CVE-2015-5160: libvirt before 2.2 includes Ceph credentials on the qemu command line when using RADOS Block Device (aka RBD), which allows local users to obtain sensitive…

medium5.5CVSS 3.0

AVLACLPRLUINSUCHINAN

libvirt before 2.2 includes Ceph credentials on the qemu command line when using RADOS Block Device (aka RBD), which allows local users to obtain sensitive information via a process listing.

Affected

25 ranges

Vendor	Product	Version range	Fixed in
debian	libvirt	< libvirt 2.2.0-1 (bookworm)	libvirt 2.2.0-1 (bookworm)
libvirt	libvirt	< 2.2	2.2
redhat	enterprise_linux	—	—
redhat	enterprise_linux	—	—
redhat	enterprise_linux_desktop	—	—
redhat	enterprise_linux_eus	—	—
redhat	enterprise_linux_eus	—	—
redhat	enterprise_linux_eus	—	—
redhat	enterprise_linux_eus	—	—
redhat	enterprise_linux_server	—	—
redhat	enterprise_linux_server_aus	—	—
redhat	enterprise_linux_server_aus	—	—
redhat	enterprise_linux_server_aus	—	—
redhat	enterprise_linux_server_eus	—	—
redhat	enterprise_linux_server_eus	—	—
redhat	enterprise_linux_server_eus	—	—
redhat	enterprise_linux_server_eus	—	—
redhat	enterprise_linux_server_tus	—	—
redhat	enterprise_linux_server_tus	—	—
redhat	enterprise_linux_workstation	—	—
redhat	libvirt	>= 0 < 2.2.0-1	2.2.0-1
redhat	libvirt	>= 0 < 2.2.0-1	2.2.0-1
redhat	libvirt	>= 0 < 2.2.0-1	2.2.0-1
redhat	libvirt	>= 0 < 2.2.0-1	2.2.0-1
redhat	virtualization	—	—

CVSS provenance

nvdv3.05.5MEDIUMCVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

osv5.5MEDIUM