High severity7.8NVD Advisory· Published Jun 21, 2017· Updated May 13, 2026

CVE-2017-9780

Description

In Flatpak before 0.8.7, a third-party app repository could include malicious apps that contain files with inappropriate permissions, for example setuid or world-writable. The files are deployed with those permissions, which would let a local attacker run the setuid executable or write to the world-writable location. In the case of the "system helper" component, files deployed as part of the app are owned by root, so in the worst case they could be setuid root.

Affected products

Flatpak/Flatpak
cpe:2.3:a:flatpak:flatpak:*:*:*:*:*:*:*:*
Range: <=0.8.6
Debian/Debian Linux
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

bugs.debian.org/865413nvdIssue TrackingPatchThird Party Advisory
github.com/flatpak/flatpak/issues/845nvdIssue TrackingPatchThird Party Advisory
www.debian.org/security/2017/dsa-3895nvdThird Party Advisory
www.securityfocus.com/bid/99346nvdThird Party AdvisoryVDB Entry

News mentions

No linked articles in our index yet.

cvss	0.507
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000