CVE-2019-12929
Published: 24 June 2019
** DISPUTED ** The QMP guest_exec command in QEMU 4.0.0 and earlier is prone to OS command injection, which allows the attacker to achieve code execution, denial of service, or information disclosure by sending a crafted QMP command to the listening server. Note: This has been disputed as a non-issue since QEMU's -qmp interface is meant to be used by trusted users. If one is able to access this interface via a tcp socket open to the internet, then it is an insecure configuration issue.
Notes
Author | Note |
---|---|
mdeslaur | marking as ignored as this is working as designed and should not be used by non-trusted users |
Priority
Status
Package | Release | Status |
---|---|---|
qemu Launchpad, Ubuntu, Debian |
bionic |
Ignored
|
cosmic |
Ignored
|
|
disco |
Ignored
|
|
trusty |
Ignored
|
|
upstream |
Needs triage
|
|
xenial |
Ignored
|
|
qemu-kvm Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
cosmic |
Does not exist
|
|
disco |
Does not exist
|
|
trusty |
Does not exist
|
|
upstream |
Needs triage
|
|
xenial |
Does not exist
|
Severity score breakdown
Parameter | Value |
---|---|
Base score | 9.8 |
Attack vector | Network |
Attack complexity | Low |
Privileges required | None |
User interaction | None |
Scope | Unchanged |
Confidentiality | High |
Integrity impact | High |
Availability impact | High |
Vector | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |