| 0 |
| url |
VCID-2hsw-vx7r-wqd5 |
| vulnerability_id |
VCID-2hsw-vx7r-wqd5 |
| summary |
Red Hat libvirt, possibly 0.6.0 through 0.8.2, creates new images without setting the user-defined backing-store format, which allows guest OS users to read arbitrary files on the host OS via unspecified vectors. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2010-2239
|
| risk_score |
null |
| exploitability |
0.5 |
| weighted_severity |
0.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-2hsw-vx7r-wqd5 |
|
| 1 |
| url |
VCID-4sf9-8j9p-3fgz |
| vulnerability_id |
VCID-4sf9-8j9p-3fgz |
| summary |
An off-by-one error flaw was found in the udevListInterfacesByStatus() function in libvirt when the number of interfaces exceeds the size of the `names` array. This issue can be reproduced by sending specially crafted data to the libvirt daemon, allowing an unprivileged client to perform a denial of service attack by causing the libvirt daemon to crash. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2024-1441
|
| risk_score |
2.5 |
| exploitability |
0.5 |
| weighted_severity |
5.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-4sf9-8j9p-3fgz |
|
| 2 |
| url |
VCID-522f-y6qx-nfhn |
| vulnerability_id |
VCID-522f-y6qx-nfhn |
| summary |
The virDomainGetXMLDesc API in Libvirt before 1.2.11 allows remote read-only users to obtain the VNC password by using the VIR_DOMAIN_XML_MIGRATABLE flag, which triggers the use of the VIR_DOMAIN_XML_SECURE flag. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2014-7823
|
| risk_score |
null |
| exploitability |
0.5 |
| weighted_severity |
0.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-522f-y6qx-nfhn |
|
| 3 |
| url |
VCID-53fz-t4zs-7kbk |
| vulnerability_id |
VCID-53fz-t4zs-7kbk |
| summary |
A use-after-free flaw was found in libvirt. The qemuMonitorUnregister() function in qemuProcessHandleMonitorEOF is called using multiple threads without being adequately protected by a monitor lock. This flaw could be triggered by the virConnectGetAllDomainStats API when the guest is shutting down. An unprivileged client with a read-only connection could use this flaw to perform a denial of service attack by causing the libvirt daemon to crash. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2021-3975
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-53fz-t4zs-7kbk |
|
| 4 |
| url |
VCID-5th2-yymu-x7hm |
| vulnerability_id |
VCID-5th2-yymu-x7hm |
| summary |
Race condition in the virNetServerClientStartKeepAlive function in libvirt before 1.2.1 allows remote attackers to cause a denial of service (libvirtd crash) by closing a connection before a keepalive response is sent. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2014-1447
|
| risk_score |
0.1 |
| exploitability |
0.5 |
| weighted_severity |
0.1 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-5th2-yymu-x7hm |
|
| 5 |
| url |
VCID-6pj3-mq9g-yye9 |
| vulnerability_id |
VCID-6pj3-mq9g-yye9 |
| summary |
An issue was discovered in qemuDomainGetStatsIOThread in qemu/qemu_driver.c in libvirt 4.10.0 through 6.x before 6.1.0. A memory leak was found in the virDomainListGetStats libvirt API that is responsible for retrieving domain statistics when managing QEMU guests. This flaw allows unprivileged users with a read-only connection to cause a memory leak in the domstats command, resulting in a potential denial of service. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2020-12430
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-6pj3-mq9g-yye9 |
|
| 6 |
| url |
VCID-75av-3nr7-bkh1 |
| vulnerability_id |
VCID-75av-3nr7-bkh1 |
| summary |
A NULL pointer dereference flaw was found in the way libvirt from 2.5.0 to 3.0.0 handled empty drives. A remote authenticated attacker could use this flaw to crash the libvirtd daemon, resulting in denial of service. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2017-2635
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-75av-3nr7-bkh1 |
|
| 7 |
| url |
VCID-7ezn-r2xq-c7de |
| vulnerability_id |
VCID-7ezn-r2xq-c7de |
| summary |
The qemuDomainGetBlockIoTune function in qemu/qemu_driver.c in libvirt before 1.2.9, when a disk has been hot-plugged or removed from the live image, allows remote attackers to cause a denial of service (crash) or read sensitive heap information via a crafted blkiotune query, which triggers an out-of-bounds read. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2014-3633
|
| risk_score |
null |
| exploitability |
0.5 |
| weighted_severity |
0.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-7ezn-r2xq-c7de |
|
| 8 |
| url |
VCID-7ks5-8e2n-tua4 |
| vulnerability_id |
VCID-7ks5-8e2n-tua4 |
| summary |
libvirt 1.0.5.x before 1.0.5.6, 0.10.2.x before 0.10.2.8, and 0.9.12.x before 0.9.12.2 allows local users to bypass intended access restrictions by leveraging a PolkitUnixProcess PolkitSubject race condition in pkcheck via a (1) setuid process or (2) pkexec process, a related issue to CVE-2013-4288. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2013-4311
|
| risk_score |
null |
| exploitability |
0.5 |
| weighted_severity |
0.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-7ks5-8e2n-tua4 |
|
| 9 |
| url |
VCID-7t26-rv1b-gfca |
| vulnerability_id |
VCID-7t26-rv1b-gfca |
| summary |
Multiple methods in libvirt 0.3.2 through 0.5.1 do not check if a connection is read-only, which allows local users to bypass intended access restrictions and perform administrative actions. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2008-5086
|
| risk_score |
null |
| exploitability |
0.5 |
| weighted_severity |
0.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-7t26-rv1b-gfca |
|
| 10 |
| url |
VCID-8fmd-jdpb-v7eb |
| vulnerability_id |
VCID-8fmd-jdpb-v7eb |
| summary |
