CVE-2023-28100

Published: 16/03/2023 Updated: 23/12/2023
CVSS v3 Base Score: 6.5 | Impact Score: 4 | Exploitability Score: 2
VMScore: 0

Vulnerability Summary

Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. Versions before 1.10.8, 1.12.8, 1.14.4, and 1.15.4 contain a vulnerability similar to CVE-2017-5226, but using the `TIOCLINUX` ioctl command instead of `TIOCSTI`. If a Flatpak app is run on a Linux virtual console such as `/dev/tty1`, it can copy text from the virtual console and paste it into the command buffer, from which the command might be run after the Flatpak app has exited. Ordinary graphical terminal emulators like xterm, gnome-terminal and Konsole are unaffected. This vulnerability is specific to the Linux virtual consoles `/dev/tty1`, `/dev/tty2` and so on. A patch is available in versions 1.10.8, 1.12.8, 1.14.4, and 1.15.4. As a workaround, don't run Flatpak on a Linux virtual console. Flatpak is primarily designed to be used in a Wayland or X11 graphical environment.

Vulnerable Products

flatpak (vendor: flatpak)

Vendor Advisories

Debian Bug report logs - #1033099 flatpak: CVE-2023-28100: TIOCLINUX can send commands outside sandbox if running on a virtual console. Package: flatpak; Maintainer for flatpak is Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>; Source for flatpak is src:flatpak (PTS, buildd, popcon). Reported by: Simo ...
Synopsis: Moderate: flatpak security, bug fix, and enhancement update. Type/Severity: Security Advisory: Moderate. Topic: An update for flatpak is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated ...
Synopsis: Moderate: flatpak security, bug fix, and enhancement update. Type/Severity: Security Advisory: Moderate. Topic: An update for flatpak is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated ...
Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. Versions prior to 1.10.8, 1.12.8, 1.14.4, and 1.15.4 contain a vulnerability similar to CVE-2017-5226, but using the TIOCLINUX ioctl command instead of TIOCSTI. If a Flatpak app is run on a Linux virtual console such as /dev/tty1, it can copy text f ...
Description: The MITRE CVE dictionary describes this issue as: Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. Versions prior to 1.10.8, 1.12.8, 1.14.4, and 1.15.4 contain a vulnerability similar to CVE-2017-5226, but using the `TIOCLINUX` ioctl command instead of `TIOCSTI`. If a Flatpak app is run ...