Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2020-10701

A missing authorization flaw was found in the libvirt API responsible for changing the QEMU agent response timeout. This flaw allows read-only connections to adjust the time that libvirt waits for the QEMU guest agent to respond to agent commands. Depending on the timeout value that is set, this flaw can make guest agent commands fail because the agent cannot respond in time. Unprivileged users with a read-only connection could abuse this flaw to set the response timeout for all guest agent messages to zero, potentially leading to a denial of service. This flaw affects libvirt versions before 6.2.0.

Published

2021-05-27T19:15:07.767

Last Modified

2024-11-21T04:55:53.080

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 6.5 (MEDIUM)

CVSSv2 Vector

AV:N/AC:L/Au:S/C:N/I:N/A:P

Access Vector: NETWORK
Access Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL

Exploitability Score

8.0

Impact Score

2.9

Weaknesses

Type: Primary
CWE-862

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	redhat	libvirt	< 6.2.0	Yes

References

https://bugzilla.redhat.com/show_bug.cgi?id=1819163 Issue Tracking, Patch, Vendor Advisory ([email protected])
https://security.netapp.com/advisory/ntap-20210708-0001/ Third Party Advisory ([email protected])
https://bugzilla.redhat.com/show_bug.cgi?id=1819163 Issue Tracking, Patch, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://security.netapp.com/advisory/ntap-20210708-0001/ Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)