CVE-2013-4291 — Redhat Libvirt vulnerability

CWE-2648 documents7 sources

Severity

6.9MEDIUMNVD

EPSS

0.0%

top 85.90%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redhat Libvirt

Timeline

PublishedSep 30

Latest updateMay 17

Description

The virSecurityManagerSetProcessLabel function in libvirt 0.10.2.7, 1.0.5.5, and 1.1.1, when the domain has read an uid:gid label, does not properly set group memberships, which allows local users to gain privileges.

CVSS vector

AV:L/AC:M/C:C/I:C/A:CExploitability: 3.4 | Impact: 10.0

Affected Packages2 packages

▶Debianredhat/libvirt< 1.1.2-2+3

▶NVDredhat/libvirt0.10.2.7, 1.0.5.5, 1.1.1+2

Patches

Patch: wiki.libvirt.org ↗Patch: bugzilla.redhat.com ↗Patch: wiki.libvirt.org ↗

🔴Vulnerability Details

GHSA

GHSA-293r-4r95-pff2: The virSecurityManagerSetProcessLabel function in libvirt 0↗2022-05-17

▶

CVEList

CVE-2013-4291: The virSecurityManagerSetProcessLabel function in libvirt 0↗2013-09-30

▶

OSV

CVE-2013-4291: The virSecurityManagerSetProcessLabel function in libvirt 0↗2013-09-30

▶

📋Vendor Advisories

Red Hat

libvirt: supplementary groups not adjusted correctly when parsing label↗2013-08-29

▶

Debian

CVE-2013-4291: libvirt - The virSecurityManagerSetProcessLabel function in libvirt 0.10.2.7, 1.0.5.5, and...↗2013

▶

💬Community

Bugzilla

CVE-2013-4297 CVE-2013-4291 CVE-2013-5651 libvirt: various flaws [fedora-all]↗2013-09-10

▶

Bugzilla

CVE-2013-4291 libvirt: supplementary groups not adjusted correctly when parsing label↗2013-09-10

▶