OS Command Injection Affecting qemu package, versions *


low

Snyk CVSS

    Attack Complexity Low
    Confidentiality High
    Integrity High
    Availability High

    Threat Intelligence

    EPSS 0.47% (75th percentile)
Expand this section
NVD
9.8 critical
Expand this section
Red Hat
0 info

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-DEBIAN12-QEMU-1558233
  • published 1 Jul 2019
  • disclosed 24 Jun 2019

How to fix?

There is no fixed version for Debian:12 qemu.

NVD Description

Note: Versions mentioned in the description apply only to the upstream qemu package and not the qemu package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

The QMP guest_exec command in QEMU 4.0.0 and earlier is prone to OS command injection, which allows the attacker to achieve code execution, denial of service, or information disclosure by sending a crafted QMP command to the listening server. Note: This has been disputed as a non-issue since QEMU's -qmp interface is meant to be used by trusted users. If one is able to access this interface via a tcp socket open to the internet, then it is an insecure configuration issue

References