Privilege escalation in Red Hat Virtualization Host and Red Hat Virtualization - CVE-2018-10874
Published: July 31, 2018 / Updated: August 1, 2018
Vulnerability identifier: #VU14157
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U/U:Clear
CVE-ID: CVE-2018-10874
CWE-ID: CWE-264
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vendor: Red Hat Inc.
Affected software:
Red Hat Virtualization Host
Red Hat Virtualization
Red Hat Virtualization Host
Red Hat Virtualization
Detailed vulnerability description
The vulnerability allows a local attacker to gain elevated privileges on the target system.
The vulnerability exists due to the system reads the 'ansible.cfg' file from the current working directory when running an ad-hoc command. A local attacker can modify the file to reference arbitrary plugin or module paths and execute arbitrary code from those paths with elevated privileges.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
How to mitigate CVE-2018-10874
Install update from vendor's website.