CVE-2023-28101

CWE-116 | 5 documents | 5 sources
Severity
4.3 MEDIUM
EPSS
0.3%
top 43.95%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Mar 16

Description

Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. In versions prior to 1.10.8, 1.12.8, 1.14.4, and 1.15.4, if an attacker publishes a Flatpak app with elevated permissions, they can hide those permissions from users of the `flatpak(1)` command-line interface by setting other permissions to crafted values that contain non-printable control characters such as `ESC`. A fix is available in versions 1.10.8, 1.12.8, 1.14.4, and 1.15.4. As a workaround
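The description above explains the mechanism: a permission value carrying control characters such as ESC is printed verbatim, so the terminal interprets it and can visually hide a neighbouring, more sensitive line. The following is an added example, not flatpak's own code, showing how a CLI that prints untrusted metadata can detect such values and render them harmlessly; the `[Context]` metadata sample is constructed for the demonstration.

```python
import re

# Constructed Flatpak-style metadata. The "persistent" value embeds ESC-prefixed
# cursor-up and erase-line sequences that, printed raw, would wipe the lines above it.
SAMPLE_METADATA = (
    "[Context]\n"
    "filesystems=host;\n"
    "devices=all;\n"
    "persistent=.cache;\x1b[1A\x1b[2K\x1b[1A\x1b[2K\n"
)

# C0 controls (except newline), DEL, and C1 controls (which can also open escape sequences).
CONTROL_CHARS = re.compile(r"[\x00-\x09\x0b-\x1f\x7f\x80-\x9f]")


def has_control_chars(value: str) -> bool:
    """True if the value contains a character a terminal might interpret rather than print."""
    return CONTROL_CHARS.search(value) is not None


def escape_for_terminal(value: str) -> str:
    """Replace every control character with a visible \\xNN form so nothing is interpreted."""
    return CONTROL_CHARS.sub(lambda m: "\\x%02x" % ord(m.group(0)), value)


def parse_context(metadata: str) -> dict:
    """Collect KEY=VALUE pairs from the [Context] group; values stay verbatim (untrusted input)."""
    perms, in_context = {}, False
    for line in metadata.split("\n"):
        if line.startswith("["):
            in_context = line == "[Context]"
        elif in_context and "=" in line:
            key, _, val = line.partition("=")
            perms[key.strip()] = val
    return perms


def render_permissions(metadata: str) -> list:
    """Build the display lines a CLI would print, escaping values and flagging suspicious ones."""
    lines = []
    for key, val in parse_context(metadata).items():
        flag = " [contains control characters]" if has_control_chars(val) else ""
        lines.append(f"{key}: {escape_for_terminal(val)}{flag}")
    return lines


if __name__ == "__main__":
    for line in render_permissions(SAMPLE_METADATA):
        print(line)
```

Run as-is, every permission line reaches the screen intact and the crafted value is shown as literal `\x1b` text with a flag, which is the behaviour a fixed listing tool should have.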

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N
Exploitability: 3.1 | Impact: 1.4

Affected Packages (3 packages)

Source     | Package         | Affected versions
CVEListV5  | flatpak/flatpak | < 1.10.8 (+3 more ranges)
NVD        | flatpak/flatpak | 1.12.0 to 1.12.8 (+3 more ranges)
Debian     | flatpak         | < 1.10.8-0+deb11u1 (+3 more ranges)

Patches

Vulnerability Details (2)

OSV: CVE-2023-28101: Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux (2023-03-16)
CVEList: Flatpak metadata with ANSI control codes can cause misleading terminal output (2023-03-16)

Vendor Advisories (2)

Red Hat: flatpak: Metadata with ANSI control codes can cause misleading terminal output (2023-03-16)
Debian: CVE-2023-28101: flatpak - Flatpak is a system for building, distributing, and running sandboxed desktop ap... (2023)
CVE-2023-28101 (MEDIUM CVSS 4.3) | Flatpak is a system for building | cvebase.io