5.7 Medium
CVSS3
Attack Vector
ADJACENT_NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
2.7 Low
CVSS2
Access Vector
ADJACENT_NETWORK
Access Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:A/AC:L/Au:S/C:N/I:N/A:P
0.0005 Low
EPSS
Percentile
16.5%
qemu/qemu_driver.c in libvirt before 6.0.0 mishandles the holding of a
monitor job during a query to a guest agent, which allows attackers to
cause a denial of service (API blockage).
Author | Note |
---|---|
mdeslaur | it appears this CVE is only for the suspend job because it is the only one that doesn’t require write permissions. In libvirt in bionic and older, there was no support for running both agent monitor jobs and normal monitor jobs at the same. Support for doing so was introduced in the following commit: https://gitlab.com/libvirt/libvirt/-/commit/4621350f6d3dbca57bbd97829ff5d4efc3a51c97 As such, it would not appear that a malicious guest agent would be able to block jobs in bionic and earlier, so marking as not-affected. |
5.7 Medium
CVSS3
Attack Vector
ADJACENT_NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
2.7 Low
CVSS2
Access Vector
ADJACENT_NETWORK
Access Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:A/AC:L/Au:S/C:N/I:N/A:P
0.0005 Low
EPSS
Percentile
16.5%