CVE-2024-32462

CVSS 3.1 Score 8.4 of 10 (high)

Details

Published Apr 18, 2024
Updated May 1, 2024
CWE ID 88 (Improper Neutralization of Argument Delimiters in a Command, "Argument Injection")

Summary

CVE-2024-32462 is a sandbox-escape vulnerability in Flatpak, a Linux application sandboxing and distribution framework, affecting versions before 1.10.9, 1.12.9, 1.14.6, and 1.15.8. A malicious or compromised Flatpak app can exploit the flaw to execute arbitrary code outside its sandbox. The `--command` argument of `flatpak run` is meant to name a program to run inside the app's sandbox, optionally followed by arguments, but its value is passed through to `bwrap` (bubblewrap) at a position where `bwrap` is still parsing options, so a "command" such as `--bind` is interpreted as a bwrap option rather than as a program name (CWE-88, argument injection). A sandboxed app does not need to invoke `flatpak run` itself: it can pass an arbitrary `commandline` to the `org.freedesktop.portal.Background.RequestBackground` portal interface, and when that command line is converted into a `--command` argument to `flatpak run`, the app gains control over bwrap's options (for example, binding host directories into the sandbox), which is a sandbox escape. The fix, released in Flatpak 1.15.8, 1.10.9, 1.12.9, and 1.14.6, passes `--` to `bwrap` ahead of the command so that bwrap stops processing options; this relies on bubblewrap 0.3.0 or later, which introduced support for `--`. Users and administrators should update Flatpak (and make sure bubblewrap is at least 0.3.0) rather than attempt a manual workaround. Additionally, xdg-desktop-portal 1.18.4 mitigates the portal path by only allowing Flatpak apps to create .desktop files for commands that do not begin with `--`.

