// For flags

CVE-2023-28101

Flatpak metadata with ANSI control codes can cause misleading terminal output

Severity Score

4.3
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Track
*SSVC
Descriptions

Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. In versions prior to 1.10.8, 1.12.8, 1.14.4, and 1.15.4, if an attacker publishes a Flatpak app with elevated permissions, they can hide those permissions from users of the `flatpak(1)` command-line interface by setting other permissions to crafted values that contain non-printable control characters such as `ESC`. A fix is available in versions 1.10.8, 1.12.8, 1.14.4, and 1.15.4. As a workaround, use a GUI like GNOME Software rather than the command-line interface, or only install apps whose maintainers you trust.

A flaw was found in Flatpak, a system for building, distributing, and running sandboxed desktop applications on Linux. Suppose an attacker publishes a Flatpak app with elevated permissions. In that case, they can hide those permissions from users of the `flatpak(1)` command-line interface by setting other permissions to crafted values that contain non-printable control characters such as `ESC.`

Several vulnerabilities have been found in Flatpack, the worst of which lead to privilege escalation and sandbox escape. Versions greater than or equal to 1.14.4 are affected.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
None
Integrity
Low
Availability
None
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None
Attack Vector
Network
Attack Complexity
Low
Authentication
Single
Confidentiality
None
Integrity
Partial
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:Track
Exploitation
None
Automatable
No
Tech. Impact
Partial
* Organization's Worst-case Scenario
Timeline
  • 2023-03-10 CVE Reserved
  • 2023-03-16 CVE Published
  • 2025-02-25 CVE Updated
  • 2025-03-30 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-116: Improper Encoding or Escaping of Output
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Flatpak
Search vendor "Flatpak"
 Flatpak
Search vendor "Flatpak" for product "Flatpak"
 < 1.10.8
Search vendor "Flatpak" for product "Flatpak" and version " < 1.10.8"
-
Affected
Flatpak
Search vendor "Flatpak"
 Flatpak
Search vendor "Flatpak" for product "Flatpak"
 >= 1.12.0 < 1.12.8
Search vendor "Flatpak" for product "Flatpak" and version " >= 1.12.0 < 1.12.8"
-
Affected
Flatpak
Search vendor "Flatpak"
 Flatpak
Search vendor "Flatpak" for product "Flatpak"
 >= 1.14.0 < 1.14.4
Search vendor "Flatpak" for product "Flatpak" and version " >= 1.14.0 < 1.14.4"
-
Affected
Flatpak
Search vendor "Flatpak"
 Flatpak
Search vendor "Flatpak" for product "Flatpak"
 >= 1.15.0 < 1.15.4
Search vendor "Flatpak" for product "Flatpak" and version " >= 1.15.0 < 1.15.4"
-
Affected