CVE-2023-41915

pmix: race condition allows attackers to obtain ownership of arbitrary files

Severity Score

8.1

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

OpenPMIx PMIx before 4.2.6 and 5.0.x before 5.0.1 allows attackers to obtain ownership of arbitrary files via a race condition during execution of library code with UID 0.

OpenPMIx PMIx antes de las versiones 4.2.6 y 5.0.x antes de 5.0.1, permite a los atacantes obtener la propiedad de archivos arbitrarios a través de una condición de ejecución durante la ejecución de código de librería con UID 0.

OpenPMIx PMIx is vulnerable to a race condition during execution of library code with UID 0, which allows attackers to obtain ownership of arbitrary files.

*Credits: N/A

CVSS Scores

NISTv3.1 8.1

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2023-09-05 CVE Reserved
2023-09-09 CVE Published
2024-08-02 CVE Updated
2024-10-11 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CAPEC

References (14)

URL	Tag	Source
http://www.openwall.com/lists/oss-security/2024/07/10/3	Mailing List
http://www.openwall.com/lists/oss-security/2024/07/10/4	Mailing List
http://www.openwall.com/lists/oss-security/2024/07/10/6	Mailing List
http://www.openwall.com/lists/oss-security/2024/07/11/3	Mailing List
https://docs.openpmix.org/en/latest/security.html	Not Applicable
https://github.com/openpmix/openpmix/releases/tag/v4.2.6	Release Notes
https://github.com/openpmix/openpmix/releases/tag/v5.0.1	Release Notes
https://lists.debian.org/debian-lts-announce/2023/10/msg00048.html	Mailing List

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IFKIY6SNC3KQNZMVROWMIW6DI5XPNKQX	2024-07-11
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SYJ7IRNR6NHJMTNOV3E3W3D5MLDRDCJX	2024-07-11
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YDLWSMQYXF2ZGOQKCG26H6ZZA5FEH7HX	2024-07-11
https://www.debian.org/security/2023/dsa-5547	2024-07-11
https://access.redhat.com/security/cve/CVE-2023-41915	2024-05-22
https://bugzilla.redhat.com/show_bug.cgi?id=2238898	2024-05-22

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Openpmix Search vendor "Openpmix"		Openpmix Search vendor "Openpmix" for product "Openpmix"				< 4.2.6 Search vendor "Openpmix" for product "Openpmix" and version " < 4.2.6"		-		Affected
Openpmix Search vendor "Openpmix"		Openpmix Search vendor "Openpmix" for product "Openpmix"				5.0.0 Search vendor "Openpmix" for product "Openpmix" and version "5.0.0"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				37 Search vendor "Fedoraproject" for product "Fedora" and version "37"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				38 Search vendor "Fedoraproject" for product "Fedora" and version "38"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				39 Search vendor "Fedoraproject" for product "Fedora" and version "39"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				10.0 Search vendor "Debian" for product "Debian Linux" and version "10.0"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				12.0 Search vendor "Debian" for product "Debian Linux" and version "12.0"		-		Affected