CVE-2020-10701

2021-05-2719:15:07

Google

osv.dev

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.1 High

AI Score

Confidence

High

8.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:S/C:C/I:C/A:C

0.196 Low

EPSS

Percentile

96.2%

JSON

A missing authorization flaw was found in the libvirt API responsible for changing the QEMU agent response timeout. This flaw allows read-only connections to adjust the time that libvirt waits for the QEMU guest agent to respond to agent commands. Depending on the timeout value that is set, this flaw can make guest agent commands fail because the agent cannot respond in time. Unprivileged users with a read-only connection could abuse this flaw to set the response timeout for all guest agent messages to zero, potentially leading to a denial of service. This flaw affects libvirt versions before 6.2.0.

CPENameOperatorVersion
libvirteq2.4.0-rc2
libvirteq0.7.0
libvirteq0.9.13
libvirteqCVE-2011-1146
libvirteqCVE-2014-1447-2
libvirteqCVE-2012-3445
libvirteqCVE-2012-4423
libvirteq1.1.1-rc1
libvirteq1.2.13
libvirteq1.3.4-rc2

Name	Operator	Version
libvirt	eq	2.4.0-rc2
libvirt	eq	0.7.0
libvirt	eq	0.9.13
libvirt	eq	CVE-2011-1146
libvirt	eq	CVE-2014-1447-2
libvirt	eq	CVE-2012-3445
libvirt	eq	CVE-2012-4423
libvirt	eq	1.1.1-rc1
libvirt	eq	1.2.13
libvirt	eq	1.3.4-rc2