An incorrect permissions check was discovered in libvirt 4.8.0 and above. Clients with only the readonly permission were allowed to invoke APIs that depend on the guest agent, which could lead to disclosure of unintended information or to denial of service by causing libvirt to block.

References

[email protected]/message/CYMNKXAUBZCFBBPFH64FJPH5EJH4GSU2/

[email protected]/message/R5DHYIFECZ7BMVXK4EP4FDFZXK7I5MZH/


Source: MITRE

Published: 2019-04-04

Updated: 2019-06-19

Type: CWE-200

Risk Information

CVSS v2.0

Base Score: 4.8

Vector: AV:A/AC:L/Au:N/C:P/I:N/A:P

Impact Score: 4.9

Exploitability Score: 6.5

Severity: MEDIUM

CVSS v3.0

Base Score: 5.4

Vector: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L

Impact Score: 2.5

Exploitability Score: 2.8

Severity: MEDIUM