CVE-2023-2861

Advisory lineage Upstream: 0 Downstream: 14

Downstream

DEBIAN-CVE-2023-2861 DLA-3759-1 MGASA-2024-0047 OPENSUSE-SU-2024:13058-1 SUSE-SU-2023:3015-1 SUSE-SU-2023:3082-1

Modified

Published: 06 Dec 2023, 06:19

Last modified:02 Aug 2024, 06:33

Vulnerability Summary

Overall Risk (default)

medium

28/100

CVSS Score

7.1 HIGH

v3.1 (nvd)

EPSS Score

0.04% LOW

0% probability 0.00%

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

06 Dec 2023, 06:19

Published

Vulnerability first disclosed

02 Aug 2024, 06:33

Last Modified

Vulnerability information updated

Description

A flaw was found in the 9p passthrough filesystem (9pfs) implementation in QEMU. The 9pfs server did not prohibit opening special files on the host side, potentially allowing a malicious client to escape from the exported 9p tree by creating and opening a device file in the shared folder.

CVSS Metrics

v3.1•MEDIUM•Score: 6CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
v3.1•HIGH•Score: 7.1CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

EPSS Trends

Current EPSS score: 0.04%• Percentile: 14%

Techniques & Countermeasures

CWE-284•Improper Access Control
The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

Affected Systems

qemu•qemu
< 8.1.0