What is CVE-2023-28100?

CVE-2023-28100 is a vulnerability in Flatpak, a system for building, distributing, and running sandboxed desktop applications on Linux.

How severe is the CVE-2023-28100 vulnerability?

The severity of CVE-2023-28100 is critical with a CVSS score of 6.5.

Which versions of Flatpak are affected by CVE-2023-28100?

Versions prior to 1.10.8, 1.12.8, 1.14.4, and 1.15.4 of Flatpak are affected by CVE-2023-28100.

What is the fix for CVE-2023-28100?

To fix CVE-2023-28100, it is recommended to upgrade to Flatpak versions 1.10.8, 1.12.8, 1.14.4, or 1.15.4.

Where can I find more information about CVE-2023-28100?

More information about CVE-2023-28100 can be found at the following references: [link1], [link2], [link3].

Vulnerability/
CVE-2023-28100

critical

CWE

16/3/2023

23/12/2023

CVE-2023-28100: TIOCLINUX can send commands outside sandbox if running on a virtual console

First published: Thu Mar 16 2023(Updated: )

Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. Versions prior to 1.10.8, 1.12.8, 1.14.4, and 1.15.4 contain a vulnerability similar to CVE-2017-5226, but using the `TIOCLINUX` ioctl command instead of `TIOCSTI`. If a Flatpak app is run on a Linux virtual console such as `/dev/tty1`, it can copy text from the virtual console and paste it into the command buffer, from which the command might be run after the Flatpak app has exited. Ordinary graphical terminal emulators like xterm, gnome-terminal and Konsole are unaffected. This vulnerability is specific to the Linux virtual consoles `/dev/tty1`, `/dev/tty2` and so on. A patch is available in versions 1.10.8, 1.12.8, 1.14.4, and 1.15.4. As a workaround, don't run Flatpak on a Linux virtual console. Flatpak is primarily designed to be used in a Wayland or X11 graphical environment.

Credit: security-advisories@github.com security-advisories@github.com

Affected Software	Affected Version	How to fix
Flatpak Flatpak	<1.10.8
Flatpak Flatpak	>=1.12.0<1.12.8
Flatpak Flatpak	>=1.14.0<1.14.4
Flatpak Flatpak	>=1.15.0<1.15.4

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is CVE-2023-28100?
CVE-2023-28100 is a vulnerability in Flatpak, a system for building, distributing, and running sandboxed desktop applications on Linux.
How severe is the CVE-2023-28100 vulnerability?
The severity of CVE-2023-28100 is critical with a CVSS score of 6.5.
Which versions of Flatpak are affected by CVE-2023-28100?
Versions prior to 1.10.8, 1.12.8, 1.14.4, and 1.15.4 of Flatpak are affected by CVE-2023-28100.
What is the fix for CVE-2023-28100?
To fix CVE-2023-28100, it is recommended to upgrade to Flatpak versions 1.10.8, 1.12.8, 1.14.4, or 1.15.4.
Where can I find more information about CVE-2023-28100?
More information about CVE-2023-28100 can be found at the following references: [link1], [link2], [link3].

agent/author
agent/description
agent/event
agent/first-publish-date
agent/last-modified-date
agent/references
agent/remedy
agent/severity
agent/softwarecombine
agent/tags
agent/title
agent/type
agent/weakness
collector/mitre-cve
collector/nvd-api
source/NVD
agent/software-canonical-lookup
collector/nvd-index
vendor/flatpak
canonical/flatpak flatpak
version/flatpak flatpak/1.12.0
version/flatpak flatpak/1.14.0
version/flatpak flatpak/1.15.0

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.