CVE-2017-9780 SUSE CVE security@suse.de SUSE Security Team SUSE CVE-2017-9780 Interim 1 12 2023-12-08T01:29:02Z current 2021-05-30T13:57:36Z 2023-12-08T01:29:02Z cve-database/bin/generate-cvrf-cve.pl 2020-12-27T01:00:00Z CVE-2017-9780 In Flatpak before 0.8.7, a third-party app repository could include malicious apps that contain files with inappropriate permissions, for example setuid or world-writable. The files are deployed with those permissions, which would let a local attacker run the setuid executable or write to the world-writable location. In the case of the "system helper" component, files deployed as part of the app are owned by root, so in the worst case they could be setuid root. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://www.suse.com/support/security/rating/ SUSE Security Ratings SUSE Linux Enterprise Module for Desktop Applications 15 SUSE Linux Enterprise Module for Desktop Applications 15 SUSE Linux Enterprise Module for Desktop Applications 15 SUSE Linux Enterprise Module for Desktop Applications 15 flatpak flatpak-devel libflatpak0 typelib-1_0-Flatpak-1_0 flatpak as a component of SUSE Linux Enterprise Module for Desktop Applications 15 flatpak-devel as a component of SUSE Linux Enterprise Module for Desktop Applications 15 libflatpak0 as a component of SUSE Linux Enterprise Module for Desktop Applications 15 typelib-1_0-Flatpak-1_0 as a component of SUSE Linux Enterprise Module for Desktop Applications 15 In Flatpak before 0.8.7, a third-party app repository could include malicious apps that contain files with inappropriate permissions, for example setuid or world-writable. The files are deployed with those permissions, which would let a local attacker run the setuid executable or write to the world-writable location. In the case of the "system helper" component, files deployed as part of the app are owned by root, so in the worst case they could be setuid root. CVE-2017-9780 SUSE Linux Enterprise Module for Desktop Applications 15:flatpak SUSE Linux Enterprise Module for Desktop Applications 15:flatpak-devel SUSE Linux Enterprise Module for Desktop Applications 15:libflatpak0 SUSE Linux Enterprise Module for Desktop Applications 15:typelib-1_0-Flatpak-1_0 important 7.2 AV:L/AC:L/Au:N/C:C/I:C/A:C 7.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H