ALAS2-2021-1597 --- flatpak | ID: oval:org.secpod.oval:def:1700555 | Date: (C)2021-02-22 (M)2023-12-26 |
Class: PATCH | Family: unix |
A flaw was found in Flatpak. The Flatpak portal D-Bus service passes caller-specified environment variables to non-sandboxed processes on the host system, and in particular to the `flatpak run` command that is used to launch the new sandbox instance. A malicious or compromised Flatpak app could set environment variables that are trusted by the `flatpak run` command, and use them to execute arbitrary code outside the sandbox. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.