Input validation error in Flatpak - CVE-2023-28101

 


Published: March 20, 2023


Vulnerability identifier: #VU73834
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2023-28101
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Flatpak
Affected software:
Flatpak

Detailed vulnerability description

The vulnerability allows a remote attacker to perform a spoofing attack.

The vulnerability exists due to insufficient validation of user-supplied input when displaying permissions and metadata. A remote attacker can create a specially crafted app whose metadata manipulates the appearance of the permissions list, tricking the user into granting the app more permissions than the user agreed to.


How to mitigate CVE-2023-28101

Install updates from the vendor's website.
