Improper Encoding or Escaping of Output
CVE-2023-28101
Summary
Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. In versions through 1.10.7, 1.11.1 through 1.12.7-1, 1.13.1 through 1.14.3-1, and 1.15.0 through 1.15.3, if an attacker publishes a Flatpak app with elevated permissions, they can hide those permissions from users of the "flatpak(1)" command-line interface by setting other permissions to crafted values that contain non-printable control characters such as "ESC", which the terminal interprets rather than displays. As a workaround, use a GUI like GNOME Software rather than the command-line interface, or only install apps whose maintainers you trust.
- LOW
- NETWORK
- LOW
- UNCHANGED
- NONE
- LOW
- NONE
- NONE
CWE-116 - Improper Encoding or Escaping of Output
The software prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.
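The defensive fix for this class of issue is to escape every non-printable character before a metadata value reaches the terminal, so that nothing in an app's permission strings can alter how the rest of the listing is rendered. The following is an added illustration in Python, not Flatpak's own code; the permission values and the `render_permissions` helper are constructed for the example.

```python
import unicodedata


def escape_control_chars(value: str) -> str:
    """Return value with every non-printable character shown as a visible escape.

    Covers C0 controls (0x00-0x1f), DEL (0x7f) and C1 controls (0x80-0x9f),
    plus any other code point in Unicode category Cc/Cf/Zl/Zp that a terminal
    may act on instead of displaying.
    """
    out = []
    for ch in value:
        cp = ord(ch)
        if ch == "\\":
            out.append("\\\\")  # escape the escape character itself
        elif cp < 0x20 or cp == 0x7F or 0x80 <= cp <= 0x9F:
            out.append(f"\\x{cp:02x}")
        elif unicodedata.category(ch) in ("Cc", "Cf", "Zl", "Zp"):
            out.append(f"\\u{cp:04x}")
        else:
            out.append(ch)
    return "".join(out)


def has_control_chars(value: str) -> bool:
    """True if value contains anything escape_control_chars would rewrite;
    usable as a reject-on-install check rather than only a display fix."""
    return escape_control_chars(value.replace("\\", "")) != value.replace("\\", "")


def render_permissions(permissions) -> str:
    """Render one permission per line, escaping each value before output."""
    return "\n".join(f"  {escape_control_chars(p)}" for p in permissions)


# Constructed sample metadata: the third entry embeds ESC (0x1b) and CR (0x0d),
# the kind of control characters the advisory describes.
SAMPLE_PERMISSIONS = [
    "--share=network",
    "--device=all",
    "--talk-name=org.example.Helper\x1b\r",
]

if __name__ == "__main__":
    print(render_permissions(SAMPLE_PERMISSIONS))
```

Printing the escaped listing shows the ESC and CR as `\x1b` and `\x0d` instead of letting the terminal execute them.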
References
Advisory Timeline
- Published