Vulnerability CVE-2023-2861: Information

Description

A flaw was found in the 9p passthrough filesystem (9pfs) implementation in QEMU. The 9pfs server did not prohibit opening special files on the host side, potentially allowing a malicious client to escape from the exported 9p tree by creating and opening a device file in the shared folder.

Severity: HIGH (7.1) Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

URL: https://nvd.nist.gov/vuln/detail/CVE-2023-2861
Published: Dec. 6, 2023
Modified: March 11, 2024

Fixed packages

Package name
Branch
Fixed in version
Version from repository
Errata ID
Task #
State
qemusisyphus8.0.3-alt18.2.3-alt1ALT-PU-2023-4715-1325821Fixed
qemusisyphus_riscv648.0.3-alt0.1.rv648.0.3-alt0.1.rv64ALT-PU-2023-4832-1-Fixed
qemup108.0.4-alt1.p108.2.2-alt0.p10.1ALT-PU-2023-5241-3328289Fixed
qemuc10f18.0.4-alt1.p108.2.2-alt0.p10.1ALT-PU-2023-7183-2334310Fixed

References to Advisories, Solutions, and Tools

Hyperlink
Resource
https://access.redhat.com/security/cve/CVE-2023-2861
  • Vendor Advisory
RHBZ#2219266
  • Issue Tracking
  • Patch
https://security.netapp.com/advisory/ntap-20240125-0005/
    https://security.netapp.com/advisory/ntap-20240229-0002/
      https://lists.debian.org/debian-lts-announce/2024/03/msg00012.html

          1. Configuration 1

            cpe:2.3:a:qemu:qemu:*:*:*:*:*:*:*:*
            End excliding
            8.1.0
        VKontakte|Telegram|YouTube|Forum|GitHub|Bugzilla
        Version: v24.5.1
        Back to top