PT-2023-9223 · Flatpak+7

Smcv · Published 2023-03-16 · Updated 2024-06-27 · CVE-2023-28101

CVSS v3.1: 5.0 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions

Flatpak versions prior to 1.10.8
Flatpak versions prior to 1.12.8
Flatpak versions prior to 1.14.4
Flatpak versions prior to 1.15.4

Description

The issue is related to Flatpak, the system for building, distributing, and running sandboxed desktop applications on Linux. In affected versions, an attacker can publish a Flatpak app with elevated permissions and hide those permissions from users of the flatpak(1) command-line interface by setting other permissions to crafted values that contain non-printable control characters such as ESC. This could allow a remote attacker to impact the integrity of data.

Recommendations

For versions prior to 1.10.8, update to version 1.10.8 or later.
For versions prior to 1.12.8, update to version 1.12.8 or later.
For versions prior to 1.14.4, update to version 1.14.4 or later.
For versions prior to 1.15.4, update to version 1.15.4 or later.

As a temporary workaround, consider using a GUI like GNOME Software rather than the command-line interface, or only install apps whose maintainers you trust.
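The weakness behind this record is output that is printed without escaping. The example below is added here and is not Flatpak's own code: it parses the `[Context]` section of a keyfile-style metadata string (a constructed sample, with a single ESC byte standing in for the crafted values the description mentions), flags any permission value that contains non-printable characters, and renders every value with those characters turned into visible `\xNN` / `\uNNNN` escapes so a terminal cannot interpret them. The function and key names are assumptions for illustration; the check goes slightly beyond the advisory by also treating Unicode format characters (zero-width, bidi overrides) as non-printable, since they can mislead a reader in the same way.

```python
import configparser
import unicodedata

# Constructed sample modelled on the [Context] section of a Flatpak metadata
# keyfile. The "\x1b" (ESC) inside "sockets" represents the kind of control
# character the advisory describes; it is not a working terminal sequence.
SAMPLE_METADATA = (
    "[Application]\n"
    "name=org.example.Demo\n"
    "\n"
    "[Context]\n"
    "shared=network;ipc;\n"
    "sockets=x11;\x1bwayland;\n"
    "filesystems=home;\n"
)


def parse_context(text: str) -> dict[str, str]:
    """Return the key/value pairs of the [Context] section (hypothetical helper)."""
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.optionxform = str  # keep key case exactly as written in the file
    parser.read_string(text)
    if not parser.has_section("Context"):
        return {}
    return dict(parser["Context"])


def is_nonprintable(ch: str) -> bool:
    """True for characters a terminal or reader should never see raw.

    Cc = control characters (C0 including ESC, DEL, and the C1 range),
    Cf = format characters such as zero-width and bidi-override code points,
    Zl/Zp = line and paragraph separators.
    """
    return unicodedata.category(ch) in {"Cc", "Cf", "Zl", "Zp"}


def escape_nonprintable(value: str) -> str:
    """Replace non-printable characters with visible escapes before display."""
    out = []
    for ch in value:
        if is_nonprintable(ch):
            cp = ord(ch)
            out.append(f"\\x{cp:02x}" if cp < 0x100 else f"\\u{cp:04x}")
        elif ch == "\\":
            # Escape a literal backslash so "\x1b" typed as text in a value
            # cannot be confused with an escaped ESC byte.
            out.append("\\\\")
        else:
            out.append(ch)
    return "".join(out)


def find_suspicious_keys(context: dict[str, str]) -> list[str]:
    """Keys whose values carry non-printable characters, in file order."""
    return [k for k, v in context.items() if any(is_nonprintable(c) for c in v)]


def render_permissions(context: dict[str, str]) -> list[str]:
    """Lines safe to print: every value passes through escape_nonprintable."""
    return [f"{key}: {escape_nonprintable(value)}"
            for key, value in sorted(context.items())]


if __name__ == "__main__":
    ctx = parse_context(SAMPLE_METADATA)
    for key in find_suspicious_keys(ctx):
        print(f"warning: permission '{key}' contains non-printable characters")
    for line in render_permissions(ctx):
        print(line)
```

Run as a script, the sample produces a warning for `sockets` and prints `sockets: x11;\x1bwayland;` with the ESC visible as text, which is the behaviour the fixed Flatpak versions aim for when listing permissions: nothing in the metadata can move the cursor or erase lines, so the `filesystems=home;` entry stays on screen.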

Weakness Enumeration

Improper Encoding or Escaping of Output

Related Identifiers

ALSA-2023:6518
ALSA-2023:7038
ALT-PU-2023-1477
ALT-PU-2023-1512
BDU:2024-04882
CESA-2023_7038
CVE-2023-28101
GHSA-H43H-FWQX-MPP8
MGASA-2023-0115
OESA-2024-1423
OESA-2024-1424
OESA-2024-1425
OESA-2024-1426
OPENSUSE-SU-2024:12800-1
RHSA-2023:6518
RHSA-2023:7038
RHSA-2023_6518
RHSA-2023_7038
RLSA-2023:6518
ROSA-SA-2024-2337
SUSE-SU-2023:1712-1
SUSE-SU-2023:1713-1
SUSE-SU-2023:1714-1
SUSE-SU-2023:1715-1

Affected Products

ALT Linux
AlmaLinux
CentOS
Flatpak
Red Hat
RED OS
Rocky Linux
SUSE