CVE-2023-28101

Source
https://nvd.nist.gov/vuln/detail/CVE-2023-28101
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-28101.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2023-28101
Downstream
Related
Published
2023-03-16T16:15:12Z
Modified
2025-09-16T07:30:21.785829Z
Severity
  • 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Summary
[none]
Details

Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. In versions prior to 1.10.8, 1.12.8, 1.14.4, and 1.15.4, if an attacker publishes a Flatpak app with elevated permissions, they can hide those permissions from users of the flatpak(1) command-line interface by setting other permissions to crafted values that contain non-printable control characters such as ESC. A fix is available in versions 1.10.8, 1.12.8, 1.14.4, and 1.15.4. As a workaround, use a GUI like GNOME Software rather than the command-line interface, or only install apps whose maintainers you trust.

References

Affected packages

Debian:11 / flatpak

Package

Name
flatpak
Purl
pkg:deb/debian/flatpak?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1.10.8-0+deb11u1

Affected versions

1.*

1.10.2-3
1.10.3-0+deb11u1~bpo11+1
1.10.3-0+deb11u1
1.10.5-0+deb11u1~bpo10+1
1.10.5-0+deb11u1
1.10.7-0+deb11u1~bpo10+1
1.10.7-0+deb11u1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / flatpak

Package

Name
flatpak
Purl
pkg:deb/debian/flatpak?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1.14.4-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / flatpak

Package

Name
flatpak
Purl
pkg:deb/debian/flatpak?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1.14.4-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:14 / flatpak

Package

Name
flatpak
Purl
pkg:deb/debian/flatpak?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1.14.4-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/flatpak/flatpak

Affected ranges

Type
GIT
Repo
https://github.com/flatpak/flatpak
Events
Introduced
0 (Unknown introduced commit / All previous commits are affected)
Fixed
Fixed
Fixed

Affected versions

0.*

0.1
0.10.0
0.10.1
0.10.2
0.11.1
0.11.2
0.11.3
0.11.4
0.11.5
0.11.6
0.11.7
0.11.8
0.11.8.1
0.11.8.2
0.11.8.3
0.2
0.2.1
0.3
0.3.1
0.3.2
0.3.3
0.3.4
0.3.5
0.3.6
0.4.0
0.4.1
0.4.10
0.4.11
0.4.12
0.4.13
0.4.2
0.4.2.1
0.4.3
0.4.4
0.4.5
0.4.6
0.4.7
0.4.8
0.4.9
0.5.0
0.5.1
0.5.2
0.6.0
0.6.1
0.6.10
0.6.11
0.6.12
0.6.13
0.6.14
0.6.2
0.6.3
0.6.4
0.6.5
0.6.6
0.6.7
0.6.8
0.6.9
0.8.0
0.8.1
0.9.1
0.9.10
0.9.11
0.9.12
0.9.2
0.9.3
0.9.4
0.9.5
0.9.6
0.9.7
0.9.8
0.9.9
0.9.98
0.9.98.1
0.9.98.2
0.9.99
0.99.1
0.99.2
0.99.3

1.*

1.0.0
1.0.1
1.0.2
1.0.3
1.1.0
1.1.1
1.1.2
1.1.3
1.10.0
1.10.1
1.10.2
1.11.1
1.11.2
1.11.3
1.12.0
1.12.1
1.12.2
1.12.3
1.12.4
1.13.1
1.13.2
1.13.3
1.14.0
1.15.0
1.15.1
1.15.2
1.15.3
1.2.0
1.2.1
1.3.0
1.3.1
1.3.2
1.3.3
1.3.4
1.4.0
1.5.0
1.5.1
1.5.2
1.6.0
1.6.1
1.6.2
1.7.1
1.7.2
1.7.3
1.8.0
1.9.1
1.9.2
1.9.3

Database specific
