issue and involves no memory corruption.)
KRB5, Python, Libvirt, and more updates for AlmaLinux
The virt:rhel module contains packages which provide user-space components used to run virtual machines using KVM. The packages also provide APIs for managing and interacting with the virtualized systems. Full details, updated packages, references, and other related information: https://errata.almalinux.org/9/ALSA-2024-9452.html
RHSA-2024:9960: Important: OpenShift API for Data Protection (OADP) 1.3.4 security and bug fix update
OpenShift API for Data Protection (OADP) 1.3.4 is now available. Red Hat Product Security has rated this update as having a security impact of Important. OpenShift API for Data Protection (OADP) enables you to back up and restore application resources, persistent volume data, and internal container images to external backup storage.

CVSS V3.1

Attack Vector:Network
Attack Complexity:Low
Privileges Required:None
User Interaction:None
Scope:Changed
Confidentiality:High
Integrity:High
Availability Impact:None
