{"api_version":"1","generated_at":"2026-04-12T00:29:16+00:00","cve":"CVE-2023-28101","urls":{"html":"https://cve.report/CVE-2023-28101","api":"https://cve.report/api/cve/CVE-2023-28101.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2023-28101","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2023-28101"},"summary":{"title":"CVE-2023-28101","description":"Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. In versions prior to 1.10.8, 1.12.8, 1.14.4, and 1.15.4, if an attacker publishes a Flatpak app with elevated permissions, they can hide those permissions from users of the `flatpak(1)` command-line interface by setting other permissions to crafted values that contain non-printable control characters such as `ESC`. A fix is available in versions 1.10.8, 1.12.8, 1.14.4, and 1.15.4. As a workaround, use a GUI like GNOME Software rather than the command-line interface, or only install apps whose maintainers you trust.","state":"PUBLIC","assigner":"security-advisories@github.com","published_at":"2023-03-16 16:15:00","updated_at":"2023-12-23 10:15:00"},"problem_types":["CWE-116"],"metrics":[],"references":[{"url":"https://github.com/flatpak/flatpak/commit/7fe63f2e8f1fd2dafc31d45154cf0b191ebec66c","name":"https://github.com/flatpak/flatpak/commit/7fe63f2e8f1fd2dafc31d45154cf0b191ebec66c","refsource":"MISC","tags":[],"title":"Reject paths given to --filesystem/--persist with special characters · flatpak/flatpak@7fe63f2 · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://github.com/flatpak/flatpak/security/advisories/GHSA-h43h-fwqx-mpp8","name":"https://github.com/flatpak/flatpak/security/advisories/GHSA-h43h-fwqx-mpp8","refsource":"MISC","tags":[],"title":"CVE-2023-28101: Metadata with ANSI control codes can cause misleading terminal output · Advisory · flatpak/flatpak · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://github.com/flatpak/flatpak/commit/409e34187de2b2b2c4ef34c79f417be698830f6c","name":"https://github.com/flatpak/flatpak/commit/409e34187de2b2b2c4ef34c79f417be698830f6c","refsource":"MISC","tags":[],"title":"cli-transaction: Escape any special characters in the EOL reason · flatpak/flatpak@409e341 · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://security.gentoo.org/glsa/202312-12","name":"https://security.gentoo.org/glsa/202312-12","refsource":"","tags":[],"title":"Flatpak: Multiple Vulnerabilities (GLSA 202312-12) — Gentoo security","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://github.com/flatpak/flatpak/commit/6cac99dafe6003c8a4bd5666341c217876536869","name":"https://github.com/flatpak/flatpak/commit/6cac99dafe6003c8a4bd5666341c217876536869","refsource":"MISC","tags":[],"title":"Ensure special characters in permissions and metadata are escaped · flatpak/flatpak@6cac99d · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-28101","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-28101","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2023","cve_id":"28101","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"flatpak","cpe5":"flatpak","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2023-28101","qid":"161068","title":"Oracle Enterprise Linux Security Update for flatpak (ELSA-2023-6518)"},{"cve":"CVE-2023-28101","qid":"161150","title":"Oracle Enterprise Linux Security Update for flatpak (ELSA-2023-7038)"},{"cve":"CVE-2023-28101","qid":"181854","title":"Debian Security Update for flatpak (CVE-2023-28101)"},{"cve":"CVE-2023-28101","qid":"242294","title":"Red Hat Update for flatpak security (RHSA-2023:6518)"},{"cve":"CVE-2023-28101","qid":"242423","title":"Red Hat Update for flatpak security (RHSA-2023:7038)"},{"cve":"CVE-2023-28101","qid":"283814","title":"Fedora Security Update for flatpak (FEDORA-2023-b0717d8c45)"},{"cve":"CVE-2023-28101","qid":"283849","title":"Fedora Security Update for flatpak (FEDORA-2023-9fbc701e0d)"},{"cve":"CVE-2023-28101","qid":"284241","title":"Fedora Security Update for flatpak (FEDORA-2023-508e400dec)"},{"cve":"CVE-2023-28101","qid":"710812","title":"Gentoo Linux Flatpak Multiple Vulnerabilities (GLSA 202312-12)"},{"cve":"CVE-2023-28101","qid":"753858","title":"SUSE Enterprise Linux Security Update for flatpak (SUSE-SU-2023:1714-1)"},{"cve":"CVE-2023-28101","qid":"753859","title":"SUSE Enterprise Linux Security Update for flatpak (SUSE-SU-2023:1713-1)"},{"cve":"CVE-2023-28101","qid":"753883","title":"SUSE Enterprise Linux Security Update for flatpak (SUSE-SU-2023:1712-1)"},{"cve":"CVE-2023-28101","qid":"941369","title":"AlmaLinux Security Update for flatpak (ALSA-2023:6518)"},{"cve":"CVE-2023-28101","qid":"941429","title":"AlmaLinux Security Update for flatpak (ALSA-2023:7038)"}]},"source_records":{"cve_program":{"data_version":"4.0","data_type":"CVE","data_format":"MITRE","CVE_data_meta":{"ID":"CVE-2023-28101","ASSIGNER":"security-advisories@github.com","STATE":"PUBLIC"},"description":{"description_data":[{"lang":"eng","value":"Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. In versions prior to 1.10.8, 1.12.8, 1.14.4, and 1.15.4, if an attacker publishes a Flatpak app with elevated permissions, they can hide those permissions from users of the `flatpak(1)` command-line interface by setting other permissions to crafted values that contain non-printable control characters such as `ESC`. A fix is available in versions 1.10.8, 1.12.8, 1.14.4, and 1.15.4. As a workaround, use a GUI like GNOME Software rather than the command-line interface, or only install apps whose maintainers you trust."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-116: Improper Encoding or Escaping of Output","cweId":"CWE-116"}]}]},"affects":{"vendor":{"vendor_data":[{"vendor_name":"flatpak","product":{"product_data":[{"product_name":"flatpak","version":{"version_data":[{"version_affected":"=","version_value":"< 1.10.8"},{"version_affected":"=","version_value":">= 1.12.0, < 1.12.8"},{"version_affected":"=","version_value":">= 1.14.0, < 1.14.4"},{"version_affected":"=","version_value":">= 1.15.0, < 1.15.4"}]}}]}}]}},"references":{"reference_data":[{"url":"https://github.com/flatpak/flatpak/security/advisories/GHSA-h43h-fwqx-mpp8","refsource":"MISC","name":"https://github.com/flatpak/flatpak/security/advisories/GHSA-h43h-fwqx-mpp8"},{"url":"https://github.com/flatpak/flatpak/commit/409e34187de2b2b2c4ef34c79f417be698830f6c","refsource":"MISC","name":"https://github.com/flatpak/flatpak/commit/409e34187de2b2b2c4ef34c79f417be698830f6c"},{"url":"https://github.com/flatpak/flatpak/commit/6cac99dafe6003c8a4bd5666341c217876536869","refsource":"MISC","name":"https://github.com/flatpak/flatpak/commit/6cac99dafe6003c8a4bd5666341c217876536869"},{"url":"https://github.com/flatpak/flatpak/commit/7fe63f2e8f1fd2dafc31d45154cf0b191ebec66c","refsource":"MISC","name":"https://github.com/flatpak/flatpak/commit/7fe63f2e8f1fd2dafc31d45154cf0b191ebec66c"}]},"source":{"advisory":"GHSA-h43h-fwqx-mpp8","discovery":"UNKNOWN"},"impact":{"cvss":[{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":5,"baseSeverity":"MEDIUM","confidentialityImpact":"NONE","integrityImpact":"LOW","privilegesRequired":"LOW","scope":"CHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N","version":"3.1"}]}},"nvd":{"publishedDate":"2023-03-16 16:15:00","lastModifiedDate":"2023-12-23 10:15:00","problem_types":["CWE-116"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"NONE","baseScore":4.3,"baseSeverity":"MEDIUM"},"exploitabilityScore":2.8,"impactScore":1.4}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:flatpak:flatpak:*:*:*:*:*:*:*:*","versionStartIncluding":"1.15.0","versionEndExcluding":"1.15.4","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:flatpak:flatpak:*:*:*:*:*:*:*:*","versionStartIncluding":"1.14.0","versionEndExcluding":"1.14.4","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:flatpak:flatpak:*:*:*:*:*:*:*:*","versionStartIncluding":"1.12.0","versionEndExcluding":"1.12.8","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:flatpak:flatpak:*:*:*:*:*:*:*:*","versionEndExcluding":"1.10.8","cpe_name":[]}]}]}},"legacy_mitre":{"record":null,"notes":[]}}}