CVE-2018-16867
HIGHqemu < 3.1.0 - Path Traversal and Arbitrary File Write via MTP Filename Sanitization
Title source: llmDescription
A flaw was found in qemu Media Transfer Protocol (MTP) before version 3.1.0. A path traversal in the in usb_mtp_write_data function in hw/usb/dev-mtp.c due to an improper filename sanitization. When the guest device is mounted in read-write mode, this allows to read/write arbitrary files which may lead do DoS scenario OR possibly lead to code execution on the host.
References (5)
Core 5
Core References
Issue Tracking, Patch, Third Party Advisory x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16867
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/106195
Mailing List, Patch, Third Party Advisory mailing-list
x_refsource_mlist
https://www.openwall.com/lists/oss-security/2018/12/06/1
Mailing List, Third Party Advisory vendor-advisory
x_refsource_fedora
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CGCFIFSIWUREEQQOZDZFBYKWZHXCWBZN/
Third Party Advisory vendor-advisory
x_refsource_ubuntu
https://usn.ubuntu.com/3923-1/
Scores
CVSS v3
7.8
EPSS
0.0014
EPSS Percentile
33.9%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Details
CWE
CWE-362
Status
published
Products (7)
canonical/ubuntu_linux
14.04
canonical/ubuntu_linux
16.04
canonical/ubuntu_linux
18.04
canonical/ubuntu_linux
18.10
fedoraproject/fedora
29
qemu/qemu
3.1.0 rc0 (4 CPE variants)
qemu/qemu
< 3.0.0
Published
Dec 12, 2018
Tracked Since
Feb 18, 2026