{
  "document": {
    "aggregate_severity": {
      "text": "Medium"
    },
    "category": "csaf_vex",
    "csaf_version": "2.0",
    "distribution": {
      "text": "TuxCare License Agreement",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Cloud Linux Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://tuxcare.com/contact/",
      "name": "TuxCare",
      "namespace": "https://tuxcare.com/"
    },
    "references": [
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.tuxcare.com/csaf/v2/els_os/almalinux9.2esu/vex/2023/cve-2023-49582-els_os-almalinux9_2esu.json"
      }
    ],
    "title": "Security update on CVE-2023-49582",
    "tracking": {
      "current_release_date": "2026-01-19T22:18:41Z",
      "generator": {
        "date": "2026-01-19T22:18:41Z",
        "engine": {
          "name": "pyCSAF"
        }
      },
      "id": "CVE-2023-49582-ELS_OS-ALMALINUX9.2ESU",
      "initial_release_date": "2023-01-01T00:00:00Z",
      "revision_history": [
        {
          "date": "2023-01-01T00:00:00Z",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2025-11-29T11:49:39Z",
          "number": "2",
          "summary": "Official Publication"
        },
        {
          "date": "2025-12-23T19:08:30Z",
          "number": "3",
          "summary": "Update document"
        },
        {
          "date": "2026-01-19T22:18:41Z",
          "number": "4",
          "summary": "Update document"
        }
      ],
      "status": "final",
      "version": "4"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "AlmaLinux 9.2",
                "product": {
                  "name": "AlmaLinux 9.2",
                  "product_id": "AlmaLinux-9.2",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:o:almalinux:almalinux:9.2:*:*:*:*:*:*:*"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "AlmaLinux"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "apr-0:1.7.0-11.el9.i686",
                "product": {
                  "name": "apr-0:1.7.0-11.el9.i686",
                  "product_id": "apr-0:1.7.0-11.el9.i686",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/almalinux/apr@1.7.0-11.el9?arch=i686"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "apr-devel-0:1.7.0-11.el9.i686",
                "product": {
                  "name": "apr-devel-0:1.7.0-11.el9.i686",
                  "product_id": "apr-devel-0:1.7.0-11.el9.i686",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/almalinux/apr-devel@1.7.0-11.el9?arch=i686"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "i686"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "apr-0:1.7.0-11.el9.x86_64",
                "product": {
                  "name": "apr-0:1.7.0-11.el9.x86_64",
                  "product_id": "apr-0:1.7.0-11.el9.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/almalinux/apr@1.7.0-11.el9?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "apr-devel-0:1.7.0-11.el9.x86_64",
                "product": {
                  "name": "apr-devel-0:1.7.0-11.el9.x86_64",
                  "product_id": "apr-devel-0:1.7.0-11.el9.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/almalinux/apr-devel@1.7.0-11.el9?arch=x86_64"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          }
        ],
        "category": "vendor",
        "name": "AlmaLinux OS Foundation"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "apr-0:1.7.0-11.el9.tuxcare.els1.i686",
                "product": {
                  "name": "apr-0:1.7.0-11.el9.tuxcare.els1.i686",
                  "product_id": "apr-0:1.7.0-11.el9.tuxcare.els1.i686",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/apr@1.7.0-11.el9.tuxcare.els1?arch=i686"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "apr-devel-0:1.7.0-11.el9.tuxcare.els1.i686",
                "product": {
