UBUNTU-CVE-2023-28101
- Source
- https://ubuntu.com/security/CVE-2023-28101
- Import Source
- https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2023/UBUNTU-CVE-2023-28101.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/UBUNTU-CVE-2023-28101
- Upstream
- Published
- 2023-03-16T16:15:00Z
- Modified
- 2025-09-08T16:56:11Z
- Severity
-
- 5.0 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N CVSS Calculator
- 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N CVSS Calculator
- Ubuntu - medium
- Summary
- [none]
- Details
-
Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. In versions prior to 1.10.8, 1.12.8, 1.14.4, and 1.15.4, if an attacker publishes a Flatpak app with elevated permissions, they can hide those permissions from users of the
flatpak(1)command-line interface by setting other permissions to crafted values that contain non-printable control characters such asESC. A fix is available in versions 1.10.8, 1.12.8, 1.14.4, and 1.15.4. As a workaround, use a GUI like GNOME Software rather than the command-line interface, or only install apps whose maintainers you trust. - References
-
- https://ubuntu.com/security/CVE-2023-28101
- https://github.com/flatpak/flatpak/commit/6cac99dafe6003c8a4bd5666341c217876536869
- https://github.com/flatpak/flatpak/commit/7fe63f2e8f1fd2dafc31d45154cf0b191ebec66c
- https://github.com/flatpak/flatpak/commit/409e34187de2b2b2c4ef34c79f417be698830f6c
- https://github.com/flatpak/flatpak/security/advisories/GHSA-h43h-fwqx-mpp8
- https://www.cve.org/CVERecord?id=CVE-2023-28101
Affected packages
Ubuntu:Pro:18.04:LTS / flatpak
Package
- Name
- flatpak
- Purl
- pkg:deb/ubuntu/flatpak@1.0.9-0ubuntu0.4?arch=source&distro=esm-apps/bionic
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Affected versions
0.*
0.8.7-5
0.10.0-1
0.10.0-2
0.10.1-1
0.10.2-1
0.10.2.1-1
0.10.2.1-2
0.10.3-1
0.11.1-0ubuntu1
0.11.3-2
0.11.3-3
0.11.7-0ubuntu0.1
1.*
1.0.1-0ubuntu0.1
1.0.6-0ubuntu0.1
1.0.7-0ubuntu0.18.04.1
1.0.8-0ubuntu0.18.04.1
1.0.9-0ubuntu0.1
1.0.9-0ubuntu0.2
1.0.9-0ubuntu0.3
1.0.9-0ubuntu0.4
Ecosystem specific
{
"binaries": [
{
"binary_version": "1.0.9-0ubuntu0.4",
"binary_name": "flatpak"
},
{
"binary_version": "1.0.9-0ubuntu0.4",
"binary_name": "flatpak-tests"
},
{
"binary_version": "1.0.9-0ubuntu0.4",
"binary_name": "gir1.2-flatpak-1.0"
},
{
"binary_version": "1.0.9-0ubuntu0.4",
"binary_name": "libflatpak-dev"
},
{
"binary_version": "1.0.9-0ubuntu0.4",
"binary_name": "libflatpak0"
}
]
}
Ubuntu:Pro:20.04:LTS / flatpak
Package
- Name
- flatpak
- Purl
- pkg:deb/ubuntu/flatpak@1.6.5-0ubuntu0.5?arch=source&distro=esm-apps/focal
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Affected versions
1.*
1.4.3-1
1.6.0-1
1.6.1-1
1.6.2-1
1.6.3-1
1.6.5-0ubuntu0.1
1.6.5-0ubuntu0.2
1.6.5-0ubuntu0.3
1.6.5-0ubuntu0.4
1.6.5-0ubuntu0.5
Ecosystem specific
{
"binaries": [
{
"binary_version": "1.6.5-0ubuntu0.5",
"binary_name": "flatpak"
},
{
"binary_version": "1.6.5-0ubuntu0.5",
"binary_name": "flatpak-tests"
},
{
"binary_version": "1.6.5-0ubuntu0.5",
"binary_name": "gir1.2-flatpak-1.0"
},
{
"binary_version": "1.6.5-0ubuntu0.5",
"binary_name": "libflatpak-dev"
},
{
"binary_version": "1.6.5-0ubuntu0.5",
"binary_name": "libflatpak0"
}
]
}
Ubuntu:22.04:LTS / flatpak
Package
- Name
- flatpak
- Purl
- pkg:deb/ubuntu/flatpak@1.12.7-1ubuntu0.1?arch=source&distro=jammy
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Affected versions
1.*
1.10.2-3
1.12.2-1
1.12.2-2
1.12.3-1
1.12.4-1
1.12.5-1
1.12.6-1
1.12.7-1
1.12.7-1ubuntu0.1
Ecosystem specific
{
"binaries": [
{
"binary_version": "1.12.7-1ubuntu0.1",
"binary_name": "flatpak"
},
{
"binary_version": "1.12.7-1ubuntu0.1",
"binary_name": "flatpak-tests"
},
{
"binary_version": "1.12.7-1ubuntu0.1",
"binary_name": "gir1.2-flatpak-1.0"
},
{
"binary_version": "1.12.7-1ubuntu0.1",
"binary_name": "libflatpak-dev"
},
{
"binary_version": "1.12.7-1ubuntu0.1",
"binary_name": "libflatpak0"
}
]
}
Ubuntu:24.04:LTS / flatpak
Package
- Name
- flatpak
- Purl
- pkg:deb/ubuntu/flatpak@1.14.6-1ubuntu0.1?arch=source&distro=noble
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Affected versions
1.*
1.14.4-2
1.14.5-1
1.14.5-1build1
1.14.5-1build4
1.14.5-1build5
1.14.5-1build6
1.14.6-1
1.14.6-1ubuntu0.1
Ecosystem specific
{
"binaries": [
{
"binary_version": "1.14.6-1ubuntu0.1",
"binary_name": "flatpak"
},
{
"binary_version": "1.14.6-1ubuntu0.1",
"binary_name": "flatpak-tests"
},
{
"binary_version": "1.14.6-1ubuntu0.1",
"binary_name": "gir1.2-flatpak-1.0"
},
{
"binary_version": "1.14.6-1ubuntu0.1",
"binary_name": "libflatpak-dev"
},
{
"binary_version": "1.14.6-1ubuntu0.1",
"binary_name": "libflatpak0"
}
]
}
Ubuntu:25.04 / flatpak
Package
- Name
- flatpak
- Purl
- pkg:deb/ubuntu/flatpak@1.16.0-2?arch=source&distro=plucky
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Ecosystem specific
{
"binaries": [
{
"binary_version": "1.16.0-2",
"binary_name": "flatpak"
},
{
"binary_version": "1.16.0-2",
"binary_name": "flatpak-tests"
},
{
"binary_version": "1.16.0-2",
"binary_name": "gir1.2-flatpak-1.0"
},
{
"binary_version": "1.16.0-2",
"binary_name": "libflatpak-dev"
},
{
"binary_version": "1.16.0-2",
"binary_name": "libflatpak0"
}
]
}