Debian Libvirt vulnerabilities

CVE-2020-12430 [MEDIUM] CVE-2020-12430: libvirt - An issue was discovered in qemuDomainGetStatsIOThread in qemu/qemu_driver.c in l... An issue was discovered in qemuDomainGetStatsIOThread in qemu/qemu_driver.c in libvirt 4.10.0 though 6.x before 6.1.0. A memory leak was found in the virDomainListGetStats libvirt API that is responsible for retrieving domain statistics when managing QEMU guests. This flaw allows unprivileged users with a read-only connection to cause a memory leak in the domstats

CVE-2020-15708 [CRITICAL] CVE-2020-15708: libvirt - Ubuntu's packaging of libvirt in 20.04 LTS created a control socket with world r... Ubuntu's packaging of libvirt in 20.04 LTS created a control socket with world read and write permissions. An attacker could use this to overwrite arbitrary files or execute arbitrary code. Scope: local bookworm: resolved bullseye: resolved forky: resolved sid: resolved trixie: resolved

CVE-2019-10161 [HIGH] CVE-2019-10161: libvirt - It was discovered that libvirtd before versions 4.10.1 and 5.4.1 would permit re... It was discovered that libvirtd before versions 4.10.1 and 5.4.1 would permit read-only clients to use the virDomainSaveImageGetXMLDesc() API, specifying an arbitrary path which would be accessed with the permissions of the libvirtd process. An attacker with access to the libvirtd socket could use this to probe the existence of arbitrary files, cause denial of servi

CVE-2019-10167 [HIGH] CVE-2019-10167: libvirt - The virConnectGetDomainCapabilities() libvirt API, versions 4.x.x before 4.10.1 ... The virConnectGetDomainCapabilities() libvirt API, versions 4.x.x before 4.10.1 and 5.x.x before 5.4.1, accepts an "emulatorbin" argument to specify the program providing emulation for a domain. Since v1.2.19, libvirt will execute that program to probe the domain's capabilities. Read-only clients could specify an arbitrary path for this argument, causing libvirtd to

CVE-2019-10132 [HIGH] CVE-2019-10132: libvirt - A vulnerability was found in libvirt >= 4.1.0 in the virtlockd-admin.socket and ... A vulnerability was found in libvirt >= 4.1.0 in the virtlockd-admin.socket and virtlogd-admin.socket systemd units. A missing SocketMode configuration parameter allows any user on the host to connect using virtlockd-admin-sock or virtlogd-admin-sock and perform administrative tasks against the virtlockd and virtlogd daemons. Scope: local bookworm: resolved (fixed i

CVE-2019-10166 [HIGH] CVE-2019-10166: libvirt - It was discovered that libvirtd, versions 4.x.x before 4.10.1 and 5.x.x before 5... It was discovered that libvirtd, versions 4.x.x before 4.10.1 and 5.x.x before 5.4.1, would permit readonly clients to use the virDomainManagedSaveDefineXML() API, which would permit them to modify managed save state files. If a managed save had already been created by a privileged user, a local attacker could modify this file such that libvirtd would execute an arb

CVE-2019-10168 [HIGH] CVE-2019-10168: libvirt - The virConnectBaselineHypervisorCPU() and virConnectCompareHypervisorCPU() libvi... The virConnectBaselineHypervisorCPU() and virConnectCompareHypervisorCPU() libvirt APIs, 4.x.x before 4.10.1 and 5.x.x before 5.4.1, accept an "emulator" argument to specify the program providing emulation for a domain. Since v1.2.19, libvirt will execute that program to probe the domain's capabilities. Read-only clients could specify an arbitrary path for this argu

CVE-2019-3840 [MEDIUM] CVE-2019-3840: libvirt - A NULL pointer dereference flaw was discovered in libvirt before version 5.0.0 i... A NULL pointer dereference flaw was discovered in libvirt before version 5.0.0 in the way it gets interface information through the QEMU agent. An attacker in a guest VM can use this flaw to crash libvirtd and cause a denial of service. Scope: local bookworm: resolved (fixed in 5.0.0-1) bullseye: resolved (fixed in 5.0.0-1) forky: resolved (fixed in 5.0.0-1) sid: re

CVE-2019-3886 [MEDIUM] CVE-2019-3886: libvirt - An incorrect permissions check was discovered in libvirt 4.8.0 and above. The re... An incorrect permissions check was discovered in libvirt 4.8.0 and above. The readonly permission was allowed to invoke APIs depending on the guest agent, which could lead to potentially disclosing unintended information or denial of service by causing libvirt to block. Scope: local bookworm: resolved (fixed in 5.0.0-2) bullseye: resolved (fixed in 5.0.0-2) forky: r

CVE-2019-20485 [MEDIUM] CVE-2019-20485: libvirt - qemu/qemu_driver.c in libvirt before 6.0.0 mishandles the holding of a monitor j... qemu/qemu_driver.c in libvirt before 6.0.0 mishandles the holding of a monitor job during a query to a guest agent, which allows attackers to cause a denial of service (API blockage). Scope: local bookworm: resolved (fixed in 6.0.0-2) bullseye: resolved (fixed in 6.0.0-2) forky: resolved (fixed in 6.0.0-2) sid: resolved (fixed in 6.0.0-2) trixie: resolved (fixed i

