CVE-2023-49582

CVSS v3 5.5 MEDIUM

5.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

L

ax permissions set by the Apache Portable Runtime library on Unix platforms would allow local users read access to named shared memory segments, potentially revealing sensitive application data. This issue does not affect non-Unix platforms, or builds with APR_USE_SHMEM_SHMGET=1 (apr.h) Users are recommended to upgrade to APR version 1.7.5, which fixes this issue.

References

Link	Resource
https://lists.apache.org/thread/sntjc04t1rvjhdzz2tzmtz2zdnmv7dc4	Mailing List
http://www.openwall.com/lists/oss-security/2024/08/26/1
https://security.netapp.com/advisory/ntap-20241101-0004/

Configurations

Configuration 1 (hide)

cpe:2.3:a:apache:portable_runtime:*:*:*:*:*:*:*:*

History

21 Nov 2024, 08:33

Type	Values Removed	Values Added
References		() http://www.openwall.com/lists/oss-security/2024/08/26/1 - () https://security.netapp.com/advisory/ntap-20241101-0004/ -

27 Aug 2024, 16:04

Type	Values Removed	Values Added
Summary		(es) Los permisos laxos establecidos por la librería Apache Portable Runtime en plataformas Unix permitirían a los usuarios locales acceso de lectura a segmentos de memoria compartida con nombre, lo que podría revelar datos confidenciales de la aplicación. Este problema no afecta a plataformas que no son Unix ni a compilaciones con APR_USE_SHMEM_SHMGET=1 (apr.h). Se recomienda a los usuarios actualizar a la versión 1.7.5 de APR, que soluciona este problema.
First Time		Apache Apache portable Runtime
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 5.5
References	~~() https://lists.apache.org/thread/sntjc04t1rvjhdzz2tzmtz2zdnmv7dc4 -~~	() https://lists.apache.org/thread/sntjc04t1rvjhdzz2tzmtz2zdnmv7dc4 - Mailing List
CPE		cpe:2.3:a:apache:portable_runtime::::::::

26 Aug 2024, 14:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-08-26 14:15

Updated : 2025-03-13 15:15

NVD link : CVE-2023-49582

Mitre link : CVE-2023-49582

CVE.ORG link : CVE-2023-49582

JSON object : View

Products Affected

portable_runtime

CWE

CWE-732

Incorrect Permission Assignment for Critical Resource

{"id": "CVE-2023-49582", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 1.8}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2024-08-26T14:15:07.050", "references": [{"url": "https://lists.apache.org/thread/sntjc04t1rvjhdzz2tzmtz2zdnmv7dc4", "tags": ["Mailing List"], "source": "[email protected]"}, {"url": "http://www.openwall.com/lists/oss-security/2024/08/26/1", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://security.netapp.com/advisory/ntap-20241101-0004/", "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-732"}]}], "descriptions": [{"lang": "en", "value": "Lax permissions set by the Apache Portable Runtime library on Unix platforms would allow local users read access to named shared memory segments, potentially revealing sensitive application data. \n\nThis issue does not affect non-Unix platforms, or builds with\u00a0APR_USE_SHMEM_SHMGET=1 (apr.h)\n\nUsers are recommended to upgrade to APR version 1.7.5, which fixes this issue."}, {"lang": "es", "value": "Los permisos laxos establecidos por la librer\u00eda Apache Portable Runtime en plataformas Unix permitir\u00edan a los usuarios locales acceso de lectura a segmentos de memoria compartida con nombre, lo que podr\u00eda revelar datos confidenciales de la aplicaci\u00f3n. Este problema no afecta a plataformas que no son Unix ni a compilaciones con APR_USE_SHMEM_SHMGET=1 (apr.h). Se recomienda a los usuarios actualizar a la versi\u00f3n 1.7.5 de APR, que soluciona este problema."}], "lastModified": "2025-03-13T15:15:39.267", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:apache:portable_runtime:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CD6DB048-3EE7-4014-80B7-B6935B2B5661", "versionEndExcluding": "1.7.5", "versionStartIncluding": "0.9.0"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}