CVE-2019-8934

LOW

Qemu < 3.1.0 - Exposure to Wrong Actor

Title source: rule

Description

hw/ppc/spapr.c in QEMU through 3.1.0 allows Information Exposure because the hypervisor shares the /proc/device-tree/system-id and /proc/device-tree/model system attributes with a guest.

References (6)

[Mailing List, Third Party Advisory] http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00094.html

[Mailing List, Third Party Advisory] http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00040.html

[Mailing List, Patch] http://www.openwall.com/lists/oss-security/2019/02/21/1

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/107115

[Exploit, Mailing List, Patch, Third Party Advisory] https://lists.gnu.org/archive/html/qemu-devel/2019-02/msg04821.html

[Third Party Advisory] https://security.netapp.com/advisory/ntap-20190411-0006/

Scores

CVSS v3 3.3

EPSS 0.0010

EPSS Percentile 28.1%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Classification

CWE

CWE-668

Status published

Affected Products (3)

qemu/qemu < 3.1.0

opensuse/leap

Timeline

Published Mar 21, 2019

Tracked Since Feb 18, 2026