CVE-2019-3886
Published: 4 April 2019
An incorrect permissions check was discovered in libvirt 4.8.0 and above. The readonly permission was allowed to invoke APIs depending on the guest agent, which could lead to potentially disclosing unintended information or denial of service by causing libvirt to block.
Notes
| Author | Note |
|---|---|
| mdeslaur | only a DoS, no information disclosure |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
libvirt Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
(code not present)
|
| cosmic |
Not vulnerable
(code not present)
|
|
| disco |
Released
(5.0.0-1ubuntu2.3)
|
|
| eoan |
Released
(5.4.0-0ubuntu1)
|
|
| focal |
Released
(5.4.0-0ubuntu1)
|
|
| groovy |
Released
(5.4.0-0ubuntu1)
|
|
| hirsute |
Released
(5.4.0-0ubuntu1)
|
|
| trusty |
Not vulnerable
(code not present)
|
|
| upstream |
Released
(5.0.0-2)
|
|
| xenial |
Not vulnerable
(code not present)
|
|
|
Patches: upstream: https://libvirt.org/git/?p=libvirt.git;a=commit;h=2a07c990bd9143d7a0fe8d1b6b7c763c52185240 upstream: https://libvirt.org/git/?p=libvirt.git;a=commit;h=ae076bb40e0e150aef41361b64001138d04d6c60 |
||
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 5.4 |
| Attack vector | Adjacent |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | Low |
| Integrity impact | None |
| Availability impact | Low |
| Vector | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L |