2307913 – (CVE-2023-49582) CVE-2023-49582 APR: Lax permissions in Apache Portable Runtime shared memory

Bug 2307913 (CVE-2023-49582) - CVE-2023-49582 APR: Lax permissions in Apache Portable Runtime shared memory

Summary: CVE-2023-49582 APR: Lax permissions in Apache Portable Runtime shared memory

Keywords:
Status:	NEW
Alias:	CVE-2023-49582
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2308485 2308486 2308487 2308488
Blocks:
TreeView+	depends on / blocked

Reported:	2024-08-26 14:20 UTC by OSIDB Bzimport
Modified:	2024-09-03 15:23 UTC (History)
CC List:	11 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:	A flaw was found in the Apache Portable Runtime (APR) library. This issue allows local users to read named shared memory segments due to incorrect permissions, potentially revealing sensitive application data.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2024-08-26 14:20:30 UTC

Lax permissions set by the Apache Portable Runtime library on Unix platforms would allow local users read access to named shared memory segments, potentially revealing sensitive application data. 

This issue does not affect non-Unix platforms, or builds with APR_USE_SHMEM_SHMGET=1 (apr.h)

Users are recommended to upgrade to APR version 1.7.5, which fixes this issue.

Note You need to log in before you can comment on or make changes to this bug.