CVE-2023-5978

08.11.2023, 09:15

In versions of FreeBSD 13-RELEASE before 13-RELEASE-p5, under certain circumstances the cap_net libcasper(3) service incorrectly validates that updated constraints are strictly subsets of the active constraints. When only a listof resolvable domain names was specified without setting any other limitations, an application could submit a new list of domains including include entries not previously listed. This could permit the application to resolve domain names that were previously restricted.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	7.5 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
freebsd	CNA	---				---
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 32%

Vendor	Product	Version
freebsd	freebsd	13.0 ≤ 𝑥 < 13.2
freebsd	freebsd	13.2
freebsd	freebsd	13.2:p1
freebsd	freebsd	13.2:p2
freebsd	freebsd	13.2:p3
freebsd	freebsd	13.2:p4

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-269 - Improper Privilege Management
The software does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

References

https://security.freebsd.org/advisories/FreeBSD-SA-23:16.cap_net.asc

https://security.netapp.com/advisory/ntap-20231214-0003/

https://security.freebsd.org/advisories/FreeBSD-SA-23:16.cap_net.asc

https://security.netapp.com/advisory/ntap-20231214-0003/