The qemuAgentCommand function in libvirt before 1.1.1, when a guest agent is not configured, allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via vectors related to "agent based cpu (un)plug," as demonstrated by the "virsh vcpucount foobar --guest" command. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2013-4154
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-8fmd-jdpb-v7eb |
|
| 11 |
| url |
VCID-8frc-fhvs-bucm |
| vulnerability_id |
VCID-8frc-fhvs-bucm |
| summary |
The remoteDispatchDomainMemoryStats function in daemon/remote.c in libvirt 0.9.1 through 0.10.1.x, 0.10.2.x before 0.10.2.8, 1.0.x before 1.0.5.6, and 1.1.x before 1.1.2 allows remote authenticated users to cause a denial of service (uninitialized pointer dereference and crash) via a crafted RPC call. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2013-4296
|
| risk_score |
null |
| exploitability |
0.5 |
| weighted_severity |
0.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-8frc-fhvs-bucm |
|
| 12 |
| url |
VCID-8u2b-ad6e-ukaw |
| vulnerability_id |
VCID-8u2b-ad6e-ukaw |
| summary |
A NULL pointer dereference flaw was discovered in libvirt before version 5.0.0 in the way it gets interface information through the QEMU agent. An attacker in a guest VM can use this flaw to crash libvirtd and cause a denial of service. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2019-3840
|
| risk_score |
2.6 |
| exploitability |
0.5 |
| weighted_severity |
5.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-8u2b-ad6e-ukaw |
|
| 13 |
| url |
VCID-8wxg-1wr8-rfca |
| vulnerability_id |
VCID-8wxg-1wr8-rfca |
| summary |
libvirt before 1.2.12 allows remote authenticated users to obtain the VNC password by using the VIR_DOMAIN_XML_SECURE flag with a crafted (1) snapshot to the virDomainSnapshotGetXMLDesc interface or (2) image to the virDomainSaveImageGetXMLDesc interface. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2015-0236
|
| risk_score |
null |
| exploitability |
0.5 |
| weighted_severity |
0.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-8wxg-1wr8-rfca |
|
| 14 |
| url |
VCID-9cft-v9u9-fubh |
| vulnerability_id |
VCID-9cft-v9u9-fubh |
| summary |
The (1) qemuDomainMigratePerform and (2) qemuDomainMigrateFinish2 functions in qemu/qemu_driver.c in libvirt do not unlock the domain when an ACL check fails, which allows local users to cause a denial of service via unspecified vectors. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2014-8136
|
| risk_score |
null |
| exploitability |
0.5 |
| weighted_severity |
0.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-9cft-v9u9-fubh |
|
| 15 |
|
| 16 |
| url |
VCID-abee-kgjm-h7gv |
| vulnerability_id |
VCID-abee-kgjm-h7gv |
| summary |
A flaw was found in libvirt in the virConnectListAllNodeDevices API in versions before 7.0.0. It only affects hosts with a PCI device and driver that supports mediated devices (e.g., GRID driver). This flaw could be used by an unprivileged client with a read-only connection to crash the libvirt daemon by executing the 'nodedev-list' virsh command. The highest threat from this vulnerability is to system availability. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2021-3559
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-abee-kgjm-h7gv |
|
| 17 |
|
| 18 |
| url |
VCID-b83z-k3uw-sqfs |
| vulnerability_id |
VCID-b83z-k3uw-sqfs |
| summary |
The virSecurityManagerGetPrivateData function in security/security_manager.c in libvirt 0.8.8 through 0.9.1 uses the wrong argument for a sizeof call, which causes incorrect processing of "security manager private data" that "reopens disk probing" and might allow guest OS users to read arbitrary files on the host OS. NOTE: this vulnerability exists because of a CVE-2010-2238 regression. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2011-2178
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-b83z-k3uw-sqfs |
|
| 19 |
| url |
VCID-bes6-jjfw-tbdx |
| vulnerability_id |
VCID-bes6-jjfw-tbdx |
| summary |
libvirt-domain.c in libvirt before 1.3.1 supports virDomainGetTime API calls by guest agents with an RO connection, even though an RW connection was supposed to be required, a different vulnerability than CVE-2019-3886. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2016-10746
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-bes6-jjfw-tbdx |
|
| 20 |
| url |
VCID-bm6v-rps8-8kbt |
| vulnerability_id |
VCID-bm6v-rps8-8kbt |
| summary |
Red Hat libvirt 0.2.0 through 0.8.2 creates iptables rules with improper mappings of privileged source ports, which allows guest OS users to bypass intended access restrictions by leveraging IP address and source-port values, as demonstrated by copying and deleting an NFS directory tree. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2010-2242
|
| risk_score |
null |
| exploitability |
0.5 |
| weighted_severity |
0.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-bm6v-rps8-8kbt |
|
| 21 |
| url |
VCID-bw47-fewt-2fax |
| vulnerability_id |
VCID-bw47-fewt-2fax |
| summary |
Double free vulnerability in the virConnectListAllInterfaces method in interface/interface_backend_netcf.c in libvirt 1.0.6 allows remote attackers to cause a denial of service (libvirtd crash) via a filtering flag that causes an interface to be skipped, as demonstrated by the "virsh iface-list --inactive" command. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2013-2218
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-bw47-fewt-2fax |
|
| 22 |
| url |
VCID-bzyu-42js-e3e6 |
| vulnerability_id |
VCID-bzyu-42js-e3e6 |
| summary |
A vulnerability was found in libvirt >= 4.1.0 in the virtlockd-admin.socket and virtlogd-admin.socket systemd units. A missing SocketMode configuration parameter allows any user on the host to connect using virtlockd-admin-sock or virtlogd-admin-sock and perform administrative tasks against the virtlockd and virtlogd daemons. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2019-10132
