PT-2023-9223 · Flatpak+7 · Flatpak+7

Smcv · Published 2023-03-16 · Updated 2024-06-27 · CVE-2023-28101

CVSS v3.1: 5.0 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions

Flatpak versions prior to 1.10.8
Flatpak versions prior to 1.12.8
Flatpak versions prior to 1.14.4
Flatpak versions prior to 1.15.4

Description

Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. In affected versions, an attacker can publish a Flatpak app with elevated permissions and hide those permissions from users of the flatpak(1) command-line interface by setting other permissions to crafted values that contain non-printable control characters such as ESC. This could allow a remote attacker to impact the integrity of data.

Recommendations

For versions prior to 1.10.8, update to version 1.10.8 or later.
For versions prior to 1.12.8, update to version 1.12.8 or later.
For versions prior to 1.14.4, update to version 1.14.4 or later.
For versions prior to 1.15.4, update to version 1.15.4 or later.

As a temporary workaround, consider using a GUI like GNOME Software rather than the command-line interface, or only install apps whose maintainers you trust.
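
A defensive check for the issue described above, as an added example that is not part of the advisory or of Flatpak's own code: it scans the text of an app's `metadata` key file for control characters and reports each affected entry with those characters made visible. The sample metadata, the app ID `org.example.Demo`, the function names and the `\xNN` rendering are constructed for illustration.

```python
import re

# C0 controls (including ESC, 0x1b), DEL and C1 controls. Once the file has
# been split on "\n", no key-file line legitimately contains any of these.
CONTROL = re.compile(r"[\x00-\x1f\x7f-\x9f]")


def escape_for_terminal(text: str) -> str:
    """Render control characters visibly as \\xNN instead of emitting them."""
    return CONTROL.sub(lambda m: f"\\x{ord(m.group()):02x}", text)


def audit_metadata(raw: str) -> list[tuple[str, str, str]]:
    """Return (group, key, value), escaped, for each entry with a control character."""
    findings = []
    group = ""
    # split("\n"), not splitlines(): splitlines() also breaks on \x0b, \x0c,
    # \x1c-\x1e and \x85, which would drop the very characters we look for.
    for line in raw.split("\n"):
        if line.startswith("[") and line.endswith("]"):
            group = line[1:-1]
            if CONTROL.search(group):
                findings.append((escape_for_terminal(group), "", ""))
            continue
        if not line or line.startswith("#"):
            continue  # blank lines and comments are not shown as permissions
        key, _, value = line.partition("=")
        if CONTROL.search(line):
            findings.append(tuple(map(escape_for_terminal, (group, key, value))))
    return findings


# Constructed sample: one ordinary permission plus one value carrying a
# harmless ESC sequence (SGR reset) standing in for a crafted value.
SAMPLE = (
    "[Application]\n"
    "name=org.example.Demo\n"
    "[Context]\n"
    "filesystems=home;\n"
    "[Environment]\n"
    "DEMO_VAR=value\x1b[0mtail\n"
)

if __name__ == "__main__":
    for group, key, value in audit_metadata(SAMPLE):
        print(f"control character in [{group}] {key}={value}")
```

Any finding is a reason to inspect the app's full permission set in a viewer that does not interpret terminal escapes before installing it.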

Exploit

Fix

Weakness Enumeration

Improper Encoding or Escaping of Output

Related Identifiers

ALSA-2023:6518
ALSA-2023:7038
ALT-PU-2023-1477
ALT-PU-2023-1512
BDU:2024-04882
CESA-2023_7038
CVE-2023-28101
GHSA-H43H-FWQX-MPP8
MGASA-2023-0115
OESA-2024-1423
OESA-2024-1424
OESA-2024-1425
OESA-2024-1426
OPENSUSE-SU-2024:12800-1
RHSA-2023:6518
RHSA-2023:7038
RHSA-2023_6518
RHSA-2023_7038
RLSA-2023:6518
ROSA-SA-2024-2337
SUSE-SU-2023:1712-1
SUSE-SU-2023:1713-1
SUSE-SU-2023:1714-1
SUSE-SU-2023:1715-1

Affected Products

ALT Linux
AlmaLinux
CentOS
Flatpak
Red Hat
RED OS
Rocky Linux
SUSE