CVE-2015-5160 — Sensitive Information Exposure in Libvirt

CWE-200 — Sensitive Information Exposure7 documents7 sources

Severity

5.5MEDIUMNVD

EPSS

0.1%

top 65.11%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redhat Libvirt Libvirt Redhat Enterprise Linux +8 more

Timeline

PublishedAug 20

Latest updateMay 13

Description

libvirt before 2.2 includes Ceph credentials on the qemu command line when using RADOS Block Device (aka RBD), which allows local users to obtain sensitive information via a process listing.

CVSS vector

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 1.8 | Impact: 3.6

Affected Packages6 packages

▶NVDlibvirt/libvirt< 2.2

▶Debianredhat/libvirt< 2.2.0-1+3

▶NVDredhat/virtualization3.0

▶NVDredhat/enterprise_linux_server7.0

▶NVDredhat/enterprise_linux_desktop7.0

Also affects: Enterprise Linux 5, 6.0, 7.3, 7.4, 7.5, 7.6

🔴Vulnerability Details

GHSA

GHSA-57w8-4258-hhvg: libvirt before 2↗2022-05-13

▶

OSV

CVE-2015-5160: libvirt before 2↗2018-08-20

▶

CVEList

CVE-2015-5160: libvirt before 2↗2018-08-20

▶

📋Vendor Advisories

Red Hat

libvirt: Ceph id/key leaked in the process list↗2015-08-10

▶

Debian

CVE-2015-5160: libvirt - libvirt before 2.2 includes Ceph credentials on the qemu command line when using...↗2015

▶

💬Community

Bugzilla

CVE-2015-5160 libvirt: Ceph id/key leaked in the process list↗2015-07-22

▶