8.8

CVE-2020-14339

EPSS 0.07%
Published 03.12.2020 17:15:12
Last modified 21.11.2024 05:03:02
Source secalert@redhat.com
Teams watchlist Login
Open Login

A flaw was found in libvirt, where it leaked a file descriptor for `/dev/mapper/control` into the QEMU process. This file descriptor allows for privileged operations to happen against the device-mapper on the host. This flaw allows a malicious guest user or process to perform operations outside of their standard permissions, potentially causing serious damage to the host operating system. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.

Affected products Warnungen 0 Metrics 3 CWE 1 References 6

Data is provided by the National Vulnerability Database (NVD)

Redhat ≫ Libvirt Version >= 6.2.0 < 6.7.0

Redhat ≫ Enterprise Linux Version8.0 SwEditionadvanced_virtualization

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.07%	0.224

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	8.8	2	6	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
nvd@nist.gov	7.2	3.9	10	AV:L/AC:L/Au:N/C:C/I:C/A:C

CWE-772 Missing Release of Resource after Effective Lifetime

The product does not release a resource after its effective lifetime has ended, i.e., after the resource is no longer needed.

https://security.gentoo.org/glsa/202210-06

Third Party Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=1860069

Patch

Third Party Advisory

Issue Tracking

https://security.gentoo.org/glsa/202101-22

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2020-14339

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2020-14339

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2020-14339

EUVD