Unrated severityNVD Advisory· Published Mar 16, 2023· Updated Feb 25, 2025
Flatpak metadata with ANSI control codes can cause misleading terminal output
CVE-2023-28101
Description
Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. In versions prior to 1.10.8, 1.12.8, 1.14.4, and 1.15.4, if an attacker publishes a Flatpak app with elevated permissions, they can hide those permissions from users of the flatpak(1) command-line interface by setting other permissions to crafted values that contain non-printable control characters such as ESC. A fix is available in versions 1.10.8, 1.12.8, 1.14.4, and 1.15.4. As a workaround, use a GUI like GNOME Software rather than the command-line interface, or only install apps whose maintainers you trust.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
25- osv-coords23 versionspkg:rpm/almalinux/flatpakpkg:rpm/almalinux/flatpak-develpkg:rpm/almalinux/flatpak-libspkg:rpm/almalinux/flatpak-selinuxpkg:rpm/almalinux/flatpak-session-helperpkg:rpm/opensuse/flatpak&distro=openSUSE%20Leap%2015.4pkg:rpm/opensuse/flatpak&distro=openSUSE%20Tumbleweedpkg:rpm/suse/flatpak&distro=SUSE%20Enterprise%20Storage%207pkg:rpm/suse/flatpak&distro=SUSE%20Enterprise%20Storage%207.1pkg:rpm/suse/flatpak&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-LTSSpkg:rpm/suse/flatpak&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP2-LTSSpkg:rpm/suse/flatpak&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP3-ESPOSpkg:rpm/suse/flatpak&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP3-LTSSpkg:rpm/suse/flatpak&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015%20SP4pkg:rpm/suse/flatpak&distro=SUSE%20Linux%20Enterprise%20Real%20Time%2015%20SP3pkg:rpm/suse/flatpak&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5pkg:rpm/suse/flatpak&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-LTSSpkg:rpm/suse/flatpak&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP2-LTSSpkg:rpm/suse/flatpak&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP3-LTSSpkg:rpm/suse/flatpak&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5pkg:rpm/suse/flatpak&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP1pkg:rpm/suse/flatpak&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP2pkg:rpm/suse/flatpak&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP3
< 1.12.8-1.el9+ 22 more
- (no CPE)range: < 1.12.8-1.el9
- (no CPE)range: < 1.12.8-1.el9
- (no CPE)range: < 1.12.8-1.el9
- (no CPE)range: < 1.12.8-1.el9
- (no CPE)range: < 1.12.8-1.el9
- (no CPE)range: < 1.12.8-150400.3.3.1
- (no CPE)range: < 1.14.4-1.1
- (no CPE)range: < 1.10.8-150200.4.15.1
- (no CPE)range: < 1.10.8-150200.4.15.1
- (no CPE)range: < 1.2.3-150100.4.11.1
- (no CPE)range: < 1.10.8-150200.4.15.1
- (no CPE)range: < 1.10.8-150200.4.15.1
- (no CPE)range: < 1.10.8-150200.4.15.1
- (no CPE)range: < 1.12.8-150400.3.3.1
- (no CPE)range: < 1.10.8-150200.4.15.1
- (no CPE)range: < 1.4.2-3.3.1
- (no CPE)range: < 1.2.3-150100.4.11.1
- (no CPE)range: < 1.10.8-150200.4.15.1
- (no CPE)range: < 1.10.8-150200.4.15.1
- (no CPE)range: < 1.4.2-3.3.1
- (no CPE)range: < 1.2.3-150100.4.11.1
- (no CPE)range: < 1.10.8-150200.4.15.1
- (no CPE)range: < 1.10.8-150200.4.15.1
Patches
Vulnerability mechanics
References
5- github.com/flatpak/flatpak/commit/409e34187de2b2b2c4ef34c79f417be698830f6cmitrex_refsource_MISC
- github.com/flatpak/flatpak/commit/6cac99dafe6003c8a4bd5666341c217876536869mitrex_refsource_MISC
- github.com/flatpak/flatpak/commit/7fe63f2e8f1fd2dafc31d45154cf0b191ebec66cmitrex_refsource_MISC
- github.com/flatpak/flatpak/security/advisories/GHSA-h43h-fwqx-mpp8mitrex_refsource_CONFIRM
- security.gentoo.org/glsa/202312-12mitre
News mentions
0No linked articles in our index yet.