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
7.9 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-bzyu-42js-e3e6 |
|
| 23 |
|
| 24 |
| url |
VCID-cjpk-feb2-zqds |
| vulnerability_id |
VCID-cjpk-feb2-zqds |
| summary |
A flaw was found in the libvirt libxl driver. A malicious guest could continuously reboot itself and cause libvirtd on the host to deadlock or crash, resulting in a denial of service condition. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2021-4147
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-cjpk-feb2-zqds |
|
| 25 |
| url |
VCID-db3h-q8fp-b3ds |
| vulnerability_id |
VCID-db3h-q8fp-b3ds |
| summary |
The lxcDomainGetMemoryParameters method in lxc/lxc_driver.c in libvirt 1.0.5 through 1.2.0 does not properly check the status of LXC guests when reading memory tunables, which allows local users to cause a denial of service (NULL pointer dereference and libvirtd crash) via a guest in the shutdown status, as demonstrated by the "virsh memtune" command. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2013-6436
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-db3h-q8fp-b3ds |
|
| 26 |
| url |
VCID-dqys-qxtq-7yd9 |
| vulnerability_id |
VCID-dqys-qxtq-7yd9 |
| summary |
libvirt 1.1.1 through 1.2.0 allows context-dependent attackers to bypass the domain:getattr and connect:search_domains restrictions in ACLs and obtain sensitive domain object information via a request to the (1) virConnectDomainEventRegister and (2) virConnectDomainEventRegisterAny functions in the event registration API. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2014-0028
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-dqys-qxtq-7yd9 |
|
| 27 |
| url |
VCID-ej3h-nbzx-euhv |
| vulnerability_id |
VCID-ej3h-nbzx-euhv |
| summary |
A race condition leading to a stack use-after-free flaw was found in libvirt. Due to a bad assumption in the virNetClientIOEventLoop() method, the `data` pointer to a stack-allocated virNetClientIOEventData structure ended up being used in the virNetClientIOEventFD callback while the data pointer's stack frame was concurrently being "freed" when returning from virNetClientIOEventLoop(). The 'virtproxyd' daemon can be used to trigger requests. If libvirt is configured with fine-grained access control, this issue, in theory, allows a user to escape their otherwise limited access. This flaw allows a local, unprivileged user to access virtproxyd without authenticating. Remote users would need to authenticate before they could access it. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2024-4418
|
| risk_score |
2.8 |
| exploitability |
0.5 |
| weighted_severity |
5.6 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-ej3h-nbzx-euhv |
|
| 28 |
| url |
VCID-etr9-c84d-vuhr |
| vulnerability_id |
VCID-etr9-c84d-vuhr |
| summary |
The virConnectBaselineHypervisorCPU() and virConnectCompareHypervisorCPU() libvirt APIs, 4.x.x before 4.10.1 and 5.x.x before 5.4.1, accept an "emulator" argument to specify the program providing emulation for a domain. Since v1.2.19, libvirt will execute that program to probe the domain's capabilities. Read-only clients could specify an arbitrary path for this argument, causing libvirtd to execute a crafted executable with its own privileges. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2019-10168
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
7.9 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-etr9-c84d-vuhr |
|
| 29 |
| url |
VCID-fswc-9ddx-c7d7 |
| vulnerability_id |
VCID-fswc-9ddx-c7d7 |
| summary |
A flaw was found in libvirt. A refactor of the code fetching the list of interfaces for multiple APIs introduced a corner case on platforms where allocating 0 bytes of memory results in a NULL pointer. This corner case would lead to a NULL-pointer dereference and subsequent crash of virtinterfaced. This issue could allow clients connecting to the read-only socket to crash the virtinterfaced daemon. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2024-8235
|
| risk_score |
2.8 |
| exploitability |
0.5 |
| weighted_severity |
5.6 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-fswc-9ddx-c7d7 |
|
| 30 |
| url |
VCID-g2pc-1es2-3qer |
| vulnerability_id |
VCID-g2pc-1es2-3qer |
| summary |
The remoteClientFreeFunc function in daemon/remote.c in libvirt before 1.1.3, when ACLs are used, does not set an identity, which causes event handler removal to be denied and remote attackers to cause a denial of service (use-after-free and crash) by registering an event handler and then closing the connection. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2013-4399
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-g2pc-1es2-3qer |
|
| 31 |
| url |
VCID-g3k9-1rc3-xfhu |
| vulnerability_id |
VCID-g3k9-1rc3-xfhu |
| summary |
The LXC driver (lxc/lxc_driver.c) in libvirt 1.0.1 through 1.2.1 allows local users to (1) delete arbitrary host devices via the virDomainDeviceDettach API and a symlink attack on /dev in the container; (2) create arbitrary nodes (mknod) via the virDomainDeviceAttach API and a symlink attack on /dev in the container; and cause a denial of service (shutdown or reboot host OS) via the (3) virDomainShutdown or (4) virDomainReboot API and a symlink attack on /dev/initctl in the container, related to "paths under /proc/$PID/root" and the virInitctlSetRunLevel function. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2013-6456
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-g3k9-1rc3-xfhu |
|
| 32 |
| url |
VCID-g59s-kpjm-dbbg |
| vulnerability_id |
VCID-g59s-kpjm-dbbg |
| summary |
The virDomainListPopulate function in conf/domain_conf.c in libvirt before 1.2.9 does not clean up the lock on the list of domains, which allows remote attackers to cause a denial of service (deadlock) via a NULL value in the second parameter in the virConnectListAllDomains API command. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2014-3657
