#VU73834 Input validation error in Flatpak - CVE-2023-28101
Published: March 20, 2023
Vulnerability identifier: #VU73834
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2023-28101
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
Flatpak
Software vendor:
Flatpak
Description
The vulnerability allows a remote attacker to perform a spoofing attack.
The vulnerability exists due to insufficient validation of user-supplied input when displaying permissions and metadata. A remote attacker can create a specially crafted app whose metadata manipulates how the permissions list is displayed, tricking the user into granting the app more permissions than they agreed to.
Remediation
Install updates from the vendor's website.
External links
- https://github.com/flatpak/flatpak/commit/6cac99dafe6003c8a4bd5666341c217876536869
- https://github.com/flatpak/flatpak/commit/7fe63f2e8f1fd2dafc31d45154cf0b191ebec66c
- https://github.com/flatpak/flatpak/commit/409e34187de2b2b2c4ef34c79f417be698830f6c
- https://github.com/flatpak/flatpak/security/advisories/GHSA-h43h-fwqx-mpp8