PT-2014-6316 · Libvirt+4

Daniel P. Berrange +1 · Published 2014-06-02 · Updated 2019-04-22 · CVE-2014-5177

CVSS v2.0: 1.2 (Low)

Vector: AV:L/AC:H/Au:N/C:P/I:N/A:N

Name of the Vulnerable Software and Affected Versions: libvirt versions 1.0.0 through 1.2.x before 1.2.5

Description: The issue allows local users to read arbitrary files via a crafted XML document containing an XML external entity declaration in conjunction with an entity reference, passed to various API methods, including virDomainDefineXML, virNetworkCreateXML, virNetworkDefineXML, virStoragePoolCreateXML, virStoragePoolDefineXML, virStorageVolCreateXML, virDomainCreateXML, virNodeDeviceCreateXML, virInterfaceDefineXML, virStorageVolCreateXMLFrom, virConnectDomainXMLFromNative, virConnectDomainXMLToNative, virSecretDefineXML, virNWFilterDefineXML, virDomainSnapshotCreateXML, virDomainSaveImageDefineXML, virDomainCreateXMLWithFiles, virConnectCompareCPU, or virConnectBaselineCPU. This is related to an XML External Entity (XXE) issue.

Recommendations: For libvirt versions 1.0.0 through 1.2.x before 1.2.5, consider disabling the fine-grained access control feature until a patch is available. Restrict access to the API methods listed above to minimize the risk of exploitation. Avoid using crafted XML documents that contain XML external entity declarations.
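
A pre-submission check in line with the last recommendation, as an added example that is not libvirt's code or part of this advisory: a management layer can refuse any XML that carries a DOCTYPE or entity declaration before handing it to the define/create methods listed above. The names `reject_entity_declarations`, `ForbiddenXML`, `forbid_dtd` and both sample documents are constructed for illustration, and the check complements an upgrade past the affected versions rather than replacing it.

```python
import xml.parsers.expat


class ForbiddenXML(ValueError):
    """The document declares a DTD or an entity, or is not well-formed."""


def reject_entity_declarations(xml_text, forbid_dtd=True):
    """Return xml_text unchanged if it is safe to forward, else raise.

    Hypothetical helper: run it on untrusted XML before the string reaches
    virDomainDefineXML or any other method named in the description.
    expat only reports declarations here; it never fetches external entities.
    """
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise ForbiddenXML(f"DOCTYPE not allowed (root {name!r})")

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        kind = "external" if sysid is not None else "internal"
        raise ForbiddenXML(f"{kind} entity declaration not allowed: {name!r}")

    if forbid_dtd:
        # libvirt XML needs no DTD, so the strict policy rejects it outright.
        parser.StartDoctypeDeclHandler = on_doctype
    # Entity declarations are rejected under either policy.
    parser.EntityDeclHandler = on_entity_decl
    try:
        parser.Parse(xml_text, True)
    except xml.parsers.expat.ExpatError as exc:
        raise ForbiddenXML(f"not well-formed: {exc}") from exc
    return xml_text


# Constructed sample inputs (not taken from the advisory).
SAMPLE_OK = "<domain type='kvm'><name>demo</name></domain>"
SAMPLE_XXE = (
    '<!DOCTYPE domain [<!ENTITY ext SYSTEM "file:///placeholder">]>'
    "<domain type='kvm'><name>&ext;</name></domain>"
)

if __name__ == "__main__":
    for label, doc in (("ok", SAMPLE_OK), ("xxe", SAMPLE_XXE)):
        try:
            reject_entity_declarations(doc)
            print(label, "accepted")
        except ForbiddenXML as err:
            print(label, "rejected:", err)
```
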

Fix

RCE


Weakness Enumeration

Related identifiers

ALT-PU-2014-1702
CESA-2014_0914
CVE-2014-5177
RHSA-2014:0914
RHSA-2014_0914
USN-2366-1

Affected products

Alt Linux
CentOS
Red Hat
Ubuntu
Libvirt