CVE-2019-3886 - OpenCVE

An incorrect permissions check was discovered in libvirt 4.8.0 and above. The readonly permission was allowed to invoke APIs depending on the guest agent, which could lead to potentially disclosing unintended information or denial of service by causing libvirt to block.

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact Low

User Interaction None

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact Low

User Interaction None

Access Vector Adjacent Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact Partial

AV:A/AC:L/Au:N/C:P/I:N/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Opensuse	Leap
Redhat	Libvirt
Fedoraproject	Fedora

Configuration 1 [-]

cpe:2.3:a:redhat:libvirt:*:*:*:*:*:*:*:*

Configuration 2 [-]

cpe:2.3:o:opensuse:leap:42.3:*:*:*:*:*:*:*

Configuration 3 [-]

OR	cpe:2.3:o:fedoraproject:fedora:29:::::::*
	cpe:2.3:o:fedoraproject:fedora:30:::::::*

References

Link	Resource
http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00105.html	Mailing List Third Party Advisory
http://www.securityfocus.com/bid/107777	Third Party Advisory VDB Entry
https://access.redhat.com/errata/RHBA-2019:3723	Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3886	Exploit Issue Tracking Patch Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CYMNKXAUBZCFBBPFH64FJPH5EJH4GSU2/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R5DHYIFECZ7BMVXK4EP4FDFZXK7I5MZH/
https://usn.ubuntu.com/4021-1/	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: redhat

Published: 2019-04-04T00:00:00

Updated: 2022-10-07T00:00:00

Reserved: 2019-01-03T00:00:00

Link: CVE-2019-3886

JSON object: View

NVD Information

Status : Modified

Published: 2019-04-04T16:29:03.430

Modified: 2023-02-12T23:38:40.910

Link: CVE-2019-3886

JSON object: View

Redhat Information

No data.

CWE

CWE-862

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2019-3886", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "dateUpdated": "2022-10-07T00:00:00", "dateReserved": "2019-01-03T00:00:00", "datePublished": "2019-04-04T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2022-10-07T00:00:00"}, "descriptions": [{"lang": "en", "value": "An incorrect permissions check was discovered in libvirt 4.8.0 and above. The readonly permission was allowed to invoke APIs depending on the guest agent, which could lead to potentially disclosing unintended information or denial of service by causing libvirt to block."}], "affected": [{"vendor": "The libvirt Project", "product": "libvirt", "versions": [{"version": "4.8.0 and above", "status": "affected"}]}], "references": [{"name": "107777", "tags": ["vdb-entry"], "url": "http://www.securityfocus.com/bid/107777"}, {"name": "openSUSE-SU-2019:1294", "tags": ["vendor-advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00105.html"}, {"name": "USN-4021-1", "tags": ["vendor-advisory"], "url": "https://usn.ubuntu.com/4021-1/"}, {"name": "FEDORA-2019-b2dfb13daf", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R5DHYIFECZ7BMVXK4EP4FDFZXK7I5MZH/"}, {"name": "FEDORA-2019-9210998aaa", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CYMNKXAUBZCFBBPFH64FJPH5EJH4GSU2/"}, {"name": "RHBA-2019:3723", "tags": ["vendor-advisory"], "url": "https://access.redhat.com/errata/RHBA-2019:3723"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3886"}], "metrics": [{"cvssV3_0": {"version": "3.0", "vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L", "attackVector": "ADJACENT_NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "LOW", "baseScore": 5.4, "baseSeverity": "MEDIUM"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-862", "cweId": "CWE-862"}]}]}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:libvirt:*:*:*:*:*:*:*:*", "matchCriteriaId": "D6E44C87-EA6E-4EA1-B908-8C13B298D6A2", "versionEndExcluding": "5.3.0", "versionStartIncluding": "4.8.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:opensuse:leap:42.3:*:*:*:*:*:*:*", "matchCriteriaId": "5F65DAB0-3DAD-49FF-BC73-3581CC3D5BF3", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:29:*:*:*:*:*:*:*", "matchCriteriaId": "D100F7CE-FC64-4CC6-852A-6136D72DA419", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*", "matchCriteriaId": "97A4B8DF-58DA-4AB6-A1F9-331B36409BA3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "An incorrect permissions check was discovered in libvirt 4.8.0 and above. The readonly permission was allowed to invoke APIs depending on the guest agent, which could lead to potentially disclosing unintended information or denial of service by causing libvirt to block."}, {"lang": "es", "value": "Se ha descubierto una comprobaci\u00f3n de permisos incorrecta en versiones de libvirt 4.8.0 y superiores. Se ha permitido que el permiso de solo lectura invoque API dependiendo del agente invitado, lo que podr\u00eda conducir a una potencial divulgaci\u00f3n de informaci\u00f3n no intencionada o una denegaci\u00f3n de servicio (DoS) provocando un bloqueo de libvirt."}], "id": "CVE-2019-3886", "lastModified": "2023-02-12T23:38:40.910", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:A/AC:L/Au:N/C:P/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 6.5, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "LOW", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "secalert@redhat.com", "type": "Secondary"}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "LOW", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-04-04T16:29:03.430", "references": [{"source": "secalert@redhat.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00105.html"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/107777"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHBA-2019:3723"}, {"source": "secalert@redhat.com", "tags": ["Exploit", "Issue Tracking", "Patch", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3886"}, {"source": "secalert@redhat.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CYMNKXAUBZCFBBPFH64FJPH5EJH4GSU2/"}, {"source": "secalert@redhat.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R5DHYIFECZ7BMVXK4EP4FDFZXK7I5MZH/"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://usn.ubuntu.com/4021-1/"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "secalert@redhat.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-862"}], "source": "nvd@nist.gov", "type": "Secondary"}]}