6.5 Medium (CVSS3)
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H

7.9 High (AI Score), Confidence: High

1.7 Low (CVSS2)
Access Vector: LOCAL
Access Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL
AV:L/AC:L/Au:S/C:N/I:N/A:P

0.0004 Low (EPSS), Percentile: 5.3%
Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. Versions prior to 1.10.8, 1.12.8, 1.14.4, and 1.15.4 contain a vulnerability similar to CVE-2017-5226, but using the TIOCLINUX ioctl command instead of TIOCSTI. If a Flatpak app is run on a Linux virtual console such as /dev/tty1, it can copy text from the virtual console and paste it into the command buffer, from which the command might be run after the Flatpak app has exited. Ordinary graphical terminal emulators like xterm, gnome-terminal and Konsole are unaffected. This vulnerability is specific to the Linux virtual consoles /dev/tty1, /dev/tty2 and so on. A patch is available in versions 1.10.8, 1.12.8, 1.14.4, and 1.15.4. As a workaround, don't run Flatpak on a Linux virtual console. Flatpak is primarily designed to be used in a Wayland or X11 graphical environment.
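Because the fix was backported to four separate branches, a naive "version below 1.15.4" test misclassifies patched releases such as 1.14.10 or 1.12.8. The following Python check, added here as an example and not taken from the advisory or the Flatpak project, maps an installed version to its fixed branch before comparing. It assumes that branches with no listed fix (anything before 1.10, and development series such as 1.11.x or 1.13.x) are affected, and that any release at or beyond 1.15.4 carries the fix.

```python
import re
import subprocess

# Fixed releases listed in the advisory for CVE-2023-28100, one per branch.
FIXED_VERSIONS = ("1.10.8", "1.12.8", "1.14.4", "1.15.4")


def parse_version(text):
    """Extract x.y.z from a string such as 'Flatpak 1.14.4' (the `flatpak --version` output)."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version_text):
    """Return True if the given Flatpak version is affected by CVE-2023-28100."""
    v = parse_version(version_text)
    fixed = sorted(parse_version(f) for f in FIXED_VERSIONS)
    # Same major.minor as a fixed branch: compare against that branch's own fix.
    for f in fixed:
        if v[:2] == f[:2]:
            return v < f
    # At or beyond the newest fixed release: a later branch, which carries the fix.
    if v >= fixed[-1]:
        return False
    # Assumption: older branches (1.8.x) and development series without a
    # backport (1.11.x, 1.13.x) are treated as affected, the conservative choice.
    return True


if __name__ == "__main__":
    # Queries the locally installed Flatpak; requires the `flatpak` binary on PATH.
    out = subprocess.run(["flatpak", "--version"], capture_output=True, text=True, check=True)
    state = "AFFECTED" if is_affected(out.stdout) else "patched"
    print(f"{out.stdout.strip()}: {state}")
```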
github.com/flatpak/flatpak/commit/8e63de9a7d3124f91140fc74f8ca9ed73ed53be9
github.com/flatpak/flatpak/security/advisories/GHSA-7qpw-3vjv-xrqp
launchpad.net/bugs/cve/CVE-2023-28100
marc.info/?l=oss-security&m=167879021709955&w=2
nvd.nist.gov/vuln/detail/CVE-2023-28100
security-tracker.debian.org/tracker/CVE-2023-28100
www.cve.org/CVERecord?id=CVE-2023-28100