{"id":"ALPINE-CVE-2023-49298","details":"OpenZFS through 2.1.13 and 2.2.x through 2.2.1, in certain scenarios involving applications that try to rely on efficient copying of file data, can replace file contents with zero-valued bytes and thus potentially disable security mechanisms. NOTE: this issue is not always security related, but can be security related in realistic situations. A possible example is cp, from a recent GNU Core Utilities (coreutils) version, when attempting to preserve a rule set for denying unauthorized access. (One might use cp when configuring access control, such as with the /etc/hosts.deny file specified in the IBM Support reference.) NOTE: this issue occurs less often in version 2.2.1, and in versions before 2.1.4, because of the default configuration in those versions.","modified":"2025-12-03T23:04:35.637318Z","published":"2023-11-24T19:15:07.587Z","upstream":["CVE-2023-49298"],"references":[{"type":"ADVISORY","url":"https://security.alpinelinux.org/vuln/CVE-2023-49298"}],"affected":[{"package":{"name":"zfs","ecosystem":"Alpine:v3.19","purl":"pkg:apk/alpine/zfs?arch=source"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.2.1-r1"}]}],"versions":["0.6.5.7-r0","0.6.5.7-r1","0.6.5.8-r0","0.6.5.9-r0","0.6.5.9-r1","0.7.1-r0","0.7.12-r0","0.7.12-r1","0.7.13-r0","0.7.3-r0","0.7.7-r0","0.7.8-r0","0.8.0-r0","0.8.0-r1","0.8.1-r0","0.8.2-r0","0.8.2-r1","0.8.3-r0","0.8.3-r1","0.8.4-r0","0.8.5-r0","0.8.5-r1","2.0.0-r0","2.0.1-r0","2.0.3-r0","2.0.3-r1","2.0.3-r2","2.0.3-r3","2.1.1-r0","2.1.1-r1","2.1.10-r0","2.1.10-r1","2.1.10-r2","2.1.11-r0","2.1.11-r1","2.1.12-r0","2.1.13-r0","2.1.13-r1","2.1.2-r0","2.1.4-r0","2.1.4-r1","2.1.4-r2","2.1.5-r0","2.1.5-r1","2.1.6-r0","2.1.6-r1","2.1.7-r0","2.1.8-r0","2.1.9-r0","2.1.9-r1","2.2.1-r0"],"ecosystem_specific":{},"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/alpine/ALPINE-CVE-2023-49298.json"}},{"package":{"name":"zfs","ecosystem":"Alpine:v3.20","purl":"pkg:apk/alpine/zfs?arch=source"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.2.1-r1"}]}],"versions":["0.6.5.7-r0","0.6.5.7-r1","0.6.5.8-r0","0.6.5.9-r0","0.6.5.9-r1","0.7.1-r0","0.7.12-r0","0.7.12-r1","0.7.13-r0","0.7.3-r0","0.7.7-r0","0.7.8-r0","0.8.0-r0","0.8.0-r1","0.8.1-r0","0.8.2-r0","0.8.2-r1","0.8.3-r0","0.8.3-r1","0.8.4-r0","0.8.5-r0","0.8.5-r1","2.0.0-r0","2.0.1-r0","2.0.3-r0","2.0.3-r1","2.0.3-r2","2.0.3-r3","2.1.1-r0","2.1.1-r1","2.1.10-r0","2.1.10-r1","2.1.10-r2","2.1.11-r0","2.1.11-r1","2.1.12-r0","2.1.13-r0","2.1.13-r1","2.1.2-r0","2.1.4-r0","2.1.4-r1","2.1.4-r2","2.1.5-r0","2.1.5-r1","2.1.6-r0","2.1.6-r1","2.1.7-r0","2.1.8-r0","2.1.9-r0","2.1.9-r1","2.2.1-r0"],"ecosystem_specific":{},"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/alpine/ALPINE-CVE-2023-49298.json"}},{"package":{"name":"zfs","ecosystem":"Alpine:v3.21","purl":"pkg:apk/alpine/zfs?arch=source"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.2.1-r1"}]}],"versions":["0.6.5.7-r0","0.6.5.7-r1","0.6.5.8-r0","0.6.5.9-r0","0.6.5.9-r1","0.7.1-r0","0.7.12-r0","0.7.12-r1","0.7.13-r0","0.7.3-r0","0.7.7-r0","0.7.8-r0","0.8.0-r0","0.8.0-r1","0.8.1-r0","0.8.2-r0","0.8.2-r1","0.8.3-r0","0.8.3-r1","0.8.4-r0","0.8.5-r0","0.8.5-r1","2.0.0-r0","2.0.1-r0","2.0.3-r0","2.0.3-r1","2.0.3-r2","2.0.3-r3","2.1.1-r0","2.1.1-r1","2.1.10-r0","2.1.10-r1","2.1.10-r2","2.1.11-r0","2.1.11-r1","2.1.12-r0","2.1.13-r0","2.1.13-r1","2.1.2-r0","2.1.4-r0","2.1.4-r1","2.1.4-r2","2.1.5-r0","2.1.5-r1","2.1.6-r0","2.1.6-r1","2.1.7-r0","2.1.8-r0","2.1.9-r0","2.1.9-r1","2.2.1-r0"],"ecosystem_specific":{},"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/alpine/ALPINE-CVE-2023-49298.json"}},{"package":{"name":"zfs","ecosystem":"Alpine:v3.22","purl":"pkg:apk/alpine/zfs?arch=source"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.2.1-r1"}]}],"versions":["0.6.5.7-r0","0.6.5.7-r1","0.6.5.8-r0","0.6.5.9-r0","0.6.5.9-r1","0.7.1-r0","0.7.12-r0","0.7.12-r1","0.7.13-r0","0.7.3-r0","0.7.7-r0","0.7.8-r0","0.8.0-r0","0.8.0-r1","0.8.1-r0","0.8.2-r0","0.8.2-r1","0.8.3-r0","0.8.3-r1","0.8.4-r0","0.8.5-r0","0.8.5-r1","2.0.0-r0","2.0.1-r0","2.0.3-r0","2.0.3-r1","2.0.3-r2","2.