                  "name": "apr-devel-0:1.7.0-11.el9.tuxcare.els1.i686",
                  "product_id": "apr-devel-0:1.7.0-11.el9.tuxcare.els1.i686",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/apr-devel@1.7.0-11.el9.tuxcare.els1?arch=i686"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "i686"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "apr-0:1.7.0-11.el9.tuxcare.els1.x86_64",
                "product": {
                  "name": "apr-0:1.7.0-11.el9.tuxcare.els1.x86_64",
                  "product_id": "apr-0:1.7.0-11.el9.tuxcare.els1.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/apr@1.7.0-11.el9.tuxcare.els1?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "apr-devel-0:1.7.0-11.el9.tuxcare.els1.x86_64",
                "product": {
                  "name": "apr-devel-0:1.7.0-11.el9.tuxcare.els1.x86_64",
                  "product_id": "apr-devel-0:1.7.0-11.el9.tuxcare.els1.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/apr-devel@1.7.0-11.el9.tuxcare.els1?arch=x86_64"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          }
        ],
        "category": "vendor",
        "name": "TuxCare"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "apr-0:1.7.0-11.el9.tuxcare.els1.i686 as a component of AlmaLinux 9.2",
          "product_id": "AlmaLinux-9.2:apr-0:1.7.0-11.el9.tuxcare.els1.i686"
        },
        "product_reference": "apr-0:1.7.0-11.el9.tuxcare.els1.i686",
        "relates_to_product_reference": "AlmaLinux-9.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "apr-0:1.7.0-11.el9.i686 as a component of AlmaLinux 9.2",
          "product_id": "AlmaLinux-9.2:apr-0:1.7.0-11.el9.i686"
        },
        "product_reference": "apr-0:1.7.0-11.el9.i686",
        "relates_to_product_reference": "AlmaLinux-9.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "apr-0:1.7.0-11.el9.tuxcare.els1.x86_64 as a component of AlmaLinux 9.2",
          "product_id": "AlmaLinux-9.2:apr-0:1.7.0-11.el9.tuxcare.els1.x86_64"
        },
        "product_reference": "apr-0:1.7.0-11.el9.tuxcare.els1.x86_64",
        "relates_to_product_reference": "AlmaLinux-9.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "apr-0:1.7.0-11.el9.x86_64 as a component of AlmaLinux 9.2",
          "product_id": "AlmaLinux-9.2:apr-0:1.7.0-11.el9.x86_64"
        },
        "product_reference": "apr-0:1.7.0-11.el9.x86_64",
        "relates_to_product_reference": "AlmaLinux-9.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "apr-devel-0:1.7.0-11.el9.tuxcare.els1.i686 as a component of AlmaLinux 9.2",
          "product_id": "AlmaLinux-9.2:apr-devel-0:1.7.0-11.el9.tuxcare.els1.i686"
        },
        "product_reference": "apr-devel-0:1.7.0-11.el9.tuxcare.els1.i686",
        "relates_to_product_reference": "AlmaLinux-9.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "apr-devel-0:1.7.0-11.el9.i686 as a component of AlmaLinux 9.2",
          "product_id": "AlmaLinux-9.2:apr-devel-0:1.7.0-11.el9.i686"
        },
        "product_reference": "apr-devel-0:1.7.0-11.el9.i686",
        "relates_to_product_reference": "AlmaLinux-9.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "apr-devel-0:1.7.0-11.el9.tuxcare.els1.x86_64 as a component of AlmaLinux 9.2",
          "product_id": "AlmaLinux-9.2:apr-devel-0:1.7.0-11.el9.tuxcare.els1.x86_64"
        },
        "product_reference": "apr-devel-0:1.7.0-11.el9.tuxcare.els1.x86_64",
        "relates_to_product_reference": "AlmaLinux-9.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "apr-devel-0:1.7.0-11.el9.x86_64 as a component of AlmaLinux 9.2",
          "product_id": "AlmaLinux-9.2:apr-devel-0:1.7.0-11.el9.x86_64"
        },
        "product_reference": "apr-devel-0:1.7.0-11.el9.x86_64",
        "relates_to_product_reference": "AlmaLinux-9.2"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2023-49582",
      "cwe": {
        "id": "CWE-732",
