CVE-2020-10701

EUVD-2020-3132

27.05.2021, 19:15

A missing authorization flaw was found in the libvirt API responsible for changing the QEMU agent response timeout. This flaw allows read-only connections to adjust the time that libvirt waits for the QEMU guest agent to respond to agent commands. Depending on the timeout value that is set, this flaw can make guest agent commands fail because the agent cannot respond in time. Unprivileged users with a read-only connection could abuse this flaw to set the response timeout for all guest agent messages to zero, potentially leading to a denial of service. This flaw affects libvirt versions before 6.2.0.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	6.5 MEDIUM	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 49%

Affected Products (NVD)

Vendor	Product	Version
redhat	libvirt	𝑥 < 6.2.0

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

libvirt

bookworm	9.0.0-4+deb12u1 fixed
bullseye	7.0.0-3+deb11u3 fixed
buster	not-affected
jessie	not-affected
sid	10.9.0-1 fixed
stretch	not-affected
trixie	10.9.0-1 fixed

Ubuntu Releases

Ubuntu Product

Codename

libvirt

bionic	not-affected
eoan	not-affected
trusty	not-affected
xenial	not-affected

Common Weakness Enumeration

CWE-862 - Missing Authorization
The software does not perform an authorization check when an actor attempts to access a resource or perform an action.

References

https://bugzilla.redhat.com/show_bug.cgi?id=1819163

https://security.netapp.com/advisory/ntap-20210708-0001/

https://bugzilla.redhat.com/show_bug.cgi?id=1819163

https://security.netapp.com/advisory/ntap-20210708-0001/