CVE-2015-5160

MEDIUM

libvirt < 2.2 - Exposure of Sensitive Information via Ceph Credentials in qemu Command Line

Title source: llm
STIX 2.1

Description

libvirt before 2.2 includes Ceph credentials on the qemu command line when using RADOS Block Device (aka RBD), which allows local users to obtain sensitive information via a process listing.

References (5)

Core 5
Core References
Third Party Advisory x_refsource_confirm
https://wiki.openstack.org/wiki/OSSN/OSSN-0079
Issue Tracking, Third Party Advisory x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=1245647
Third Party Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2016-2577.html
Issue Tracking, Third Party Advisory x_refsource_confirm
https://bugs.launchpad.net/ossn/+bug/1686743
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2017/07/21/3

Scores

CVSS v3 5.5
EPSS 0.0041
EPSS Percentile 32.9%
Attack Vector LOCAL
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Details

CWE
CWE-200
Status published
Products (20)
libvirt/libvirt < 2.2
redhat/enterprise_linux 5
redhat/enterprise_linux 6.0
redhat/enterprise_linux_desktop 7.0
redhat/enterprise_linux_eus 7.3
redhat/enterprise_linux_eus 7.4
redhat/enterprise_linux_eus 7.5
redhat/enterprise_linux_eus 7.6
redhat/enterprise_linux_server 7.0
redhat/enterprise_linux_server_aus 7.3
... and 10 more
Published Aug 20, 2018
Tracked Since Feb 18, 2026