CVE-2023-49298

Exploit

EPSS 1.16%
Veröffentlicht 24.11.2023 19:15:07
Zuletzt bearbeitet 03.11.2025 20:16:04
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

OpenZFS through 2.1.13 and 2.2.x through 2.2.1, in certain scenarios involving applications that try to rely on efficient copying of file data, can replace file contents with zero-valued bytes and thus potentially disable security mechanisms. NOTE: this issue is not always security related, but can be security related in realistic situations. A possible example is cp, from a recent GNU Core Utilities (coreutils) version, when attempting to preserve a rule set for denying unauthorized access. (One might use cp when configuring access control, such as with the /etc/hosts.deny file specified in the IBM Support reference.) NOTE: this issue occurs less often in version 2.2.1, and in versions before 2.1.4, because of the default configuration in those versions.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 15

NVD 2 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Openzfs ≫ Openzfs Version <= 2.1.13

Freebsd ≫ Freebsd Version14.0 Update-

Openzfs ≫ Openzfs Version2.2.0 Update-

Freebsd ≫ Freebsd Version14.0 Update-

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	1.16%	0.629

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
134c704f-9b21-4f2e-91b3-4a467353bcc0	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CWE-639 Authorization Bypass Through User-Controlled Key

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

https://lists.debian.org/debian-lts-announce/2024/03/msg00019.html

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=275308

Patch

Issue Tracking

https://bugs.gentoo.org/917224

https://github.com/openzfs/zfs/issues/15526

Patch

Vendor Advisory

Exploit

Issue Tracking

https://github.com/openzfs/zfs/pull/15571

Patch

Vendor Advisory

Exploit

https://github.com/openzfs/zfs/releases/tag/zfs-2.1.14

https://github.com/openzfs/zfs/releases/tag/zfs-2.2.2

https://news.ycombinator.com/item?id=38405731

Patch

Third Party Advisory

https://news.ycombinator.com/item?id=38770168

https://web.archive.org/web/20231124172959/https://www.ibm.com/support/pages/how-remove-missing%C2%A0newline%C2%A0or%C2%A0line%C2%A0too%C2%A0long-error-etchostsallow%C2%A0and%C2%A0etchostsdeny-files

Third Party Advisory

https://www.theregister.com/2023/12/04/two_new_versions_of_openzfs/

https://lists.debian.org/debian-lts-announce/2025/04/msg00009.html

https://nvd.nist.gov/vuln/detail/CVE-2023-49298

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-49298

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-49298

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2023-49298