ghsa-mvg7-8xh2-47rf
Vulnerability from github
Published
2023-11-24 21:30
Modified
2024-03-19 00:33
Severity ?
Details
OpenZFS through 2.1.13 and 2.2.x through 2.2.1, in certain scenarios involving applications that try to rely on efficient copying of file data, can replace file contents with zero-valued bytes and thus potentially disable security mechanisms. NOTE: this issue is not always security related, but can be security related in realistic situations. A possible example is cp, from a recent GNU Core Utilities (coreutils) version, when attempting to preserve a rule set for denying unauthorized access. (One might use cp when configuring access control, such as with the /etc/hosts.deny file specified in the IBM Support reference.) NOTE: this issue occurs less often in version 2.2.1, and in versions before 2.1.4, because of the default configuration in those versions.
{
"affected": [],
"aliases": [
"CVE-2023-49298"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-11-24T19:15:07Z",
"severity": "HIGH"
},
"details": "OpenZFS through 2.1.13 and 2.2.x through 2.2.1, in certain scenarios involving applications that try to rely on efficient copying of file data, can replace file contents with zero-valued bytes and thus potentially disable security mechanisms. NOTE: this issue is not always security related, but can be security related in realistic situations. A possible example is cp, from a recent GNU Core Utilities (coreutils) version, when attempting to preserve a rule set for denying unauthorized access. (One might use cp when configuring access control, such as with the /etc/hosts.deny file specified in the IBM Support reference.) NOTE: this issue occurs less often in version 2.2.1, and in versions before 2.1.4, because of the default configuration in those versions.",
"id": "GHSA-mvg7-8xh2-47rf",
"modified": "2024-03-19T00:33:48Z",
"published": "2023-11-24T21:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-49298"
},
{
"type": "WEB",
"url": "https://github.com/openzfs/zfs/issues/15526"
},
{
"type": "WEB",
"url": "https://github.com/openzfs/zfs/pull/15571"
},
{
"type": "WEB",
"url": "https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=275308"
},
{
"type": "WEB",
"url": "https://bugs.gentoo.org/917224"
},
{
"type": "WEB",
"url": "https://github.com/openzfs/zfs/releases/tag/zfs-2.1.14"
},
{
"type": "WEB",
"url": "https://github.com/openzfs/zfs/releases/tag/zfs-2.2.2"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2024/03/msg00019.html"
},
{
"type": "WEB",
"url": "https://news.ycombinator.com/item?id=38405731"
},
{
"type": "WEB",
"url": "https://news.ycombinator.com/item?id=38770168"
},
{
"type": "WEB",
"url": "https://web.archive.org/web/20231124172959/https://www.ibm.com/support/pages/how-remove-missing%C2%A0newline%C2%A0or%C2%A0line%C2%A0too%C2%A0long-error-etchostsallow%C2%A0and%C2%A0etchostsdeny-files"
},
{
"type": "WEB",
"url": "https://www.theregister.com/2023/12/04/two_new_versions_of_openzfs"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
Loading...
Loading...
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.