|
| risk_score |
null |
| exploitability |
0.5 |
| weighted_severity |
0.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-g59s-kpjm-dbbg |
|
| 33 |
| url |
VCID-g94m-69qv-8kgk |
| vulnerability_id |
VCID-g94m-69qv-8kgk |
| summary |
The storageVolUpload function in storage/storage_driver.c in libvirt before 1.2.11 does not check a certain return value, which allows local users to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted offset value in a "virsh vol-upload" command. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2014-8135
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-g94m-69qv-8kgk |
|
| 34 |
| url |
VCID-gneu-b3qk-q7e4 |
| vulnerability_id |
VCID-gneu-b3qk-q7e4 |
| summary |
A flaw was found in the RPC library APIs of libvirt. The RPC server deserialization code allocates memory for arrays before the non-negative length check is performed by the C API entry points. Passing a negative length to the g_new0 function results in a crash due to the negative length being treated as a huge positive number. This flaw allows a local, unprivileged user to perform a denial of service attack by causing the libvirt daemon to crash. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2024-2494
|
| risk_score |
2.8 |
| exploitability |
0.5 |
| weighted_severity |
5.6 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-gneu-b3qk-q7e4 |
|
| 35 |
|
| 36 |
| url |
VCID-h2s4-zbk4-dbgk |
| vulnerability_id |
VCID-h2s4-zbk4-dbgk |
| summary |
Red Hat libvirt, possibly 0.6.1 through 0.8.2, looks up disk backing stores without referring to the user-defined main disk format, which might allow guest OS users to read arbitrary files on the host OS, and possibly have unspecified other impact, via unknown vectors. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2010-2237
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-h2s4-zbk4-dbgk |
|
| 37 |
| url |
VCID-h8hd-mdcx-tben |
| vulnerability_id |
VCID-h8hd-mdcx-tben |
| summary |
The virBitmapParse function in util/virbitmap.c in libvirt before 1.1.2 allows context-dependent attackers to cause a denial of service (out-of-bounds read and crash) via a crafted bitmap, as demonstrated by a large nodeset value to numatune. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2013-5651
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-h8hd-mdcx-tben |
|
| 38 |
| url |
VCID-j5b5-zjxe-ffhu |
| vulnerability_id |
VCID-j5b5-zjxe-ffhu |
| summary |
libvirt before 2.0.0 improperly disables password checking when the password on a VNC server is set to an empty string, which allows remote attackers to bypass authentication and establish a VNC session by connecting to the server. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2016-5008
|
| risk_score |
2.5 |
| exploitability |
0.5 |
| weighted_severity |
5.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-j5b5-zjxe-ffhu |
|
| 39 |
| url |
VCID-j71z-t8bh-wbb4 |
| vulnerability_id |
VCID-j71z-t8bh-wbb4 |
| summary |
An improper locking issue was found in the virStoragePoolLookupByTargetPath API of libvirt. It occurs in the storagePoolLookupByTargetPath function where a locked virStoragePoolObj object is not properly released on ACL permission failure. Clients connecting to the read-write socket with limited ACL permissions could use this flaw to acquire the lock and prevent other users from accessing storage pool/volume APIs, resulting in a denial of service condition. The highest threat from this vulnerability is to system availability. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2021-3667
|
| risk_score |
3.0 |
| exploitability |
0.5 |
| weighted_severity |
5.9 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-j71z-t8bh-wbb4 |
|
| 40 |
| url |
VCID-j9tq-2vq5-cqdm |
| vulnerability_id |
VCID-j9tq-2vq5-cqdm |
| summary |
The remoteDispatchStoragePoolListAllVolumes function in the storage pool manager in libvirt 1.0.5 allows remote attackers to cause a denial of service (file descriptor consumption) via a large number of requests "to list all volumes for the particular pool." |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2013-1962
|
| risk_score |
null |
| exploitability |
0.5 |
| weighted_severity |
0.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-j9tq-2vq5-cqdm |
|
| 41 |
| url |
VCID-jtjs-y7k7-r7ae |
| vulnerability_id |
VCID-jtjs-y7k7-r7ae |
| summary |
It was discovered that libvirtd, versions 4.x.x before 4.10.1 and 5.x.x before 5.4.1, would permit readonly clients to use the virDomainManagedSaveDefineXML() API, which would permit them to modify managed save state files. If a managed save had already been created by a privileged user, a local attacker could modify this file such that libvirtd would execute an arbitrary program when the domain was resumed. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2019-10166
|
| risk_score |
3.5 |
| exploitability |
0.5 |
| weighted_severity |
7.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-jtjs-y7k7-r7ae |
|
| 42 |
| url |
VCID-jzhx-dfgg-37ct |
| vulnerability_id |
VCID-jzhx-dfgg-37ct |
| summary |
The virFileNBDDeviceAssociate function in util/virfile.c in libvirt 1.1.2 and earlier allows remote authenticated users to cause a denial of service (uninitialized pointer dereference and crash) via unspecified vectors. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2013-4297
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-jzhx-dfgg-37ct |
|
| 43 |
| url |
VCID-k2ku-9mx2-b3a9 |
| vulnerability_id |
VCID-k2ku-9mx2-b3a9 |
| summary |
