CVE-2023-28100 - OpenCVE

Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. Versions prior to 1.10.8, 1.12.8, 1.14.4, and 1.15.4 contain a vulnerability similar to CVE-2017-5226, but using the `TIOCLINUX` ioctl command instead of `TIOCSTI`. If a Flatpak app is run on a Linux virtual console such as `/dev/tty1`, it can copy text from the virtual console and paste it into the command buffer, from which the command might be run after the Flatpak app has exited. Ordinary graphical terminal emulators like xterm, gnome-terminal and Konsole are unaffected. This vulnerability is specific to the Linux virtual consoles `/dev/tty1`, `/dev/tty2` and so on. A patch is available in versions 1.10.8, 1.12.8, 1.14.4, and 1.15.4. As a workaround, don't run Flatpak on a Linux virtual console. Flatpak is primarily designed to be used in a Wayland or X11 graphical environment.

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Flatpak	Flatpak

Configuration 1 [-]

OR	cpe:2.3:a:flatpak:flatpak::::::::
	cpe:2.3:a:flatpak:flatpak::::::::
	cpe:2.3:a:flatpak:flatpak::::::::
	cpe:2.3:a:flatpak:flatpak::::::::

References

Link	Resource
https://github.com/flatpak/flatpak/commit/8e63de9a7d3124f91140fc74f8ca9ed73ed53be9	Patch
https://github.com/flatpak/flatpak/security/advisories/GHSA-7qpw-3vjv-xrqp	Patch Vendor Advisory
https://marc.info/?l=oss-security&m=167879021709955&w=2	Mailing List
https://security.gentoo.org/glsa/202312-12

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-03-16T15:51:32.037Z

Updated: 2023-03-16T15:51:32.037Z

Reserved: 2023-03-10T18:34:29.226Z

Link: CVE-2023-28100

JSON object: View

NVD Information

Status : Modified

Published: 2023-03-16T16:15:12.553

Modified: 2023-12-23T10:15:09.703

Link: CVE-2023-28100

JSON object: View

Redhat Information

No data.

CWE

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2023-28100", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-03-10T18:34:29.226Z", "datePublished": "2023-03-16T15:51:32.037Z", "dateUpdated": "2023-03-16T15:51:32.037Z"}, "containers": {"cna": {"title": "TIOCLINUX can send commands outside sandbox if running on a virtual console", "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "lang": "en", "description": "CWE-20: Improper Input Validation", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/flatpak/flatpak/security/advisories/GHSA-7qpw-3vjv-xrqp", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/flatpak/flatpak/security/advisories/GHSA-7qpw-3vjv-xrqp"}, {"name": "https://github.com/flatpak/flatpak/commit/8e63de9a7d3124f91140fc74f8ca9ed73ed53be9", "tags": ["x_refsource_MISC"], "url": "https://github.com/flatpak/flatpak/commit/8e63de9a7d3124f91140fc74f8ca9ed73ed53be9"}, {"name": "https://marc.info/?l=oss-security&m=167879021709955&w=2", "tags": ["x_refsource_MISC"], "url": "https://marc.info/?l=oss-security&m=167879021709955&w=2"}, {"url": "https://security.gentoo.org/glsa/202312-12"}], "affected": [{"vendor": "flatpak", "product": "flatpak", "versions": [{"version": "< 1.10.8", "status": "affected"}, {"version": ">= 1.12.0, < 1.12.8", "status": "affected"}, {"version": ">= 1.14.0, < 1.14.4", "status": "affected"}, {"version": ">= 1.15.0, < 1.15.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-03-16T15:51:32.037Z"}, "descriptions": [{"lang": "en", "value": "Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. Versions prior to 1.10.8, 1.12.8, 1.14.4, and 1.15.4 contain a vulnerability similar to CVE-2017-5226, but using the `TIOCLINUX` ioctl command instead of `TIOCSTI`. If a Flatpak app is run on a Linux virtual console such as `/dev/tty1`, it can copy text from the virtual console and paste it into the command buffer, from which the command might be run after the Flatpak app has exited. Ordinary graphical terminal emulators like xterm, gnome-terminal and Konsole are unaffected. This vulnerability is specific to the Linux virtual consoles `/dev/tty1`, `/dev/tty2` and so on. A patch is available in versions 1.10.8, 1.12.8, 1.14.4, and 1.15.4. As a workaround, don't run Flatpak on a Linux virtual console. Flatpak is primarily designed to be used in a Wayland or X11 graphical environment."}], "source": {"advisory": "GHSA-7qpw-3vjv-xrqp", "discovery": "UNKNOWN"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:flatpak:flatpak:*:*:*:*:*:*:*:*", "matchCriteriaId": "D7C3C072-DE21-4063-A561-44CA1E5AE584", "versionEndExcluding": "1.10.8", "vulnerable": true}, {"criteria": "cpe:2.3:a:flatpak:flatpak:*:*:*:*:*:*:*:*", "matchCriteriaId": "3572AF68-883F-44B3-95F8-5062ED29D5F9", "versionEndExcluding": "1.12.8", "versionStartIncluding": "1.12.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:flatpak:flatpak:*:*:*:*:*:*:*:*", "matchCriteriaId": "50573059-1A6E-40DA-9D68-9D054DCC71BE", "versionEndExcluding": "1.14.4", "versionStartIncluding": "1.14.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:flatpak:flatpak:*:*:*:*:*:*:*:*", "matchCriteriaId": "02CAAC00-232B-45A2-86ED-1EE9DC1F0128", "versionEndExcluding": "1.15.4", "versionStartIncluding": "1.15.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. Versions prior to 1.10.8, 1.12.8, 1.14.4, and 1.15.4 contain a vulnerability similar to CVE-2017-5226, but using the `TIOCLINUX` ioctl command instead of `TIOCSTI`. If a Flatpak app is run on a Linux virtual console such as `/dev/tty1`, it can copy text from the virtual console and paste it into the command buffer, from which the command might be run after the Flatpak app has exited. Ordinary graphical terminal emulators like xterm, gnome-terminal and Konsole are unaffected. This vulnerability is specific to the Linux virtual consoles `/dev/tty1`, `/dev/tty2` and so on. A patch is available in versions 1.10.8, 1.12.8, 1.14.4, and 1.15.4. As a workaround, don't run Flatpak on a Linux virtual console. Flatpak is primarily designed to be used in a Wayland or X11 graphical environment."}], "id": "CVE-2023-28100", "lastModified": "2023-12-23T10:15:09.703", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.0, "impactScore": 4.0, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2023-03-16T16:15:12.553", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/flatpak/flatpak/commit/8e63de9a7d3124f91140fc74f8ca9ed73ed53be9"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/flatpak/flatpak/security/advisories/GHSA-7qpw-3vjv-xrqp"}, {"source": "security-advisories@github.com", "tags": ["Mailing List"], "url": "https://marc.info/?l=oss-security&m=167879021709955&w=2"}, {"source": "security-advisories@github.com", "url": "https://security.gentoo.org/glsa/202312-12"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-20"}], "source": "security-advisories@github.com", "type": "Secondary"}]}