CVE-2023-1386

EPSS 0.02%
Veröffentlicht 24.07.2023 16:15:11
Zuletzt bearbeitet 21.11.2024 07:39:05
Quelle secalert@redhat.com
Teams Watchlist Login
Unerledigt Login

A flaw was found in the 9p passthrough filesystem (9pfs) implementation in QEMU. When a local user in the guest writes an executable file with SUID or SGID, none of these privileged bits are correctly dropped. As a result, in rare circumstances, this flaw could be used by malicious users in the guest to elevate their privileges within the guest and help a host local user to elevate privileges on the host.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 8

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Qemu ≫ Qemu

Fedoraproject ≫ Fedora Version38

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.02%	0.022

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.8	1.8	5.9	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
secalert@redhat.com	3.3	1.8	1.4	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

CWE-281 Improper Preservation of Permissions

The product does not preserve permissions or incorrectly preserves permissions when copying, restoring, or sharing objects, which can cause them to have less restrictive permissions than intended.

https://access.redhat.com/security/cve/CVE-2023-1386

Third Party Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=2223985

Third Party Advisory

Issue Tracking

https://github.com/advisories/GHSA-ppj8-867g-rgjr

https://github.com/v9fs/linux/issues/29

https://security.netapp.com/advisory/ntap-20230831-0005/

https://nvd.nist.gov/vuln/detail/CVE-2023-1386

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-1386

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-1386

EUVD