Directory traversal vulnerability in the virStorageBackendFileSystemVolCreate function in storage/storage_backend_fs.c in libvirt, when fine-grained Access Control Lists (ACL) are in effect, allows local users with storage_vol:create ACL but not domain:write permission to write to arbitrary files via a .. (dot dot) in a volume name. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2015-5313
|
| risk_score |
null |
| exploitability |
0.5 |
| weighted_severity |
0.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-k2ku-9mx2-b3a9 |
|
| 44 |
|
| 45 |
| url |
VCID-kn2h-kurp-pbcc |
| vulnerability_id |
VCID-kn2h-kurp-pbcc |
| summary |
The qemu driver (qemu/qemu_driver.c) in libvirt before 1.1.1 allows remote authenticated users to cause a denial of service (daemon crash) via unspecified vectors involving "multiple events registration." |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2013-2230
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-kn2h-kurp-pbcc |
|
| 46 |
| url |
VCID-kqsz-xg9j-ukeu |
| vulnerability_id |
VCID-kqsz-xg9j-ukeu |
| summary |
The xenDaemonListDefinedDomains function in xen/xend_internal.c in libvirt 1.1.1 allows remote authenticated users to cause a denial of service (memory corruption and crash) via vectors involving the virConnectListDefinedDomains API function. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2013-4239
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-kqsz-xg9j-ukeu |
|
| 47 |
| url |
VCID-kta6-5pt1-27at |
| vulnerability_id |
VCID-kta6-5pt1-27at |
| summary |
The qemu implementation of virConnectGetAllDomainStats in libvirt before 1.2.11 does not properly handle locks when a domain is skipped due to ACL restrictions, which allows remote authenticated users to cause a denial of service (deadlock or segmentation fault and crash) via a request to access the users does not have privileges to access. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2014-8131
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-kta6-5pt1-27at |
|
| 48 |
| url |
VCID-mtgm-vqw9-1ubf |
| vulnerability_id |
VCID-mtgm-vqw9-1ubf |
| summary |
qemu/qemu_driver.c in libvirt before 6.0.0 mishandles the holding of a monitor job during a query to a guest agent, which allows attackers to cause a denial of service (API blockage). |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2019-20485
|
| risk_score |
2.6 |
| exploitability |
0.5 |
| weighted_severity |
5.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-mtgm-vqw9-1ubf |
|
| 49 |
| url |
VCID-mw8d-1bcc-p7e5 |
| vulnerability_id |
VCID-mw8d-1bcc-p7e5 |
| summary |
A vulnerability was found in libvirt. This security flaw occurs because repeatedly querying an SR-IOV PCI device's capabilities exposes a memory leak caused by a failure to free the virPCIVirtualFunction array within the parent struct's g_autoptr cleanup. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2023-2700
|
| risk_score |
2.9 |
| exploitability |
0.5 |
| weighted_severity |
5.7 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-mw8d-1bcc-p7e5 |
|
| 50 |
| url |
VCID-myg3-46rj-3qax |
| vulnerability_id |
VCID-myg3-46rj-3qax |
| summary |
A missing authorization flaw was found in the libvirt API responsible for changing the QEMU agent response timeout. This flaw allows read-only connections to adjust the time that libvirt waits for the QEMU guest agent to respond to agent commands. Depending on the timeout value that is set, this flaw can make guest agent commands fail because the agent cannot respond in time. Unprivileged users with a read-only connection could abuse this flaw to set the response timeout for all guest agent messages to zero, potentially leading to a denial of service. This flaw affects libvirt versions before 6.2.0. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2020-10701
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-myg3-46rj-3qax |
|
| 51 |
| url |
VCID-mzv1-uhwm-fqd2 |
| vulnerability_id |
VCID-mzv1-uhwm-fqd2 |
| summary |
The qemuMigrationWaitForSpice function in qemu/qemu_migration.c in libvirt before 1.1.3 does not properly enter a monitor when performing seamless SPICE migration, which allows local users to cause a denial of service (NULL pointer dereference and libvirtd crash) by causing domblkstat to be called at the same time as the qemuMonitorGetSpiceMigrationStatus function. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2013-7336
|
| risk_score |
null |
| exploitability |
0.5 |
| weighted_severity |
0.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-mzv1-uhwm-fqd2 |
|
| 52 |
| url |
VCID-n2nm-knaw-gkgx |
| vulnerability_id |
VCID-n2nm-knaw-gkgx |
| summary |
libvirt versions before 4.2.0-rc1 are vulnerable to resource exhaustion as a result of an incomplete fix for CVE-2018-5748, which affects the QEMU monitor but can now also be triggered via the QEMU guest agent. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2018-1064
|
| risk_score |
1.5 |
| exploitability |
0.5 |
| weighted_severity |
3.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-n2nm-knaw-gkgx |
|
| 53 |
| url |
VCID-p3ja-7zqb-mybj |
| vulnerability_id |
VCID-p3ja-7zqb-mybj |
| summary |
The libxlDomainGetNumaParameters function in the libxl driver (libxl/libxl_driver.c) in libvirt before 1.2.1 does not properly initialize the nodemap, which allows local users to cause a denial of service (invalid free operation and crash) or possibly execute arbitrary code via an inactive domain to the virsh numatune command. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2013-6457
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-p3ja-7zqb-mybj |
|
| 54 |
| url |
VCID-pqyk-2c8e-5yh5 |
| vulnerability_id |
VCID-pqyk-2c8e-5yh5 |
| summary |
It was discovered that libvirtd before versions 4.10.1 and 5.4.1 would permit read-only clients to use the virDomainSaveImageGetXMLDesc() API, specifying an arbitrary path which would be accessed with the permissions of the libvirtd process. An attacker with access to the libvirtd socket could use this to probe the existence of arbitrary files, cause denial of service or cause libvirtd to execute arbitrary programs. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2019-10161
