CVE-2023-28101: Flatpak metadata with ANSI control codes can cause misleading terminal output

Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2023-28101

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title

Flatpak metadata with ANSI control codes can cause misleading terminal output

Source: NVD (National Vulnerability Database)

Vulnerability Description

Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. In versions prior to 1.10.8, 1.12.8, 1.14.4, and 1.15.4, if an attacker publishes a Flatpak app with elevated permissions, they can hide those permissions from users of the `flatpak(1)` command-line interface by setting other permissions to crafted values that contain non-printable control characters such as `ESC`. A fix is available in versions 1.10.8, 1.12.8, 1.14.4, and 1.15.4. As a workaround, use a GUI like GNOME Software rather than the command-line interface, or only install apps whose maintainers you trust.

Source: NVD (National Vulnerability Database)

CVSS Information

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N

Source: NVD (National Vulnerability Database)

Vulnerability Type

对输出编码和转义不恰当

Source: NVD (National Vulnerability Database)

Vulnerability Title

Flatpak 安全漏洞

Source: CNNVD (China National Vulnerability Database)

Vulnerability Description

Flatpak是一套用于Linux桌面应用计算机环境的应用程序虚拟化系统。 Flatpak 1.10.8之前版本、1.12.x版本至1.12.8版本、1.14.x版本至1.14.4版本、1.15.x版本至1.15.4版本存在安全漏洞。攻击者利用该漏洞可以提升权限。

Source: CNNVD (China National Vulnerability Database)

CVSS Information

N/A

Source: CNNVD (China National Vulnerability Database)

Vulnerability Type

N/A

Source: CNNVD (China National Vulnerability Database)

Affected Products

Vendor	Product	Affected Versions	CPE	Subscribe
flatpak	flatpak	< 1.10.8	-

II. Public POCs for CVE-2023-28101

#	POC Description	Source Link	Shenlong Link

AI-Generated POCPremium

No public POC found.

III. Intelligence Information for CVE-2023-28101

Please Login to view more intelligence information

IV. Related Vulnerabilities

Same product: flatpak

Same vendor: flatpak

Same weakness: CWE-116

V. Comments for CVE-2023-28101

No comments yet

Goal Reached Thanks to every supporter — we hit 100%!

I. Basic Information for CVE-2023-28101

Vulnerability Information

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Affected Products

II. Public POCs for CVE-2023-28101

III. Intelligence Information for CVE-2023-28101

IV. Related Vulnerabilities

V. Comments for CVE-2023-28101

Leave a comment