Improper access control in libvirt - CVE-2019-10161
Published: June 23, 2019
Vulnerability identifier: #VU18879
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2019-10161
CWE-ID: CWE-284
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vendor: libvirt.org
Affected software:
libvirt
libvirt
Detailed vulnerability description
The vulnerability allows a remote attacker to gain unauthorized access to sensitive information.
The vulnerability exists due to improper access restrictions in libvirtd that allow read-only clients to use the virDomainSaveImageGetXMLDesc() API. A local user with read-only access to the libvirtd socket can confirm presence of arbitrary files on the system, trigger denial of service condition or execute arbitrary applications on the affected system.
How to mitigate CVE-2019-10161
Cybersecurity Help is currently unaware of any official solution to address this vulnerability.