CVE-2023-49298

OpenZFS through 2.1.13 and 2.2.x through 2.2.1, in certain scenarios involving applications that try to rely on efficient copying of file data, can replace file contents with zero-valued bytes and thus potentially disable security mechanisms. NOTE: this issue is not always security related, but can be security related in realistic situations. A possible example is cp, from a recent GNU Core Utilities (coreutils) version, when attempting to preserve a rule set for denying unauthorized access. (One might use cp when configuring access control, such as with the /etc/hosts.deny file specified in the IBM Support reference.) NOTE: this issue occurs less often in version 2.2.1, and in versions before 2.1.4, because of the default configuration in those versions.
Configurations

Configuration 1 (hide)

AND
OR cpe:2.3:a:openzfs:openzfs:*:*:*:*:*:*:*:*
cpe:2.3:a:openzfs:openzfs:2.2.0:-:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.0:-:*:*:*:*:*:*

History

18 Mar 2024, 22:15

Type Values Removed Values Added
References
  • () https://lists.debian.org/debian-lts-announce/2024/03/msg00019.html -

26 Dec 2023, 15:15

Type Values Removed Values Added
References
  • () https://bugs.gentoo.org/917224 -
  • () https://news.ycombinator.com/item?id=38770168 -

07 Dec 2023, 07:15

Type Values Removed Values Added
References
  • () https://github.com/openzfs/zfs/releases/tag/zfs-2.2.2 -
  • () https://www.theregister.com/2023/12/04/two_new_versions_of_openzfs/ -
  • () https://github.com/openzfs/zfs/releases/tag/zfs-2.1.14 -

30 Nov 2023, 20:10

Type Values Removed Values Added
CPE cpe:2.3:a:openzfs:openzfs:2.2.0:-:*:*:*:*:*:*
cpe:2.3:a:openzfs:openzfs:*:*:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.0:-:*:*:*:*:*:*
CWE CWE-639
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 7.5
First Time Freebsd freebsd
Openzfs openzfs
Freebsd
Openzfs
References () https://news.ycombinator.com/item?id=38405731 - () https://news.ycombinator.com/item?id=38405731 - Patch, Third Party Advisory
References () https://web.archive.org/web/20231124172959/https://www.ibm.com/support/pages/how-remove-missing%C2%A0newline%C2%A0or%C2%A0line%C2%A0too%C2%A0long-error-etchostsallow%C2%A0and%C2%A0etchostsdeny-files - () https://web.archive.org/web/20231124172959/https://www.ibm.com/support/pages/how-remove-missing%C2%A0newline%C2%A0or%C2%A0line%C2%A0too%C2%A0long-error-etchostsallow%C2%A0and%C2%A0etchostsdeny-files - Third Party Advisory
References () https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=275308 - () https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=275308 - Issue Tracking, Patch
References () https://github.com/openzfs/zfs/issues/15526 - () https://github.com/openzfs/zfs/issues/15526 - Exploit, Issue Tracking, Patch, Vendor Advisory
References () https://github.com/openzfs/zfs/pull/15571 - () https://github.com/openzfs/zfs/pull/15571 - Exploit, Patch, Vendor Advisory

24 Nov 2023, 19:15

Type Values Removed Values Added
New CVE

Information

Published : 2023-11-24 19:15

Updated : 2024-10-11 21:36


NVD link : CVE-2023-49298

Mitre link : CVE-2023-49298

CVE.ORG link : CVE-2023-49298


JSON object : View

Products Affected

freebsd

  • freebsd

openzfs

  • openzfs
CWE
CWE-639

Authorization Bypass Through User-Controlled Key