CVE-2014-5177

Redhat Enterprise Virtualization - Improper Input Validation

Title source: rule
STIX 2.1

Description

libvirt 1.0.0 through 1.2.x before 1.2.5, when fine grained access control is enabled, allows local users to read arbitrary files via a crafted XML document containing an XML external entity declaration in conjunction with an entity reference to the (1) virDomainDefineXML, (2) virNetworkCreateXML, (3) virNetworkDefineXML, (4) virStoragePoolCreateXML, (5) virStoragePoolDefineXML, (6) virStorageVolCreateXML, (7) virDomainCreateXML, (8) virNodeDeviceCreateXML, (9) virInterfaceDefineXML, (10) virStorageVolCreateXMLFrom, (11) virConnectDomainXMLFromNative, (12) virConnectDomainXMLToNative, (13) virSecretDefineXML, (14) virNWFilterDefineXML, (15) virDomainSnapshotCreateXML, (16) virDomainSaveImageDefineXML, (17) virDomainCreateXMLWithFiles, (18) virConnectCompareCPU, or (19) virConnectBaselineCPU API method, related to an XML External Entity (XXE) issue. NOTE: this issue was SPLIT from CVE-2014-0179 per ADT3 due to different affected versions of some vectors.

References (8)

Core 8
Core References
Vendor Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2014-0560.html
Various Sources x_refsource_confirm
http://libvirt.org/news.html
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/60895
Third Party Advisory vendor-advisory x_refsource_gentoo
http://security.gentoo.org/glsa/glsa-201412-04.xml
Mailing List vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-updates/2014-05/msg00052.html
Mailing List vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-updates/2014-05/msg00048.html
Vendor Advisory vendor-advisory x_refsource_ubuntu
http://www.ubuntu.com/usn/USN-2366-1
Patch, Vendor Advisory x_refsource_confirm
http://security.libvirt.org/2014/0003.html

Scores

EPSS 0.0053
EPSS Percentile 41.0%

Details

CWE
CWE-20
Status published
Products (27)
opensuse/opensuse 12.3
opensuse/opensuse 13.1
redhat/enterprise_linux 6.0
redhat/enterprise_virtualization 3.0
redhat/libvirt 1.0.0
redhat/libvirt 1.0.1
redhat/libvirt 1.0.2
redhat/libvirt 1.0.3
redhat/libvirt 1.0.4
redhat/libvirt 1.0.5
... and 17 more
Published Aug 03, 2014
Tracked Since Feb 18, 2026