CVE-2021-3667

2022-03-0223:15:08

Google

osv.dev

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.2 High

AI Score

Confidence

High

8.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:S/C:C/I:C/A:C

0.196 Low

EPSS

Percentile

96.2%

JSON

An improper locking issue was found in the virStoragePoolLookupByTargetPath API of libvirt. It occurs in the storagePoolLookupByTargetPath function where a locked virStoragePoolObj object is not properly released on ACL permission failure. Clients connecting to the read-write socket with limited ACL permissions could use this flaw to acquire the lock and prevent other users from accessing storage pool/volume APIs, resulting in a denial of service condition. The highest threat from this vulnerability is to system availability.

CPENameOperatorVersion
libvirteq2.4.0-rc2
libvirteq0.7.0
libvirteq0.9.13
libvirteqCVE-2011-1146
libvirteqCVE-2014-1447-2
libvirteqCVE-2012-3445
libvirteqCVE-2012-4423
libvirteq7.2.0-rc2
libvirteq7.0.0-rc1
libvirteq7.4.0

Name	Operator	Version
libvirt	eq	2.4.0-rc2
libvirt	eq	0.7.0
libvirt	eq	0.9.13
libvirt	eq	CVE-2011-1146
libvirt	eq	CVE-2014-1447-2
libvirt	eq	CVE-2012-3445
libvirt	eq	CVE-2012-4423
libvirt	eq	7.2.0-rc2
libvirt	eq	7.0.0-rc1
libvirt	eq	7.4.0