CVSS2: 6.9 Medium
Vector: AV:L/AC:M/Au:N/C:C/I:C/A:C
  Attack Vector: LOCAL
  Attack Complexity: MEDIUM
  Authentication: NONE
  Confidentiality Impact: COMPLETE
  Integrity Impact: COMPLETE
  Availability Impact: COMPLETE
EPSS: 0.0004 Low (Percentile: 5.1%)
The qemu guest agent creates files with insecure permissions when started in daemon mode.
The qemu guest agent is not used by default in Xen systems.
If it is used in a particular guest, unprivileged guest processes might be able to escalate their privilege to that of the guest.
We are not aware of any Xen installations using the qemu guest agent.
However, the program is built and installed (as the executable 'qemu-ga') as part of the Xen management tools by the Xen build system. It is possible that a system administrator, or downstream system integrator, might have arranged to execute qemu-ga.
If you have not taken steps to run qemu-ga, you are not vulnerable.
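
The advisory does not describe the mechanism behind the insecure permissions. As an added illustration (not code from QEMU or from this advisory), the C program below assumes one common daemonization pattern, clearing the umask before creating a file, and compares the resulting mode with a create that requests owner-only permissions explicitly. The function names and temporary paths are constructed for the example.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Assumed pattern: the daemon clears its umask, then creates a file via
 * stdio, which requests mode 0666. Returns the permission bits or -1. */
static int naive_create_mode(const char *path)
{
    struct stat st;
    mode_t old = umask(0);            /* typical "become a daemon" step */
    FILE *f = fopen(path, "w");       /* effective mode: 0666 & ~umask  */
    umask(old);
    if (!f) return -1;
    fclose(f);
    return stat(path, &st) == 0 ? (int)(st.st_mode & 0777) : -1;
}

/* Hardened create: the mode is stated explicitly, so it does not depend
 * on the umask; O_EXCL refuses a pre-existing file or symlink. */
static int hardened_create_mode(const char *path)
{
    struct stat st;
    int mode = -1;
    mode_t old = umask(0);            /* same hostile starting condition */
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, S_IRUSR | S_IWUSR);
    umask(old);
    if (fd < 0) return -1;
    if (fstat(fd, &st) == 0) mode = (int)(st.st_mode & 0777);
    close(fd);
    return mode;
}

/* Creates both files in a private temporary directory (constructed path),
 * reports their modes through the out-parameters, then cleans up. */
int compare_modes(int *naive, int *hardened)
{
    char dir[] = "/tmp/ga-perm-demo-XXXXXX", a[64], b[64];
    if (!mkdtemp(dir)) return -1;
    snprintf(a, sizeof a, "%s/naive.pid", dir);
    snprintf(b, sizeof b, "%s/hardened.pid", dir);
    *naive = naive_create_mode(a);
    *hardened = hardened_create_mode(b);
    unlink(a); unlink(b); rmdir(dir);
    return 0;
}
```

A file created the first way is writable by every local user, which is the condition the advisory warns about for unprivileged guest processes; the second stays owner-only regardless of the inherited umask.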