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
7.9 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-pqyk-2c8e-5yh5 |
|
| 55 |
|
| 56 |
| url |
VCID-q2ng-jgm7-8uc9 |
| vulnerability_id |
VCID-q2ng-jgm7-8uc9 |
| summary |
A flaw was found in the libvirt nwfilter driver. The virNWFilterObjListNumOfNWFilters method failed to acquire the driver->nwfilters mutex before iterating over virNWFilterObj instances. There was no protection to stop another thread from concurrently modifying the driver->nwfilters object. This flaw allows a malicious, unprivileged user to exploit this issue via libvirt's API virConnectNumOfNWFilters to crash the network filter management daemon (libvirtd/virtnwfilterd). |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2022-0897
|
| risk_score |
2.2 |
| exploitability |
0.5 |
| weighted_severity |
4.5 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-q2ng-jgm7-8uc9 |
|
| 57 |
| url |
VCID-q38b-cmvy-gybh |
| vulnerability_id |
VCID-q38b-cmvy-gybh |
| summary |
libvirt.c in the API in Red Hat libvirt 0.8.8 does not properly restrict operations in a read-only connection, which allows remote attackers to cause a denial of service (host OS crash) or possibly execute arbitrary code via a (1) virNodeDeviceDettach, (2) virNodeDeviceReset, (3) virDomainRevertToSnapshot, (4) virDomainSnapshotDelete, (5) virNodeDeviceReAttach, or (6) virConnectDomainXMLToNative call, a different vulnerability than CVE-2008-5086. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2011-1146
|
| risk_score |
null |
| exploitability |
0.5 |
| weighted_severity |
0.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-q38b-cmvy-gybh |
|
| 58 |
| url |
VCID-qpvd-b2ru-d7a3 |
| vulnerability_id |
VCID-qpvd-b2ru-d7a3 |
| summary |
The virSecurityManagerSetProcessLabel function in libvirt 0.10.2.7, 1.0.5.5, and 1.1.1, when the domain has read a uid:gid label, does not properly set group memberships, which allows local users to gain privileges. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2013-4291
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-qpvd-b2ru-d7a3 |
|
| 59 |
| url |
VCID-qtct-kbdm-z7ed |
| vulnerability_id |
VCID-qtct-kbdm-z7ed |
| summary |
libvirt 1.1.0 and 1.1.1 allows local users to cause a denial of service (memory consumption) via a large number of domain migrate parameters in certain RPC calls in (1) daemon/remote.c and (2) remote/remote_driver.c. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2013-4292
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-qtct-kbdm-z7ed |
|
| 60 |
| url |
VCID-qw96-udhq-q7b6 |
| vulnerability_id |
VCID-qw96-udhq-q7b6 |
| summary |
Double free vulnerability in the qemuAgentGetVCPUs function in qemu/qemu_agent.c in libvirt 1.0.6 through 1.1.0 allows remote attackers to cause a denial of service (daemon crash) via a cpu count request, as demonstrated by the "virsh vcpucount dom --guest" command. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2013-4153
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-qw96-udhq-q7b6 |
|
| 61 |
|
| 62 |
| url |
VCID-rk28-atvy-tug1 |
| vulnerability_id |
VCID-rk28-atvy-tug1 |
| summary |
Ubuntu's packaging of libvirt in 20.04 LTS created a control socket with world read and write permissions. An attacker could use this to overwrite arbitrary files or execute arbitrary code. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2020-15708
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-rk28-atvy-tug1 |
|
| 63 |
| url |
VCID-rrcc-k1cq-5ugw |
| vulnerability_id |
VCID-rrcc-k1cq-5ugw |
| summary |
virt-login-shell in libvirt 1.1.2 through 1.1.3 allows local users to overwrite arbitrary files and possibly gain privileges via unspecified environment variables or command-line arguments. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2013-4400
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-rrcc-k1cq-5ugw |
|
| 64 |
|
| 65 |
| url |
VCID-t296-efx6-1yba |
| vulnerability_id |
VCID-t296-efx6-1yba |
| summary |
An incorrect permissions check was discovered in libvirt 4.8.0 and above. The readonly permission was allowed to invoke APIs depending on the guest agent, which could lead to potentially disclosing unintended information or denial of service by causing libvirt to block. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2019-3886
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-t296-efx6-1yba |
|
| 66 |
| url |
VCID-t414-nm3b-cfev |
| vulnerability_id |
VCID-t414-nm3b-cfev |
| summary |
util/virlog.c in libvirt does not properly determine the hostname on LXC container startup, which allows local guest OS users to bypass an intended container protection mechanism and execute arbitrary commands via a crafted NSS module. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2018-6764
|
| risk_score |
2.2 |
| exploitability |
0.5 |
| weighted_severity |
4.5 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-t414-nm3b-cfev |
|
| 67 |
| url |
VCID-tk2g-6m19-yqg3 |
| vulnerability_id |
VCID-tk2g-6m19-yqg3 |
| summary |
libvirt before 2.2 includes Ceph credentials on the qemu command line when using RADOS Block Device (aka RBD), which allows local users to obtain sensitive information via a process listing. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2015-5160
|
| risk_score |
1.5 |
| exploitability |
0.5 |
| weighted_severity |
3.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-tk2g-6m19-yqg3 |
|
| 68 |
| url |
VCID-trpf-3d81-r3g8 |
| vulnerability_id |
VCID-trpf-3d81-r3g8 |
| summary |
