Amazon Linux 2 Security Advisory: ALAS-2021-1597
Advisory Release Date: 2021-02-17 00:55 Pacific
Advisory Updated Date: 2021-02-19 22:07 Pacific
A flaw was found in Flatpak. The Flatpak portal D-Bus service passes caller-specified environment variables to non-sandboxed processes on the host system, and in particular to the `flatpak run` command that is used to launch the new sandbox instance. A malicious or compromised Flatpak app could set environment variables that are trusted by the `flatpak run` command, and use them to execute arbitrary code that is outside the sandbox. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. (CVE-2021-21261 )
Run yum update flatpak to update your system.