CVE-2014-3657Improper Input Validation in Libvirt

CWE-399CWE-20Improper Input Validation10 documents8 sources
Severity
5.0MEDIUMNVD
EPSS
1.3%
top 20.36%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Redhat LibvirtLibvirt
Timeline
PublishedOct 6
Latest updateMay 17

Description

The virDomainListPopulate function in conf/domain_conf.c in libvirt before 1.2.9 does not clean up the lock on the list of domains, which allows remote attackers to cause a denial of service (deadlock) via a NULL value in the second parameter in the virConnectListAllDomains API command.

CVSS vector

AV:N/AC:L/C:N/I:N/A:PExploitability: 10.0 | Impact: 2.9

Affected Packages3 packages

Debianredhat/libvirt< 1.2.9-1+3
Ubunturedhat/libvirt< 1.2.2-0ubuntu13.1.7
NVDlibvirt/libvirt1.2.8+8

🔴Vulnerability Details

4
GHSA
GHSA-543q-9rm2-x5f3: The virDomainListPopulate function in conf/domain_conf2022-05-17
OSV
libvirt vulnerabilities2014-11-11
OSV
CVE-2014-3657: The virDomainListPopulate function in conf/domain_conf2014-10-06
CVEList
CVE-2014-3657: The virDomainListPopulate function in conf/domain_conf2014-10-06

📋Vendor Advisories

3
Ubuntu
libvirt vulnerabilities2014-11-11
Red Hat
libvirt: domain_conf: domain deadlock DoS2014-10-01
Debian
CVE-2014-3657: libvirt - The virDomainListPopulate function in conf/domain_conf.c in libvirt before 1.2.9...2014

💬Community

2
Bugzilla
CVE-2014-3657 libvirt: domain_conf: domain deadlock DoS [fedora-all]2014-11-05
Bugzilla
CVE-2014-3657 libvirt: domain_conf: domain deadlock DoS2014-09-23
CVE-2014-3657 — Improper Input Validation in Libvirt | cvebase