libvirt, possibly before 0.9.12, does not properly assign USB devices to virtual machines when multiple devices have the same vendor and product ID, which might cause the wrong device to be associated with a guest and might allow local users to access unintended USB devices. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-2693
|
| risk_score |
null |
| exploitability |
0.5 |
| weighted_severity |
0.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-trpf-3d81-r3g8 |
|
| 69 |
| url |
VCID-u1x7-9n1d-8qb3 |
| vulnerability_id |
VCID-u1x7-9n1d-8qb3 |
| summary |
Multiple race conditions in the (1) virDomainBlockStats, (2) virDomainGetBlockInfo, (3) qemuDomainBlockJobImpl, and (4) virDomainGetBlockIoTune functions in libvirt before 1.2.1 do not properly verify that the disk is attached, which allows remote read-only attackers to cause a denial of service (libvirtd crash) via the virDomainDetachDeviceFlags command. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2013-6458
|
| risk_score |
null |
| exploitability |
0.5 |
| weighted_severity |
0.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-u1x7-9n1d-8qb3 |
|
| 70 |
| url |
VCID-ujup-1ktj-47ax |
| vulnerability_id |
VCID-ujup-1ktj-47ax |
| summary |
A flaw was found in libvirt. The virStoragePoolObjListSearch function does not return a locked pool as expected, resulting in a race condition and denial of service when attempting to lock the same object from another thread. This issue could allow clients connecting to the read-only socket to crash the libvirt daemon. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2023-3750
|
| risk_score |
3.0 |
| exploitability |
0.5 |
| weighted_severity |
5.9 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-ujup-1ktj-47ax |
|
| 71 |
| url |
VCID-urzt-z32b-97dp |
| vulnerability_id |
VCID-urzt-z32b-97dp |
| summary |
The virConnectDomainXMLToNative API function in libvirt 1.1.0 through 1.1.3 checks for the connect:read permission instead of the connect:write permission, which allows attackers to gain domain:write privileges and execute Qemu binaries via crafted XML. NOTE: some of these details are obtained from third party information. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2013-4401
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-urzt-z32b-97dp |
|
| 72 |
| url |
VCID-v25d-upc8-wfh4 |
| vulnerability_id |
VCID-v25d-upc8-wfh4 |
| summary |
The virConnectGetDomainCapabilities() libvirt API, versions 4.x.x before 4.10.1 and 5.x.x before 5.4.1, accepts an "emulatorbin" argument to specify the program providing emulation for a domain. Since v1.2.19, libvirt will execute that program to probe the domain's capabilities. Read-only clients could specify an arbitrary path for this argument, causing libvirtd to execute a crafted executable with its own privileges. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2019-10167
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
7.9 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-v25d-upc8-wfh4 |
|
| 73 |
| url |
VCID-vsx2-9wna-nuf2 |
| vulnerability_id |
VCID-vsx2-9wna-nuf2 |
| summary |
libvirt 1.0.0 through 1.2.x before 1.2.5, when fine grained access control is enabled, allows local users to read arbitrary files via a crafted XML document containing an XML external entity declaration in conjunction with an entity reference to the (1) virDomainDefineXML, (2) virNetworkCreateXML, (3) virNetworkDefineXML, (4) virStoragePoolCreateXML, (5) virStoragePoolDefineXML, (6) virStorageVolCreateXML, (7) virDomainCreateXML, (8) virNodeDeviceCreateXML, (9) virInterfaceDefineXML, (10) virStorageVolCreateXMLFrom, (11) virConnectDomainXMLFromNative, (12) virConnectDomainXMLToNative, (13) virSecretDefineXML, (14) virNWFilterDefineXML, (15) virDomainSnapshotCreateXML, (16) virDomainSaveImageDefineXML, (17) virDomainCreateXMLWithFiles, (18) virConnectCompareCPU, or (19) virConnectBaselineCPU API method, related to an XML External Entity (XXE) issue. NOTE: this issue was SPLIT from CVE-2014-0179 per ADT3 due to different affected versions of some vectors. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2014-5177
|
| risk_score |
null |
| exploitability |
0.5 |
| weighted_severity |
0.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-vsx2-9wna-nuf2 |
|
| 74 |
| url |
VCID-weet-hgv1-7bb9 |
| vulnerability_id |
VCID-weet-hgv1-7bb9 |
| summary |
Integer overflow in libvirt before 0.9.3 allows remote authenticated users to cause a denial of service (libvirtd crash) and possibly execute arbitrary code via a crafted virDomainGetVcpus RPC call that triggers memory corruption. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2011-2511
|
| risk_score |
null |
| exploitability |
0.5 |
| weighted_severity |
0.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-weet-hgv1-7bb9 |
|
| 75 |
| url |
VCID-wtyd-7ppt-23cj |
| vulnerability_id |
VCID-wtyd-7ppt-23cj |
| summary |
A NULL pointer dereference flaw was found in the udevConnectListAllInterfaces() function in libvirt. This issue can occur when detaching a host interface while at the same time collecting the list of interfaces via virConnectListAllInterfaces API. This flaw could be used to perform a denial of service attack by causing the libvirt daemon to crash. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2024-2496
|
| risk_score |
2.2 |
| exploitability |
0.5 |
| weighted_severity |
4.5 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-wtyd-7ppt-23cj |
|
| 76 |
| url |
VCID-x248-nq74-wbbs |
| vulnerability_id |
VCID-x248-nq74-wbbs |
| summary |
The virStorageVolCreateXML API in libvirt 1.2.14 through 1.2.19 allows remote authenticated users with a read-write connection to cause a denial of service (libvirtd crash) by triggering a failed unlink after creating a volume on a root_squash NFS pool. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2015-5247
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-x248-nq74-wbbs |
|
| 77 |
| url |
VCID-xkb6-5bav-f7ep |
| vulnerability_id |
