Unrated severityNVD Advisory· Published Jul 30, 2019· Updated Aug 4, 2024

CVE-2019-10161

Description

It was discovered that libvirtd before versions 4.10.1 and 5.4.1 would permit read-only clients to use the virDomainSaveImageGetXMLDesc() API, specifying an arbitrary path which would be accessed with the permissions of the libvirtd process. An attacker with access to the libvirtd socket could use this to probe the existence of arbitrary files, cause denial of service or cause libvirtd to execute arbitrary programs.

Affected products

Libvirt/Libvirtv5
Range: fixed in 4.10.1

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

security.gentoo.org/glsa/202003-18mitrevendor-advisoryx_refsource_GENTOO
usn.ubuntu.com/4047-2/mitrevendor-advisoryx_refsource_UBUNTU
access.redhat.com/libvirt-privesc-vulnerabilitiesmitrex_refsource_CONFIRM
bugzilla.redhat.com/show_bug.cgimitrex_refsource_CONFIRM
libvirt.org/git/mitrex_refsource_CONFIRM

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000