0.3-r3","2.1.1-r0","2.1.1-r1","2.1.10-r0","2.1.10-r1","2.1.10-r2","2.1.11-r0","2.1.11-r1","2.1.12-r0","2.1.13-r0","2.1.13-r1","2.1.2-r0","2.1.4-r0","2.1.4-r1","2.1.4-r2","2.1.5-r0","2.1.5-r1","2.1.6-r0","2.1.6-r1","2.1.7-r0","2.1.8-r0","2.1.9-r0","2.1.9-r1","2.2.1-r0"],"ecosystem_specific":{},"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/alpine/ALPINE-CVE-2023-49298.json"}},{"package":{"name":"zfs","ecosystem":"Alpine:v3.23","purl":"pkg:apk/alpine/zfs?arch=source"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.2.1-r1"}]}],"versions":["0.6.5.7-r0","0.6.5.7-r1","0.6.5.8-r0","0.6.5.9-r0","0.6.5.9-r1","0.7.1-r0","0.7.12-r0","0.7.12-r1","0.7.13-r0","0.7.3-r0","0.7.7-r0","0.7.8-r0","0.8.0-r0","0.8.0-r1","0.8.1-r0","0.8.2-r0","0.8.2-r1","0.8.3-r0","0.8.3-r1","0.8.4-r0","0.8.5-r0","0.8.5-r1","2.0.0-r0","2.0.1-r0","2.0.3-r0","2.0.3-r1","2.0.3-r2","2.0.3-r3","2.1.1-r0","2.1.1-r1","2.1.10-r0","2.1.10-r1","2.1.10-r2","2.1.11-r0","2.1.11-r1","2.1.12-r0","2.1.13-r0","2.1.13-r1","2.1.2-r0","2.1.4-r0","2.1.4-r1","2.1.4-r2","2.1.5-r0","2.1.5-r1","2.1.6-r0","2.1.6-r1","2.1.7-r0","2.1.8-r0","2.1.9-r0","2.1.9-r1","2.2.1-r0"],"ecosystem_specific":{},"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/alpine/ALPINE-CVE-2023-49298.json"}},{"package":{"name":"zfs-lts","ecosystem":"Alpine:v3.19","purl":"pkg:apk/alpine/zfs-lts?arch=source"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.2.1-r1"}]}],"ecosystem_specific":{},"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/alpine/ALPINE-CVE-2023-49298.json"}},{"package":{"name":"zfs-lts","ecosystem":"Alpine:v3.20","purl":"pkg:apk/alpine/zfs-lts?arch=source"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.2.1-r1"}]}],"ecosystem_specific":{},"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/alpine/ALPINE-CVE-2023-49298.json"}},{"package":{"name":"zfs-lts","ecosystem":"Alpine:v3.21","purl":"pkg:apk/alpine/zfs-lts?arch=source"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.2.1-r1"}]}],"ecosystem_specific":{},"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/alpine/ALPINE-CVE-2023-49298.json"}},{"package":{"name":"zfs-lts","ecosystem":"Alpine:v3.22","purl":"pkg:apk/alpine/zfs-lts?arch=source"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.2.1-r1"}]}],"ecosystem_specific":{},"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/alpine/ALPINE-CVE-2023-49298.json"}},{"package":{"name":"zfs-lts","ecosystem":"Alpine:v3.23","purl":"pkg:apk/alpine/zfs-lts?arch=source"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.2.1-r1"}]}],"ecosystem_specific":{},"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/alpine/ALPINE-CVE-2023-49298.json"}},{"package":{"name":"zfs-rpi","ecosystem":"Alpine:v3.19","purl":"pkg:apk/alpine/zfs-rpi?arch=source"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.2.1-r1"}]}],"ecosystem_specific":{},"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/alpine/ALPINE-CVE-2023-49298.json"}},{"package":{"name":"zfs-rpi","ecosystem":"Alpine:v3.20","purl":"pkg:apk/alpine/zfs-rpi?arch=source"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.2.1-r1"}]}],"ecosystem_specific":{},"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/alpine/ALPINE-CVE-2023-49298.json"}},{"package":{"name":"zfs-rpi","ecosystem":"Alpine:v3.21","purl":"pkg:apk/alpine/zfs-rpi?arch=source"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.2.1-r1"}]}],"ecosystem_specific":{},"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/alpine/ALPINE-CVE-2023-49298.json"}},{"package":{"name":"zfs-rpi","ecosystem":"Alpine:v3.22","purl":"pkg:apk/alpine/zfs-rpi?arch=source"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.2.1-r1"}]}],"ecosystem_specific":{},"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/alpine/ALPINE-CVE-2023-49298.json"}},{"package":{"name":"zfs-rpi","ecosystem":"Alpine:v3.23","purl":"pkg:apk/alpine/zfs-rpi?arch=source"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.2.1-r1"}]}],"ecosystem_specific":{},"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/alpine/ALPINE-CVE-2023-49298.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}]}