{"id":"CVE-2023-28101","summary":"Flatpak metadata with ANSI control codes can cause misleading terminal output","details":"Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. In versions prior to 1.10.8, 1.12.8, 1.14.4, and 1.15.4, if an attacker publishes a Flatpak app with elevated permissions, they can hide those permissions from users of the `flatpak(1)` command-line interface by setting other permissions to crafted values that contain non-printable control characters such as `ESC`. A fix is available in versions 1.10.8, 1.12.8, 1.14.4, and 1.15.4. As a workaround, use a GUI like GNOME Software rather than the command-line interface, or only install apps whose maintainers you trust.","aliases":["GHSA-h43h-fwqx-mpp8"],"modified":"2026-03-20T12:23:32.671112Z","published":"2023-03-16T15:55:53.576Z","related":["ALSA-2023:6518","ALSA-2023:7038","MGASA-2023-0115","SUSE-SU-2023:1712-1","SUSE-SU-2023:1713-1","SUSE-SU-2023:1714-1","SUSE-SU-2023:1715-1","openSUSE-SU-2024:12800-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/28xxx/CVE-2023-28101.json","cna_assigner":"GitHub_M","cwe_ids":["CWE-116"]},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/28xxx/CVE-2023-28101.json"},{"type":"ADVISORY","url":"https://github.com/flatpak/flatpak/security/advisories/GHSA-h43h-fwqx-mpp8"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-28101"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/202312-12"},{"type":"FIX","url":"https://github.com/flatpak/flatpak/commit/409e34187de2b2b2c4ef34c79f417be698830f6c"},{"type":"FIX","url":"https://github.com/flatpak/flatpak/commit/6cac99dafe6003c8a4bd5666341c217876536869"},{"type":"FIX","url":"https://github.com/flatpak/flatpak/commit/7fe63f2e8f1fd2dafc31d45154cf0b191ebec66c"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/flatpak/flatpak","events":[{"introduced":"0"},{"fixed":"d771946b012db65e901dcc688fc8aff018879abd"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"1.10.8"}]}},{"type":"GIT","repo":"https://github.com/flatpak/flatpak","events":[{"introduced":"0cfd72442dd7301b0699725e25eb0552da3b5e98"},{"fixed":"c87d8b25c60e38e42e997786a6ed4d2376c8bcd8"}],"database_specific":{"versions":[{"introduced":"1.12.0"},{"fixed":"1.12.8"}]}},{"type":"GIT","repo":"https://github.com/flatpak/flatpak","events":[{"introduced":"488038eed44c7edf334d1e28085975d96ce2bdcc"},{"fixed":"8a1edceadfab936953e2ab947b0e7ae5b71e4173"}],"database_specific":{"versions":[{"introduced":"1.14.0"},{"fixed":"1.14.4"}]}},{"type":"GIT","repo":"https://github.com/flatpak/flatpak","events":[{"introduced":"e084a4f14befc27d08094baba8cc8f714d7e417d"},{"fixed":"e936e3100d406c50ba49f3ad6a0ecae455345ec0"}],"database_specific":{"versions":[{"introduced":"1.15.0"},{"fixed":"1.15.4"}]}}],"versions":["0.1","0.10.0","0.10.1","0.10.2","0.11.1","0.11.2","0.11.3","0.11.4","0.11.5","0.11.6","0.11.7","0.11.8","0.11.8.1","0.11.8.2","0.11.8.3","0.2","0.2.1","0.3","0.3.1","0.3.2","0.3.3","0.3.4","0.3.5","0.3.6","0.4.0","0.4.1","0.4.10","0.4.11","0.4.12","0.4.13","0.4.2","0.4.2.1","0.4.3","0.4.4","0.4.5","0.4.6","0.4.7","0.4.8","0.4.9","0.5.0","0.5.1","0.5.2","0.6.0","0.6.1","0.6.10","0.6.11","0.6.12","0.6.13","0.6.14","0.6.2","0.6.3","0.6.4","0.6.5","0.6.6","0.6.7","0.6.8","0.6.9","0.8.0","0.8.1","0.9.1","0.9.10","0.9.11","0.9.12","0.9.2","0.9.3","0.9.4","0.9.5","0.9.6","0.9.7","0.9.8","0.9.9","0.9.98","0.9.98.1","0.9.98.2","0.9.99","0.99.1","0.99.2","0.99.3","1.0.0","1.0.1","1.0.2","1.0.3","1.1.0","1.1.1","1.1.2","1.1.3","1.10.0","1.10.1","1.10.2","1.10.3","1.10.4","1.10.5","1.10.6","1.10.7","1.12.0","1.12.1","1.12.2","1.12.3","1.12.4","1.12.5","1.12.6","1.12.7","1.14.0","1.14.1","1.14.2","1.14.3","1.15.0","1.15.1","1.15.2","1.15.3","1.2.0","1.2.1","1.3.0","1.3.1","1.3.2","1.3.3","1.3.4","1.4.0","1.5.0","1.5.1","1.5.2","1.6.0","1.6.1","1.6.2","1.7.1","1.7.2","1.7.3","1.8.0","1.9.1","1.9.2","1.9.3"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-28101.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N"}]}