Vulnerability CVE-2010-3851


Published: 2010-11-04   Modified: 2012-02-13

Description:
libguestfs before 1.5.23, as used in virt-v2v, virt-inspector 1.5.3 and earlier, and possibly other products, when a raw-format disk image is used, allows local guest OS administrators to read files from the host via a crafted (1) qcow2, (2) VMDK, or (3) VDI header, related to lack of support for a disk format specifier.

Type:

CWE-200

(Information Exposure)

CVSS2 => (AV:L/AC:M/Au:N/C:C/I:N/A:N)

CVSS Base Score
Impact Subscore
Exploitability Subscore
4.7/10
6.9/10
3.4/10
Exploit range
Attack complexity
Authentication
Local
Medium
No required
Confidentiality impact
Integrity impact
Availability impact
Complete
None
None
Affected software
Libguestfs -> Libguestfs 

 References:
https://www.redhat.com/archives/libguestfs/2010-October/msg00041.html
http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050237.html
https://www.redhat.com/archives/libguestfs/2010-October/msg00037.html
https://www.redhat.com/archives/libguestfs/2010-October/msg00036.html
https://bugzilla.redhat.com/show_bug.cgi?id=643958
http://www.vupen.com/english/advisories/2010/2963
http://www.vupen.com/english/advisories/2010/2874
http://www.securityfocus.com/bid/44166
http://www.redhat.com/support/errata/RHSA-2011-0586.html
http://secunia.com/advisories/42235
http://secunia.com/advisories/41797
http://rwmj.wordpress.com/2010/10/23/new-libguestfs-stable-versions/
http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050742.html

Copyright 2024, cxsecurity.com

 

Back to Top