{"id":"CVE-2023-49298","details":"OpenZFS through 2.1.13 and 2.2.x through 2.2.1, in certain scenarios involving applications that try to rely on efficient copying of file data, can replace file contents with zero-valued bytes and thus potentially disable security mechanisms. NOTE: this issue is not always security related, but can be security related in realistic situations. A possible example is cp, from a recent GNU Core Utilities (coreutils) version, when attempting to preserve a rule set for denying unauthorized access. (One might use cp when configuring access control, such as with the /etc/hosts.deny file specified in the IBM Support reference.) NOTE: this issue occurs less often in version 2.2.1, and in versions before 2.1.4, because of the default configuration in those versions.","modified":"2026-04-10T05:05:02.565757Z","published":"2023-11-24T19:15:07.587Z","references":[{"type":"WEB","url":"https://github.com/openzfs/zfs/releases/tag/zfs-2.1.14"},{"type":"WEB","url":"https://github.com/openzfs/zfs/releases/tag/zfs-2.2.2"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2024/03/msg00019.html"},{"type":"WEB","url":"https://www.theregister.com/2023/12/04/two_new_versions_of_openzfs/"},{"type":"WEB","url":"https://bugs.gentoo.org/917224"},{"type":"WEB","url":"https://news.ycombinator.com/item?id=38770168"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/04/msg00009.html"},{"type":"ADVISORY","url":"https://web.archive.org/web/20231124172959/https://www.ibm.com/support/pages/how-remove-missing%C2%A0newline%C2%A0or%C2%A0line%C2%A0too%C2%A0long-error-etchostsallow%C2%A0and%C2%A0etchostsdeny-files"},{"type":"FIX","url":"https://github.com/openzfs/zfs/issues/15526"},{"type":"FIX","url":"https://news.ycombinator.com/item?id=38405731"},{"type":"FIX","url":"https://github.com/openzfs/zfs/pull/15571"},{"type":"FIX","url":"https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=275308"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/openzfs/zfs","events":[{"introduced":"0"},{"last_affected":"eb62221ff0f9efbc2ab826ec6f1388c5f05fb664"},{"introduced":"0"},{"last_affected":"95785196f26e92d82cf4445654ba84e4a9671c57"},{"fixed":"d99134be83753266b5f7a79738aeab5b08db1e35"},{"fixed":"494aaaed89cb9fe9f2da3b6c6f465a4bc9f6a7e1"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"2.1.13"},{"introduced":"0"},{"last_affected":"2.2.0-NA"}]}}],"versions":["zfs-0.5.1","zfs-0.5.2","zfs-0.6.0-rc1","zfs-0.6.0-rc10","zfs-0.6.0-rc11","zfs-0.6.0-rc12","zfs-0.6.0-rc13","zfs-0.6.0-rc14","zfs-0.6.0-rc2","zfs-0.6.0-rc3","zfs-0.6.0-rc4","zfs-0.6.0-rc5","zfs-0.6.0-rc6","zfs-0.6.0-rc7","zfs-0.6.0-rc8","zfs-0.6.0-rc9","zfs-0.6.1","zfs-0.6.2","zfs-0.6.3","zfs-0.6.4","zfs-0.6.5","zfs-0.7.0","zfs-0.7.0-rc1","zfs-0.7.0-rc2","zfs-0.7.0-rc3","zfs-0.7.0-rc4","zfs-0.7.0-rc5","zfs-0.8.0","zfs-0.8.0-rc1","zfs-0.8.0-rc2","zfs-0.8.0-rc3","zfs-0.8.0-rc4","zfs-0.8.0-rc5","zfs-2.0.0-rc1","zfs-2.1.0","zfs-2.1.0-rc1","zfs-2.1.0-rc2","zfs-2.1.0-rc3","zfs-2.1.0-rc4","zfs-2.1.0-rc5","zfs-2.1.0-rc6","zfs-2.1.0-rc7","zfs-2.1.0-rc8","zfs-2.1.1","zfs-2.1.10","zfs-2.1.11","zfs-2.1.12","zfs-2.1.13","zfs-2.1.2","zfs-2.1.3","zfs-2.1.4","zfs-2.1.5","zfs-2.1.6","zfs-2.1.7","zfs-2.1.8","zfs-2.1.9","zfs-2.1.99","zfs-2.2.0","zfs-2.2.0-rc1","zfs-2.2.0-rc2","zfs-2.2.0-rc3","zfs-2.2.0-rc4","zfs-2.2.0-rc5","zfs-2.2.1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-49298.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}]}