CVE-2019-3886 — Missing Authorization in Redhat Libvirt
Severity
5.4MEDIUMNVD
EPSS
0.5%
top 35.70%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
PublishedApr 4
Latest updateMay 13
Description
An incorrect permissions check was discovered in libvirt 4.8.0 and above. The readonly permission was allowed to invoke APIs depending on the guest agent, which could lead to potentially disclosing unintended information or denial of service by causing libvirt to block.
CVSS vector
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:LExploitability: 2.8 | Impact: 2.5
Affected Packages4 packages
Also affects: Fedora 29, 30
Patches
🔴Vulnerability Details
3📋Vendor Advisories
5Red Hat▶
libvirt: libvirt-domain.c supports virDomainGetTime API calls with an RO connection instead of RW connection↗2019-04-18
Microsoft▶
An incorrect permissions check was discovered in libvirt 4.8.0 and above. The readonly permission was allowed to invoke APIs depending on the guest agent which could lead to potentially disclosing uni↗2019-04-09
Debian▶
CVE-2019-3886: libvirt - An incorrect permissions check was discovered in libvirt 4.8.0 and above. The re...↗2019
💬Community
4Bugzilla▶
CVE-2019-3886 libvirt: virsh domhostname command discloses guest hostname in readonly mode [fedora-rawhide]↗2019-04-04
Bugzilla▶
CVE-2019-3886 mingw-libvirt: libvirt: virsh domhostname command discloses guest hostname in readonly mode [fedora-rawhide]↗2019-04-04
Bugzilla▶
CVE-2019-3886 libvirt: virsh domhostname command discloses guest hostname in readonly mode↗2019-04-01