flatpak since 0.9.4 has a bug in the "file forwarding" feature, which can be used by an attacker to gain access to files that would not ordinarily be allowed by the app's permissions. An app's exported .desktop file is written by the app publisher; when its Exec= line runs `flatpak run --file-forwarding` with literal filenames (rather than %f/%F/%u/%U placeholders) between the `@@`/`@@u` opener and the `@@` closer, those files are forwarded into the sandbox through the document portal regardless of the app's filesystem permissions. Fixed upstream in flatpak 1.10.2 and 1.8.7. References: https://github.com/flatpak/flatpak/issues/4146
Created flatpak tracking bugs for this issue: Affects: fedora-all [bug 1936986]
External References: https://github.com/flatpak/flatpak/security/advisories/GHSA-xgh4-387p-hqpp
Mitigation: Avoid installing Flatpak apps from untrusted sources, or check the Exec= lines of the exported .desktop files in exports/share/applications/*.desktop (typically ~/.local/share/flatpak/exports/share/applications/*.desktop and /var/lib/flatpak/exports/share/applications/*.desktop) to make sure that only field codes such as %f, %F, %u or %U, and no literal filenames, follow @@ or @@u.
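The manual check above can be scripted. The following is an added example, not flatpak project code: it scans Exec= lines of exported .desktop files and flags any token inside a `@@ ... @@` or `@@u ... @@` span that is not a %f/%F/%u/%U field code. The sample .desktop files written to a temporary directory at the end are constructed for the demo and do not correspond to any real app; the app IDs org.example.Good and org.example.Evil are made up.

```shell
#!/bin/sh
# Added example (not flatpak project code): scan exported Flatpak .desktop
# files for literal filenames inside an Exec= file-forwarding span.
# A benign exporter puts only field codes (%f %F %u %U) between the
# "@@"/"@@u" opener and the "@@" closer; anything else there is a literal
# path the publisher wants forwarded, which is the CVE-2021-21381 pattern.

# check_desktop_file FILE
#   Prints every suspicious Exec= line as "FILE: LINE".
#   Returns 0 if clean, 1 if at least one suspicious line was found.
check_desktop_file() {
    awk '
        /^Exec=/ {
            n = split(substr($0, 6), tok, /[ \t]+/)
            in_span = 0; bad = 0
            for (i = 1; i <= n; i++) {
                t = tok[i]
                if (t == "") continue
                # "@@" / "@@u" open a forwarding span, "@@" closes it
                if (t == "@@" || t == "@@u") { in_span = !in_span; continue }
                # anything in the span that is not a file/URI field code is a literal
                if (in_span && t !~ /^%[fFuU]$/) bad = 1
            }
            if (bad) { print FILENAME ": " $0; found = 1 }
        }
        END { exit (found ? 1 : 0) }
    ' "$1"
}

# scan_exports [DIR...]
#   Runs check_desktop_file over every *.desktop in the given directories
#   (defaults to the user and system export paths named in the advisory).
#   Returns 0 if all files are clean, 1 if any file was flagged.
scan_exports() {
    status=0
    if [ "$#" -eq 0 ]; then
        set -- "$HOME/.local/share/flatpak/exports/share/applications" \
               /var/lib/flatpak/exports/share/applications
    fi
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for f in "$dir"/*.desktop; do
            [ -f "$f" ] || continue
            check_desktop_file "$f" || status=1
        done
    done
    return "$status"
}

# Constructed demo files (made up for this example, not from any real app).
demo=$(mktemp -d)
cat > "$demo/org.example.Good.desktop" <<'EOF'
[Desktop Entry]
Name=Good Editor
Exec=/usr/bin/flatpak run --branch=stable --arch=x86_64 --command=editor --file-forwarding org.example.Good @@u %U @@
EOF
cat > "$demo/org.example.Evil.desktop" <<'EOF'
[Desktop Entry]
Name=Evil Editor
Exec=/usr/bin/flatpak run --branch=stable --arch=x86_64 --command=editor --file-forwarding org.example.Evil @@ /home/user/.ssh/id_rsa %f @@
EOF

# Only the Evil entry is printed; the exit status is 1 because one file was flagged.
scan_exports "$demo" || echo "suspicious file forwarding found under $demo"
```

Run `scan_exports` with no arguments to check the real user and system export directories; a non-zero exit status means at least one exported launcher asks `flatpak run` to forward a fixed path. The check is a heuristic over whitespace-separated tokens, so quoted arguments containing spaces are not parsed specially, but any hard-coded path inside a forwarding span will be reported.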
Statement: This is essentially a sandbox permission bypass: the exported .desktop file is controlled by the app publisher, so exploitation requires a malicious app publisher and a user who installs and launches the app.
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2021:1002 https://access.redhat.com/errata/RHSA-2021:1002
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-21381
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:1068 https://access.redhat.com/errata/RHSA-2021:1068
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.1 Extended Update Support Via RHSA-2021:1074 https://access.redhat.com/errata/RHSA-2021:1074
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Extended Update Support Via RHSA-2021:1073 https://access.redhat.com/errata/RHSA-2021:1073