libvirt 1.0.0 through 1.2.x before 1.2.5, when fine grained access control is enabled, allows local users to read arbitrary files via a crafted XML document containing an XML external entity declaration in conjunction with an entity reference to the (1) virDomainDefineXML, (2) virNetworkCreateXML, (3) virNetworkDefineXML, (4) virStoragePoolCreateXML, (5) virStoragePoolDefineXML, (6) virStorageVolCreateXML, (7) virDomainCreateXML, (8) virNodeDeviceCreateXML, (9) virInterfaceDefineXML, (10) virStorageVolCreateXMLFrom, (11) virConnectDomainXMLFromNative, (12) virConnectDomainXMLToNative, (13) virSecretDefineXML, (14) virNWFilterDefineXML, (15) virDomainSnapshotCreateXML, (16) virDomainSaveImageDefineXML, (17) virDomainCreateXMLWithFiles, (18) virConnectCompareCPU, or (19) virConnectBaselineCPU API method, related to an XML External Entity (XXE) issue. NOTE: this issue was SPLIT from CVE-2014-0179 per ADT3 due to different affected versions of some vectors.

No CVSS v3.1

No CVSS v3.0

Access Vector Local

Access Complexity High

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:L/AC:H/Au:N/C:P/I:N/A:N
Vendors Products
Redhat
  • Enterprise Linux
  • Enterprise Virtualization
  • Libvirt
Opensuse
  • Opensuse

Configuration 1 [-]

OR cpe:2.3:a:redhat:enterprise_virtualization:3.0:*:*:*:*:*:*:*
cpe:2.3:o:opensuse:opensuse:12.3:*:*:*:*:*:*:*
cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*

Configuration 2 [-]

OR cpe:2.3:a:redhat:libvirt:1.0.0:*:*:*:*:*:*:*
cpe:2.3:a:redhat:libvirt:1.0.1:*:*:*:*:*:*:*
cpe:2.3:a:redhat:libvirt:1.0.2:*:*:*:*:*:*:*
cpe:2.3:a:redhat:libvirt:1.0.3:*:*:*:*:*:*:*
cpe:2.3:a:redhat:libvirt:1.0.4:*:*:*:*:*:*:*
cpe:2.3:a:redhat:libvirt:1.0.5:*:*:*:*:*:*:*
cpe:2.3:a:redhat:libvirt:1.0.5.1:*:*:*:*:*:*:*
cpe:2.3:a:redhat:libvirt:1.0.5.2:*:*:*:*:*:*:*
cpe:2.3:a:redhat:libvirt:1.0.5.3:*:*:*:*:*:*:*
cpe:2.3:a:redhat:libvirt:1.0.5.4:*:*:*:*:*:*:*
cpe:2.3:a:redhat:libvirt:1.0.5.5:*:*:*:*:*:*:*
cpe:2.3:a:redhat:libvirt:1.0.5.6:*:*:*:*:*:*:*
cpe:2.3:a:redhat:libvirt:1.0.6:*:*:*:*:*:*:*
cpe:2.3:a:redhat:libvirt:1.1.0:*:*:*:*:*:*:*
cpe:2.3:a:redhat:libvirt:1.1.1:*:*:*:*:*:*:*
cpe:2.3:a:redhat:libvirt:1.1.2:*:*:*:*:*:*:*
cpe:2.3:a:redhat:libvirt:1.1.3:*:*:*:*:*:*:*
cpe:2.3:a:redhat:libvirt:1.1.4:*:*:*:*:*:*:*
cpe:2.3:a:redhat:libvirt:1.2.0:*:*:*:*:*:*:*
cpe:2.3:a:redhat:libvirt:1.2.1:*:*:*:*:*:*:*
cpe:2.3:a:redhat:libvirt:1.2.2:*:*:*:*:*:*:*
cpe:2.3:a:redhat:libvirt:1.2.3:*:*:*:*:*:*:*
cpe:2.3:a:redhat:libvirt:1.2.4:*:*:*:*:*:*:*
References
Link Resource
http://libvirt.org/news.html
http://lists.opensuse.org/opensuse-updates/2014-05/msg00048.html
http://lists.opensuse.org/opensuse-updates/2014-05/msg00052.html
http://rhn.redhat.com/errata/RHSA-2014-0560.html
http://secunia.com/advisories/60895
http://security.gentoo.org/glsa/glsa-201412-04.xml
http://security.libvirt.org/2014/0003.html Patch Vendor Advisory
http://www.ubuntu.com/usn/USN-2366-1
History

No history.

cve-icon MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2014-08-03T18:00:00

Updated: 2014-12-12T13:57:01

Reserved: 2014-08-03T00:00:00

Link: CVE-2014-5177

JSON object: View

cve-icon NVD Information

Status : Modified

Published: 2014-08-03T18:55:05.693

Modified: 2019-04-22T17:48:00.643

Link: CVE-2014-5177

JSON object: View

cve-icon Redhat Information

No data.

CWE