VCID-xkb6-5bav-f7ep |
| summary |
Red Hat libvirt, possibly 0.7.2 through 0.8.2, recurses into disk-image backing stores without extracting the defined disk backing-store format, which might allow guest OS users to read arbitrary files on the host OS, and possibly have unspecified other impact, via unknown vectors. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2010-2238
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-xkb6-5bav-f7ep |
|
| 78 |
| url |
VCID-xkb7-cjga-pybw |
| vulnerability_id |
VCID-xkb7-cjga-pybw |
| summary |
The virNetServerProgramDispatchCall function in libvirt before 0.10.2 allows remote attackers to cause a denial of service (NULL pointer dereference and segmentation fault) via an RPC call with (1) an event as the RPC number or (2) an RPC number whose value is in a "gap" in the RPC dispatch table. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-4423
|
| risk_score |
null |
| exploitability |
0.5 |
| weighted_severity |
0.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-xkb7-cjga-pybw |
|
| 79 |
| url |
VCID-xxtc-8yjh-73h8 |
| vulnerability_id |
VCID-xxtc-8yjh-73h8 |
| summary |
The networkReloadIptablesRules function in network/bridge_driver.c in libvirt before 0.9.9 does not properly handle firewall rules on bridge networks when libvirtd is restarted, which might allow remote attackers to bypass intended access restrictions via a (1) DNS or (2) DHCP query. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2011-4600
|
| risk_score |
null |
| exploitability |
0.5 |
| weighted_severity |
0.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-xxtc-8yjh-73h8 |
|
| 80 |
| url |
VCID-y435-b4r1-ekdg |
| vulnerability_id |
VCID-y435-b4r1-ekdg |
| summary |
Buffer overflow in the proxyReadClientSocket function in proxy/libvirt_proxy.c in libvirt_proxy 0.5.1 might allow local users to gain privileges by sending a portion of the header of a virProxyPacket packet, and then sending the remainder of the packet with crafted values in the header, related to use of uninitialized memory in a validation check. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2009-0036
|
| risk_score |
null |
| exploitability |
2.0 |
| weighted_severity |
0.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-y435-b4r1-ekdg |
|
| 81 |
| url |
VCID-yb4y-39u3-eufg |
| vulnerability_id |
VCID-yb4y-39u3-eufg |
| summary |
libvirt 0.7.5 through 1.2.x before 1.2.5 allows local users to cause a denial of service (read block and hang) via a crafted XML document containing an XML external entity declaration in conjunction with an entity reference to the (1) virConnectCompareCPU or (2) virConnectBaselineCPU API method, related to an XML External Entity (XXE) issue. NOTE: this issue was SPLIT per ADT3 due to different affected versions of some vectors. CVE-2014-5177 is used for other API methods. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2014-0179
|
| risk_score |
null |
| exploitability |
0.5 |
| weighted_severity |
0.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-yb4y-39u3-eufg |
|
| 82 |
| url |
VCID-yhk7-v8zt-hbev |
| vulnerability_id |
VCID-yhk7-v8zt-hbev |
| summary |
libvirtd in libvirt before 0.9.0 does not use thread-safe error reporting, which allows remote attackers to cause a denial of service (crash) by causing multiple threads to report errors at the same time. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2011-1486
|
| risk_score |
null |
| exploitability |
0.5 |
| weighted_severity |
0.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-yhk7-v8zt-hbev |
|
| 83 |
| url |
VCID-ys1x-s4vn-tffu |
| vulnerability_id |
VCID-ys1x-s4vn-tffu |
| summary |
The virTypedParameterArrayClear function in libvirt 0.9.13 does not properly handle virDomain* API calls with typed parameters, which might allow remote authenticated users to cause a denial of service (libvirtd crash) via an RPC command with nparams set to zero, which triggers an out-of-bounds read or a free of an invalid pointer. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-3445
|
| risk_score |
null |
| exploitability |
0.5 |
| weighted_severity |
0.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-ys1x-s4vn-tffu |
|
| 84 |
| url |
VCID-yug2-qf4t-wfcc |
| vulnerability_id |
VCID-yug2-qf4t-wfcc |
| summary |
An information disclosure vulnerability was found in libvirt in versions before 6.3.0. HTTP cookies used to access network-based disks were saved in the XML dump of the guest domain. This flaw allows an attacker to access potentially sensitive information in the domain configuration via the `dumpxml` command. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2020-14301
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-yug2-qf4t-wfcc |
|
| 85 |
| url |
VCID-yxud-sjwj-afh1 |
| vulnerability_id |
VCID-yxud-sjwj-afh1 |
| summary |
Use-after-free vulnerability in the virNetMessageFree function in rpc/virnetserverclient.c in libvirt 1.0.x before 1.0.2, 0.10.2 before 0.10.2.3, 0.9.11 before 0.9.11.9, and 0.9.6 before 0.9.6.4 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code by triggering certain errors during an RPC connection, which causes a message to be freed without being removed from the message queue. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2013-0170
|
| risk_score |
0.1 |
| exploitability |
0.5 |
| weighted_severity |
0.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-yxud-sjwj-afh1 |
|
| 86 |
| url |
VCID-ztu1-8yz5-tyc6 |
| vulnerability_id |
VCID-ztu1-8yz5-tyc6 |
| summary |
libvirt version 2.3.0 and later is vulnerable to a bad default configuration of "verify-peer=no" passed to QEMU by libvirt resulting in a failure to validate SSL/TLS certificates by default. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2017-1000256
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-ztu1-8yz5-tyc6 |
|