
CVE-2021-43860 : What You Need to Know

Discover the critical CVE-2021-43860 affecting Flatpak before versions 1.12.3 and 1.10.6. Learn the impact, affected systems, exploitation details, and mitigation steps.

This CVE identifier relates to Flatpak, a Linux application sandboxing and distribution framework, affected by a critical vulnerability allowing permissions to be hidden from users at install time.

Understanding CVE-2021-43860

What is CVE-2021-43860?

Flatpak, before versions 1.12.3 and 1.10.6, fails to validate displayed permissions during app installation against actual permissions granted, potentially enabling apps to self-grant hidden permissions without user consent.

The Impact of CVE-2021-43860

Users installing Flatpak apps from untrusted sources are vulnerable to malicious apps exploiting hidden permissions, as disclosed permissions do not match those actually granted.

Technical Details of CVE-2021-43860

Vulnerability Description

The flaw in Flatpak allows apps to manipulate metadata files, concealing permissions from users but enabling unauthorized access at runtime.

Affected Systems and Versions

        Vendor: flatpak
        Product: flatpak
        Versions Affected:
              >= 1.11.0, < 1.12.3
              < 1.10.6

Exploitation Mechanism

Malicious apps can abuse null byte inclusion in metadata files to hide actual granted permissions from users, potentially escalating privileges without detection.

Mitigation and Prevention

Immediate Steps to Take

        Update Flatpak to version 1.12.3 or 1.10.6, whichever applies to the release branch in use, to patch the vulnerability.
        Manually verify the permissions granted to installed apps by inspecting their metadata files or the xa.metadata key, and confirm that the two agree.
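The following is an added illustration, not Flatpak's own code, of the check that the exploitation mechanism above defeats and that the manual verification step calls for: it parses the [Context] section of a Flatpak-style metadata file twice, once as a NUL-terminated C string would be read (the text before the first null byte, which is what a user could be shown) and once over the whole file content (what a byte-oriented reader grants at runtime), and flags any permission present only in the second view. The metadata samples are constructed for this example; real inspection would compare the deployed metadata file against the xa.metadata value.

```python
import configparser

# Permission-bearing keys of a Flatpak metadata file's [Context] section.
CONTEXT_KEYS = ("shared", "sockets", "devices", "features", "filesystems")


def parse_permissions(text: str) -> dict:
    """Parse [Context] into {key: set(values)}; values are ';'-separated
    lists as in GKeyFile.  strict=False lets a repeated [Context] group
    merge, with later keys overriding earlier ones."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    cp.optionxform = str  # keep key names exactly as written
    cp.read_string(text)
    perms = {}
    if cp.has_section("Context"):
        for key in CONTEXT_KEYS:
            if cp.has_option("Context", key):
                perms[key] = {v for v in cp.get("Context", key).split(";") if v}
    return perms


def check_metadata(data: bytes) -> dict:
    """Compare the permissions visible up to the first NUL byte with the
    permissions present in the full content and report any difference."""
    nul = data.find(b"\x00")
    shown_bytes = data[:nul] if nul >= 0 else data
    displayed = parse_permissions(shown_bytes.decode("utf-8", errors="replace"))
    # Treat the NUL as a line break so text after it is parsed as well.
    actual = parse_permissions(data.replace(b"\x00", b"\n").decode("utf-8", errors="replace"))
    hidden = {k: actual.get(k, set()) - displayed.get(k, set()) for k in CONTEXT_KEYS}
    hidden = {k: v for k, v in hidden.items() if v}
    return {"has_nul": nul >= 0, "displayed": displayed, "actual": actual,
            "hidden": hidden, "ok": nul < 0 and not hidden}


# Constructed sample: a well-formed metadata file.
CLEAN = (b"[Application]\nname=org.example.Viewer\n"
         b"runtime=org.freedesktop.Platform/x86_64/21.08\n\n"
         b"[Context]\nshared=ipc;\nsockets=wayland;\n")

# Constructed sample: the same file with extra permissions after a NUL byte.
SUSPICIOUS = CLEAN + b"\x00\n[Context]\nsockets=wayland;x11;\nfilesystems=home;\n"

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN), ("suspicious", SUSPICIOUS)):
        r = check_metadata(blob)
        print(label, "ok" if r["ok"] else "REJECT", r["hidden"])
```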

Long-Term Security Practices

        Only install Flatpak apps from trusted sources to minimize exposure to malicious code.
        Regularly monitor official Flatpak releases for security updates.

Patching and Updates

Visit vendor advisory links for official patches and detailed mitigation guidance.
