CVE-2017-1000256: libvirt version 2.3.0 and later is vulnerable to a bad default configuration of "verify-peer=no" passed to QEMU by libvirt resulting in a failure to validate…

high8.1CVSS 3.1

AVNACHPRNUINSUCHIHAH

libvirt version 2.3.0 and later is vulnerable to a bad default configuration of "verify-peer=no" passed to QEMU by libvirt resulting in a failure to validate SSL/TLS certificates by default.

Affected

12 ranges

Vendor	Product	Version range	Fixed in
debian	debian_linux	—	—
debian	libvirt	< libvirt 3.8.0-3 (bookworm)	libvirt 3.8.0-3 (bookworm)
msrc	cbl_mariner_1.0_arm	—	—
msrc	cbl_mariner_1.0_x64	—	—
msrc	cm1_libvirt_6.1.0-1_on_cbl_mariner_1.0	—	—
redhat	libvirt	>= 0 < 3.8.0-3	3.8.0-3
redhat	libvirt	>= 0 < 3.8.0-3	3.8.0-3
redhat	libvirt	>= 0 < 3.8.0-3	3.8.0-3
redhat	libvirt	>= 0 < 3.8.0-3	3.8.0-3
redhat	libvirt	>= 0 < 1.2.2-0ubuntu13.1.26	1.2.2-0ubuntu13.1.26
redhat	libvirt	>= 0 < 1.3.1-1ubuntu10.19	1.3.1-1ubuntu10.19
redhat	libvirt	>= 2.3.0 < 3.9.0	3.9.0

CVSS provenance

nvdv3.18.1HIGHCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

osv9.8CRITICAL