CVE-2023-49721

Published: Feb 14, 2024Modified: Aug 26, 2025

6.7

Vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Exploitability: 0.8 / Impact: 5.9

Source: security@ubuntu.com (Secondary)

Description

An insecure default to allow UEFI Shell in EDK2 was left enabled in LXD. This allows an OS-resident attacker to bypass Secure Boot.

Affected (2)

Products: Canonical: Lxd · Tianocore: Edk2

1 product

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Canonical Lxd	From 5.0.0 to 5.21.0
Tianocore Edk2	Up to 2023.11-8

Related CWEs

CWE-276

Incorrect Default Permissions

During installation, installed file permissions are set to allow anyone to modify those files.

References (8)

https://bugs.launchpad.net/ubuntu/+source/edk2/+bug/2040137

Source: security@ubuntu.com

Issue Tracking

https://bugs.launchpad.net/ubuntu/+source/lxd/+bug/2040139

Source: security@ubuntu.com

Issue Tracking

https://nvd.nist.gov/vuln/detail/CVE-2023-48733

Source: security@ubuntu.com

Third Party Advisory

https://www.openwall.com/lists/oss-security/2024/02/14/4

Source: security@ubuntu.com

Mailing List

https://bugs.launchpad.net/ubuntu/+source/edk2/+bug/2040137

Source: af854a3a-2127-422b-91ae-364da2661108

Issue Tracking

https://bugs.launchpad.net/ubuntu/+source/lxd/+bug/2040139

Source: af854a3a-2127-422b-91ae-364da2661108

Issue Tracking

https://nvd.nist.gov/vuln/detail/CVE-2023-48733

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://www.openwall.com/lists/oss-security/2024/02/14/4

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing List

Timeline

No history available yet.