CVE-2020-14301

MEDIUM

libvirt < 6.3.0 - Information Disclosure via HTTP Cookie Exposure in dumpxml Command

Title source: llm
STIX 2.1

Description

An information disclosure vulnerability was found in libvirt in versions before 6.3.0. HTTP cookies used to access network-based disks were saved in the XML dump of the guest domain. This flaw allows an attacker to access potentially sensitive information in the domain configuration via the `dumpxml` command.

References (2)

Core 2
Core References
Issue Tracking, Patch, Vendor Advisory x_refsource_misc
https://bugzilla.redhat.com/show_bug.cgi?id=1848640
Third Party Advisory x_refsource_confirm
https://security.netapp.com/advisory/ntap-20210629-0007/

Scores

CVSS v3 6.5
EPSS 0.0120
EPSS Percentile 64.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Details

CWE
CWE-212
Status published
Products (13)
netapp/ontap_select_deploy_administration_utility
redhat/codeready_linux_builder
redhat/enterprise_linux 8.0
redhat/enterprise_linux_eus 8.4
redhat/enterprise_linux_for_ibm_z_systems 8.0
redhat/enterprise_linux_for_ibm_z_systems_eus 8.4
redhat/enterprise_linux_for_power_little_endian 8.0
redhat/enterprise_linux_for_power_little_endian_eus 8.4
redhat/enterprise_linux_server_aus 8.4
redhat/enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions 8.4
... and 3 more
Published May 27, 2021
Tracked Since Feb 18, 2026