Improper Access Control Affecting qemu-img package, versions <15:2.12.0-64.module+el8.0.0.z+3418+a72cf898.2
Snyk ID: SNYK-CENTOS8-QEMUIMG-1985456
- published 26 Jul 2021
- disclosed 20 Jun 2019
How to fix?
Upgrade Centos:8 qemu-img to version 15:2.12.0-64.module+el8.0.0.z+3418+a72cf898.2 or higher.
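Deciding whether an installed build is "lower" than the fixed version above is an RPM epoch:version-release comparison, not a plain string or semver comparison (note the epoch `15` and the `.module+...` release suffix). The following Python is an added example, not Snyk's or CentOS's own code: it ports rpm's segment comparison and applies it to constructed sample version strings.

```python
import re

# Fixed CentOS 8 build quoted in the advisory above (the epoch 15 matters)
FIXED_EVR = "15:2.12.0-64.module+el8.0.0.z+3418+a72cf898.2"

def split_evr(evr):
    """Split 'epoch:version-release' into (int epoch, version, release).
    A missing epoch or rpm's '(none)' counts as 0, as rpm itself treats it."""
    epoch, rest = evr.split(":", 1) if ":" in evr else ("0", evr)
    epoch = 0 if epoch == "(none)" else int(epoch)
    version, release = rest.rsplit("-", 1) if "-" in rest else (rest, "")
    return epoch, version, release

def rpmvercmp(a, b):
    """Port of rpm's segment comparison: split into digit runs, letter runs
    and '~'; numeric beats alpha, '~' sorts before anything (even the end),
    and with equal prefixes the string with more segments is newer."""
    ta = re.findall(r"[0-9]+|[a-zA-Z]+|~", a)
    tb = re.findall(r"[0-9]+|[a-zA-Z]+|~", b)
    for x, y in zip(ta, tb):
        if x == "~" or y == "~":
            if x != y:
                return -1 if x == "~" else 1
            continue
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        if x.isdigit():
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    if len(ta) == len(tb):
        return 0
    longer, sign = (ta, 1) if len(ta) > len(tb) else (tb, -1)
    # A trailing '~' segment makes the longer string the older one
    return -sign if longer[min(len(ta), len(tb))] == "~" else sign

def compare_evr(a, b):
    """-1, 0 or 1 like rpm: epoch first, then version, then release."""
    ea, va, ra = split_evr(a)
    eb, vb, rb = split_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def is_vulnerable(installed_evr, fixed_evr=FIXED_EVR):
    """True when the installed build sorts below the fixed build."""
    return compare_evr(installed_evr, fixed_evr) < 0

if __name__ == "__main__":
    # Constructed sample values; only FIXED_EVR is a real CentOS build
    for evr in ("15:2.12.0-64.module+el8.0.0.z+3418+a72cf898.1", "2.12.0-99", FIXED_EVR):
        print(evr, "->", "vulnerable" if is_vulnerable(evr) else "fixed")
```

On a CentOS 8 host the installed string comes from `rpm -q --qf '%{EPOCH}:%{VERSION}-%{RELEASE}\n' qemu-img`, which prints `(none)` for a missing epoch.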
NVD Description
Note: Versions mentioned in the description apply only to the upstream qemu-img package and not the qemu-img package as distributed by Centos.
See "How to fix?" above for the Centos:8 fixed version and status.
The virConnectGetDomainCapabilities() libvirt API, versions 4.x.x before 4.10.1 and 5.x.x before 5.4.1, accepts an "emulatorbin" argument to specify the program providing emulation for a domain. Since v1.2.19, libvirt will execute that program to probe the domain's capabilities. Read-only clients could specify an arbitrary path for this argument, causing libvirtd to execute a crafted executable with its own privileges.