Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2020-14339

A flaw was found in libvirt, where it leaked a file descriptor for `/dev/mapper/control` into the QEMU process. This file descriptor allows for privileged operations to happen against the device-mapper on the host. This flaw allows a malicious guest user or process to perform operations outside of their standard permissions, potentially causing serious damage to the host operating system. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.

Published

2020-12-03T17:15:12.207

Last Modified

2024-11-21T05:03:02.640

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 8.8 (HIGH)

CVSSv2 Vector

AV:L/AC:L/Au:N/C:C/I:C/A:C

Access Vector: LOCAL
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE

Exploitability Score

3.9

Impact Score

10.0

Weaknesses

Type: Secondary
CWE-772
Type: Secondary
CWE-772

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	redhat	libvirt	< 6.7.0	Yes
Operating System	redhat	enterprise_linux	8.0	Yes

References

https://bugzilla.redhat.com/show_bug.cgi?id=1860069 Issue Tracking, Patch, Third Party Advisory ([email protected])
https://security.gentoo.org/glsa/202101-22 Third Party Advisory ([email protected])
https://security.gentoo.org/glsa/202210-06 Third Party Advisory ([email protected])
https://bugzilla.redhat.com/show_bug.cgi?id=1860069 Issue Tracking, Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://security.gentoo.org/glsa/202101-22 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://security.gentoo.org/glsa/202210-06 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)