CVE-2018-1064 [HIGH] CVE-2018-1064: libvirt - libvirt version before 4.2.0-rc1 is vulnerable to a resource exhaustion as a res... libvirt version before 4.2.0-rc1 is vulnerable to a resource exhaustion as a result of an incomplete fix for CVE-2018-5748 that affects QEMU monitor but now also triggered via QEMU guest agent. Scope: local bookworm: resolved (fixed in 4.1.0-1) bullseye: resolved (fixed in 4.1.0-1) forky: resolved (fixed in 4.1.0-1) sid: resolved (fixed in 4.1.0-1) trixie: resolved (f

CVE-2018-5748 [HIGH] CVE-2018-5748: libvirt - qemu/qemu_monitor.c in libvirt allows attackers to cause a denial of service (me... qemu/qemu_monitor.c in libvirt allows attackers to cause a denial of service (memory consumption) via a large QEMU reply. Scope: local bookworm: resolved (fixed in 4.0.0-1) bullseye: resolved (fixed in 4.0.0-1) forky: resolved (fixed in 4.0.0-1) sid: resolved (fixed in 4.0.0-1) trixie: resolved (fixed in 4.0.0-1)

CVE-2018-6764 [HIGH] CVE-2018-6764: libvirt - util/virlog.c in libvirt does not properly determine the hostname on LXC contain... util/virlog.c in libvirt does not properly determine the hostname on LXC container startup, which allows local guest OS users to bypass an intended container protection mechanism and execute arbitrary commands via a crafted NSS module. Scope: local bookworm: resolved (fixed in 4.0.0-2) bullseye: resolved (fixed in 4.0.0-2) forky: resolved (fixed in 4.0.0-2) sid: resol

CVE-2017-2635 [HIGH] CVE-2017-2635: libvirt - A NULL pointer deference flaw was found in the way libvirt from 2.5.0 to 3.0.0 h... A NULL pointer deference flaw was found in the way libvirt from 2.5.0 to 3.0.0 handled empty drives. A remote authenticated attacker could use this flaw to crash libvirtd daemon resulting in denial of service. Scope: local bookworm: resolved (fixed in 3.0.0-3) bullseye: resolved (fixed in 3.0.0-3) forky: resolved (fixed in 3.0.0-3) sid: resolved (fixed in 3.0.0-3) tri

CVE-2017-1000256 [HIGH] CVE-2017-1000256: libvirt - libvirt version 2.3.0 and later is vulnerable to a bad default configuration of ... libvirt version 2.3.0 and later is vulnerable to a bad default configuration of "verify-peer=no" passed to QEMU by libvirt resulting in a failure to validate SSL/TLS certificates by default. Scope: local bookworm: resolved (fixed in 3.8.0-3) bullseye: resolved (fixed in 3.8.0-3) forky: resolved (fixed in 3.8.0-3) sid: resolved (fixed in 3.8.0-3) trixie: resolved

CVE-2016-5008 [CRITICAL] CVE-2016-5008: libvirt - libvirt before 2.0.0 improperly disables password checking when the password on ... libvirt before 2.0.0 improperly disables password checking when the password on a VNC server is set to an empty string, which allows remote attackers to bypass authentication and establish a VNC session by connecting to the server. Scope: local bookworm: resolved (fixed in 2.0.0-1) bullseye: resolved (fixed in 2.0.0-1) forky: resolved (fixed in 2.0.0-1) sid: resol

CVE-2016-10746 [HIGH] CVE-2016-10746: libvirt - libvirt-domain.c in libvirt before 1.3.1 supports virDomainGetTime API calls by ... libvirt-domain.c in libvirt before 1.3.1 supports virDomainGetTime API calls by guest agents with an RO connection, even though an RW connection was supposed to be required, a different vulnerability than CVE-2019-3886. Scope: local bookworm: resolved (fixed in 1.3.1-1) bullseye: resolved (fixed in 1.3.1-1) forky: resolved (fixed in 1.3.1-1) sid: resolved (fixed in

CVE-2015-5247 [MEDIUM] CVE-2015-5247: libvirt - The virStorageVolCreateXML API in libvirt 1.2.14 through 1.2.19 allows remote au... The virStorageVolCreateXML API in libvirt 1.2.14 through 1.2.19 allows remote authenticated users with a read-write connection to cause a denial of service (libvirtd crash) by triggering a failed unlink after creating a volume on a root_squash NFS pool. Scope: local bookworm: resolved (fixed in 1.2.20-1) bullseye: resolved (fixed in 1.2.20-1) forky: resolved (fixed

CVE-2015-5313 [LOW] CVE-2015-5313: libvirt - Directory traversal vulnerability in the virStorageBackendFileSystemVolCreate fu... Directory traversal vulnerability in the virStorageBackendFileSystemVolCreate function in storage/storage_backend_fs.c in libvirt, when fine-grained Access Control Lists (ACL) are in effect, allows local users with storage_vol:create ACL but not domain:write permission to write to arbitrary files via a .. (dot dot) in a volume name. Scope: local bookworm: resolved (fix

CVE-2015-5160 [MEDIUM] CVE-2015-5160: libvirt - libvirt before 2.2 includes Ceph credentials on the qemu command line when using... libvirt before 2.2 includes Ceph credentials on the qemu command line when using RADOS Block Device (aka RBD), which allows local users to obtain sensitive information via a process listing. Scope: local bookworm: resolved (fixed in 2.2.0-1) bullseye: resolved (fixed in 2.2.0-1) forky: resolved (fixed in 2.2.0-1) sid: resolved (fixed in 2.2.0-1) trixie: resolved (fi