Severity
1.2 LOW
EPSS
0.1%
top 70.03%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Aug 3
Latest update: May 14

Description

libvirt 1.0.0 through 1.2.x before 1.2.5, when fine grained access control is enabled, allows local users to read arbitrary files via a crafted XML document containing an XML external entity declaration in conjunction with an entity reference to the (1) virDomainDefineXML, (2) virNetworkCreateXML, (3) virNetworkDefineXML, (4) virStoragePoolCreateXML, (5) virStoragePoolDefineXML, (6) virStorageVolCreateXML, (7) virDomainCreateXML, (8) virNodeDeviceCreateXML, (9) virInterfaceDefineXML, (10) virSto

CVSS vector

AV:L/AC:H/C:P/I:N/A:N
Exploitability: 1.9 | Impact: 2.9

Affected Packages (5 packages)

Debian: libvirt < 1.2.4-1 +3
Ubuntu: libvirt < 1.2.2-0ubuntu13.1.5
NVD: redhat/libvirt, 23 versions +22
NVD: opensuse/opensuse 12.3, 13.1 +1

Also affects: Enterprise Linux 6.0

Patches

🔴 Vulnerability Details

4
GHSA
GHSA-v3jv-v62w-8q9m: libvirt 1 (2022-05-14)
OSV
libvirt vulnerabilities (2014-09-30)
CVEList
CVE-2014-5177: libvirt 1 (2014-08-03)
OSV
CVE-2014-5177: libvirt 1 (2014-08-03)

📋 Vendor Advisories

4
Ubuntu
libvirt vulnerabilities (2014-09-30)
Red Hat
libvirt: unsafe parsing of XML documents allows libvirt DoS and/or arbitrary file read (2014-05-06)
Red Hat
libvirt: unsafe parsing of XML documents allows libvirt DoS and/or arbitrary file read (2014-05-06)
Debian
CVE-2014-5177: libvirt - libvirt 1.0.0 through 1.2.x before 1.2.5, when fine grained access control is en... (2014)

💬 Community

1
Bugzilla
CVE-2014-0179 CVE-2014-5177 libvirt: unsafe parsing of XML documents allows libvirt DoS and/or arbitrary file read (2014-04-16)
CVE-2014-5177 (LOW CVSS 1.2) | libvirt 1.0.0 through 1.2.x before | cvebase.io