#VU73835 Input validation error in Flatpak - CVE-2023-28100

 


Published: March 20, 2023


Vulnerability identifier: #VU73835
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2023-28100
CWE-ID: CWE-20
Exploitation vector: Local access
Exploit availability: No public exploit available
Vulnerable software: Flatpak
Software vendor: Flatpak

Description

The vulnerability allows a malicious application to compromise the affected system.

The vulnerability exists due to insufficient validation of user-supplied input when handling copy/paste operations. If a Flatpak app is run on a Linux virtual console such as `/dev/tty1`, it can copy text from the virtual console and paste it into the command buffer, from which the command might be run after the Flatpak app has exited.


Remediation

Install updates from the vendor's website.
