CVE-2013-4401

2013-11-0218:55:03

CWE-264

redhat

web.nvd.nist.gov

libvirt

cve-2013-4401

information security

vulnerability

api

nvd

CVSS2

8.5

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:S/C:C/I:C/A:C

AI Score

8.6

Confidence

High

EPSS

0.004

Percentile

73.3%

JSON

The virConnectDomainXMLToNative API function in libvirt 1.1.0 through 1.1.3 checks for the connect:read permission instead of the connect:write permission, which allows attackers to gain domain:write privileges and execute Qemu binaries via crafted XML. NOTE: some of these details are obtained from third party information.

Affected configurations

Nvd

Node

redhatlibvirtMatch1.1.0

redhatlibvirtMatch1.1.1

redhatlibvirtMatch1.1.2

redhatlibvirtMatch1.1.3

VendorProductVersionCPE
redhatlibvirt1.1.1cpe:/a:redhat:libvirt:1.1.1:::
redhatlibvirt1.1.2cpe:/a:redhat:libvirt:1.1.2:::
redhatlibvirt1.1.0cpe:/a:redhat:libvirt:1.1.0:::
redhatlibvirt1.1.3cpe:/a:redhat:libvirt:1.1.3:::

Vendor	Product	Version	CPE
redhat	libvirt	1.1.1	cpe:/a:redhat:libvirt:1.1.1:::
redhat	libvirt	1.1.2	cpe:/a:redhat:libvirt:1.1.2:::
redhat	libvirt	1.1.0	cpe:/a:redhat:libvirt:1.1.0:::
redhat	libvirt	1.1.3	cpe:/a:redhat:libvirt:1.1.3:::