        "name": "Incorrect Permission Assignment for Critical Resource"
      },
      "notes": [
        {
          "category": "description",
          "text": "Lax permissions set by the Apache Portable Runtime library on Unix platforms would allow local users read access to named shared memory segments, potentially revealing sensitive application data. \n\nThis issue does not affect non-Unix platforms, or builds with APR_USE_SHMEM_SHMGET=1 (apr.h)\n\nUsers are recommended to upgrade to APR version 1.7.5, which fixes this issue.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "known_affected": [
          "AlmaLinux-9.2:apr-0:1.7.0-11.el9.tuxcare.els1.i686",
          "AlmaLinux-9.2:apr-0:1.7.0-11.el9.tuxcare.els1.x86_64",
          "AlmaLinux-9.2:apr-0:1.7.0-11.el9.i686",
          "AlmaLinux-9.2:apr-0:1.7.0-11.el9.x86_64",
          "AlmaLinux-9.2:apr-devel-0:1.7.0-11.el9.tuxcare.els1.i686",
          "AlmaLinux-9.2:apr-devel-0:1.7.0-11.el9.tuxcare.els1.x86_64",
          "AlmaLinux-9.2:apr-devel-0:1.7.0-11.el9.i686",
          "AlmaLinux-9.2:apr-devel-0:1.7.0-11.el9.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els/cve/CVE-2023-49582"
        },
        {
          "category": "external",
          "summary": "https://lists.apache.org/thread/sntjc04t1rvjhdzz2tzmtz2zdnmv7dc4",
          "url": "https://lists.apache.org/thread/sntjc04t1rvjhdzz2tzmtz2zdnmv7dc4"
        },
        {
          "category": "external",
          "summary": "http://www.openwall.com/lists/oss-security/2024/08/26/1",
          "url": "http://www.openwall.com/lists/oss-security/2024/08/26/1"
        },
        {
          "category": "external",
          "summary": "https://security.netapp.com/advisory/ntap-20241101-0004/",
          "url": "https://security.netapp.com/advisory/ntap-20241101-0004/"
        }
      ],
      "release_date": "2024-08-26T14:15:00Z",
      "remediations": [
        {
          "category": "no_fix_planned",
          "details": "CVE-2023-49582 is a local-only information disclosure in APR’s named shared memory handling; exploitation requires a valid local account on the same host and an APR-based application that actually creates named shared memory segments containing sensitive data. It has no integrity or availability impact, does not affect non‑Unix platforms, and does not apply to APR builds compiled with APR_USE_SHMEM_SHMGET=1. In centrally administered server/VM environments where untrusted local access is restricted, practical exploitability is low, so in those environments this issue can be safely deprioritized. Hosts that give shell access to untrusted local users do not meet that condition and should be assessed separately.",
          "product_ids": [
            "AlmaLinux-9.2:apr-0:1.7.0-11.el9.tuxcare.els1.i686",
            "AlmaLinux-9.2:apr-0:1.7.0-11.el9.tuxcare.els1.x86_64",
            "AlmaLinux-9.2:apr-0:1.7.0-11.el9.i686",
            "AlmaLinux-9.2:apr-0:1.7.0-11.el9.x86_64",
            "AlmaLinux-9.2:apr-devel-0:1.7.0-11.el9.tuxcare.els1.i686",
            "AlmaLinux-9.2:apr-devel-0:1.7.0-11.el9.tuxcare.els1.x86_64",
            "AlmaLinux-9.2:apr-devel-0:1.7.0-11.el9.i686",
            "AlmaLinux-9.2:apr-devel-0:1.7.0-11.el9.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "AlmaLinux-9.2:apr-0:1.7.0-11.el9.tuxcare.els1.i686",
            "AlmaLinux-9.2:apr-0:1.7.0-11.el9.tuxcare.els1.x86_64",
            "AlmaLinux-9.2:apr-0:1.7.0-11.el9.i686",
            "AlmaLinux-9.2:apr-0:1.7.0-11.el9.x86_64",
            "AlmaLinux-9.2:apr-devel-0:1.7.0-11.el9.tuxcare.els1.i686",
            "AlmaLinux-9.2:apr-devel-0:1.7.0-11.el9.tuxcare.els1.x86_64",
            "AlmaLinux-9.2:apr-devel-0:1.7.0-11.el9.i686",
            "AlmaLinux-9.2:apr-devel-0:1.7.0-11.el9.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ]
    }
  ]
}