Description
It was discovered that libvirtd before versions 4.10.1 and 5.4.1 would permit read-only clients to use the virDomainSaveImageGetXMLDesc() API, specifying an arbitrary path which would be accessed with the permissions of the libvirtd process. An attacker with access to the libvirtd socket could use this to probe the existence of arbitrary files, cause denial of service or cause libvirtd to execute arbitrary programs.
References (5)
Core 5
Core References
Issue Tracking, Patch, Third Party Advisory x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10161
Third Party Advisory x_refsource_confirm
https://access.redhat.com/libvirt-privesc-vulnerabilities
Various Sources x_refsource_confirm
https://libvirt.org/git/?p=libvirt.git%3Ba=commit%3Bh=aed6a032cead4386472afb24b16196579e239580
Third Party Advisory vendor-advisory
x_refsource_ubuntu
https://usn.ubuntu.com/4047-2/
Third Party Advisory vendor-advisory
x_refsource_gentoo
https://security.gentoo.org/glsa/202003-18
Scores
CVSS v3
7.8
EPSS
0.0026
EPSS Percentile
49.2%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-284
CWE-862
CWE-22
Status
published
Products (7)
canonical/ubuntu_linux
14.04
redhat/enterprise_linux
6.0
redhat/enterprise_linux
7.0
redhat/enterprise_linux
8.0
redhat/libvirt
< 4.10.1
redhat/virtualization
4.0
redhat/virtualization_host
4.0
Published
Jul 30, 2019
Tracked Since
Feb 18, 2026