CVE-2017-1000256
Severity: HIGH
libvirt 2.3.0-3.8.0 - Improper Certificate Validation via QEMU verify-peer=no Default
Title source: llmDescription
libvirt version 2.3.0 and later is vulnerable to a bad default configuration of "verify-peer=no" passed to QEMU by libvirt resulting in a failure to validate SSL/TLS certificates by default.
References (4)
Issue Tracking, Vendor Advisory (x_refsource_confirm): https://access.redhat.com/security/cve/CVE-2017-1000256
Issue Tracking, Vendor Advisory, mailing list (x_refsource_mlist): https://www.redhat.com/archives/libvirt-announce/2017-October/msg00001.html
Mailing List (x_refsource_misc): https://www.mail-archive.com/debian-bugs-dist%40lists.debian.org/msg1556251.html
Third Party Advisory, vendor advisory (x_refsource_debian): http://www.debian.org/security/2017/dsa-4003
Scores
CVSS v3: 8.1
EPSS: 0.0170
EPSS Percentile: 74.2%
Attack Vector: NETWORK
Vector string: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE: CWE-295
Status: published
Products (2):
debian/debian_linux 9.0
redhat/libvirt 2.3.0 - 3.9.0
Published: Oct 31, 2017
Tracked Since: Feb 18, 2026