Rapid7 Vulnerability & Exploit Database

Alpine Linux: CVE-2023-49298: Authorization Bypass Through User-Controlled Key

Free InsightVM Trial No Credit Card Necessary
2024 Attack Intel Report Latest research by Rapid7 Labs
Back to Search

Alpine Linux: CVE-2023-49298: Authorization Bypass Through User-Controlled Key

Severity
8
CVSS
(AV:N/AC:L/Au:N/C:N/I:C/A:N)
Published
11/24/2023
Created
08/23/2024
Added
08/22/2024
Modified
08/23/2024

Description

OpenZFS through 2.1.13 and 2.2.x through 2.2.1, in certain scenarios involving applications that try to rely on efficient copying of file data, can replace file contents with zero-valued bytes and thus potentially disable security mechanisms. NOTE: this issue is not always security related, but can be security related in realistic situations. A possible example is cp, from a recent GNU Core Utilities (coreutils) version, when attempting to preserve a rule set for denying unauthorized access. (One might use cp when configuring access control, such as with the /etc/hosts.deny file specified in the IBM Support reference.) NOTE: this issue occurs less often in version 2.2.1, and in versions before 2.1.4, because of the default configuration in those versions.

Solution(s)

  • alpine-linux-upgrade-zfs-lts
  • alpine-linux-upgrade-zfs-rpi
  • alpine-linux-upgrade-zfs

With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.

– Scott Cheney, Manager of Information Security, Sierra View Medical Center

;