CVE-2023-28101

Flatpak metadata with ANSI control codes can cause misleading terminal output

Severity Score

4.3

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

NVD
RedHat

Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. In versions prior to 1.10.8, 1.12.8, 1.14.4, and 1.15.4, if an attacker publishes a Flatpak app with elevated permissions, they can hide those permissions from users of the `flatpak(1)` command-line interface by setting other permissions to crafted values that contain non-printable control characters such as `ESC`. A fix is available in versions 1.10.8, 1.12.8, 1.14.4, and 1.15.4. As a workaround, use a GUI like GNOME Software rather than the command-line interface, or only install apps whose maintainers you trust.

A flaw was found in Flatpak, a system for building, distributing, and running sandboxed desktop applications on Linux. Suppose an attacker publishes a Flatpak app with elevated permissions. In that case, they can hide those permissions from users of the `flatpak(1)` command-line interface by setting other permissions to crafted values that contain non-printable control characters such as `ESC.`

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

None

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

None

Integrity

Low

Availability

None

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2023-03-10 CVE Reserved
2023-03-16 CVE Published
2024-06-20 EPSS Updated
2024-08-02 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-116: Improper Encoding or Escaping of Output

CAPEC

References (7)

URL	Tag	Source
https://security.gentoo.org/glsa/202312-12

URL	Date	SRC

URL	Date	SRC
https://github.com/flatpak/flatpak/commit/409e34187de2b2b2c4ef34c79f417be698830f6c	2023-12-23
https://github.com/flatpak/flatpak/commit/6cac99dafe6003c8a4bd5666341c217876536869	2023-12-23
https://github.com/flatpak/flatpak/commit/7fe63f2e8f1fd2dafc31d45154cf0b191ebec66c	2023-12-23
https://github.com/flatpak/flatpak/security/advisories/GHSA-h43h-fwqx-mpp8	2023-12-23

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2023-28101	2023-11-14
https://bugzilla.redhat.com/show_bug.cgi?id=2179219	2023-11-14

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Flatpak Search vendor "Flatpak"		Flatpak Search vendor "Flatpak" for product "Flatpak"				< 1.10.8 Search vendor "Flatpak" for product "Flatpak" and version " < 1.10.8"		-		Affected
Flatpak Search vendor "Flatpak"		Flatpak Search vendor "Flatpak" for product "Flatpak"				>= 1.12.0 < 1.12.8 Search vendor "Flatpak" for product "Flatpak" and version " >= 1.12.0 < 1.12.8"		-		Affected
Flatpak Search vendor "Flatpak"		Flatpak Search vendor "Flatpak" for product "Flatpak"				>= 1.14.0 < 1.14.4 Search vendor "Flatpak" for product "Flatpak" and version " >= 1.14.0 < 1.14.4"		-		Affected
Flatpak Search vendor "Flatpak"		Flatpak Search vendor "Flatpak" for product "Flatpak"				>= 1.15.0 < 1.15.4 Search vendor "Flatpak" for product "Flatpak" and version " >= 1.15.0 < 1.15.4"		-		Affected