CVE-2023-28101

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2023-28101

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-28101.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2023-28101

Aliases

GHSA-h43h-fwqx-mpp8

Related

Published

2023-03-16T16:15:12Z

Modified

2024-09-18T03:23:30.909945Z

Severity

4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N CVSS Calculator

Summary

[none]

Details

Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. In versions prior to 1.10.8, 1.12.8, 1.14.4, and 1.15.4, if an attacker publishes a Flatpak app with elevated permissions, they can hide those permissions from users of the flatpak(1) command-line interface by setting other permissions to crafted values that contain non-printable control characters such as ESC. A fix is available in versions 1.10.8, 1.12.8, 1.14.4, and 1.15.4. As a workaround, use a GUI like GNOME Software rather than the command-line interface, or only install apps whose maintainers you trust.

References

Affected packages

Debian:11 / flatpak

Package

Name: flatpak
Purl: pkg:deb/debian/flatpak?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.10.8-0+deb11u1

Affected versions

1.*

1.10.2-3

1.10.3-0+deb11u1~bpo11+1

1.10.3-0+deb11u1

1.10.5-0+deb11u1~bpo10+1

1.10.5-0+deb11u1

1.10.7-0+deb11u1~bpo10+1

1.10.7-0+deb11u1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / flatpak

Package

Name: flatpak
Purl: pkg:deb/debian/flatpak?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.14.4-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / flatpak

Package

Name: flatpak
Purl: pkg:deb/debian/flatpak?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.14.4-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/flatpak/flatpak

Affected ranges

Type: GIT
Repo: https://github.com/flatpak/flatpak
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

409e34187de2b2b2c4ef34c79f417be698830f6c

Fixed

6cac99dafe6003c8a4bd5666341c217876536869

Fixed

7fe63f2e8f1fd2dafc31d45154cf0b191ebec66c

Affected versions

0.*

0.1

0.10.0

0.10.1

0.10.2

0.11.1

0.11.2

0.11.3

0.11.4

0.11.5

0.11.6

0.11.7

0.11.8

0.11.8.1

0.11.8.2

0.11.8.3

0.2

0.2.1

0.3

0.3.1

0.3.2

0.3.3

0.3.4

0.3.5

0.3.6

0.4.0

0.4.1

0.4.10

0.4.11

0.4.12

0.4.13

0.4.2

0.4.2.1

0.4.3

0.4.4

0.4.5

0.4.6

0.4.7

0.4.8

0.4.9

0.5.0

0.5.1

0.5.2

0.6.0

0.6.1

0.6.10

0.6.11

0.6.12

0.6.13

0.6.14

0.6.2

0.6.3

0.6.4

0.6.5

0.6.6

0.6.7

0.6.8

0.6.9

0.8.0

0.8.1

0.9.1

0.9.10

0.9.11

0.9.12

0.9.2

0.9.3

0.9.4

0.9.5

0.9.6

0.9.7

0.9.8

0.9.9

0.9.98

0.9.98.1

0.9.98.2

0.9.99

0.99.1

0.99.2

0.99.3

1.*

1.0.0

1.0.1

1.0.2

1.0.3

1.1.0

1.1.1

1.1.2

1.1.3

1.10.0

1.10.1

1.10.2

1.11.1

1.11.2

1.11.3

1.12.0

1.12.1

1.12.2

1.12.3

1.12.4

1.13.1

1.13.2

1.13.3

1.14.0

1.15.0

1.15.1

1.15.2

1.15.3

1.2.0

1.2.1

1.3.0

1.3.1

1.3.2

1.3.3

1.3.4

1.4.0

1.5.0

1.5.1

1.5.2

1.6.0

1.6.1

1.6.2

1.7.1

1.7.2

1.7.3

1.8.0

1.9.1

1.9.2

1.9.3