Vulnerability Details : CVE-2013-4401
The virConnectDomainXMLToNative API function in libvirt 1.1.0 through 1.1.3 checks for the connect:read permission instead of the connect:write permission, which allows attackers to gain domain:write privileges and execute Qemu binaries via crafted XML. NOTE: some of these details are obtained from third party information.
Products affected by CVE-2013-4401
- cpe:2.3:a:redhat:libvirt:1.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:libvirt:1.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:libvirt:1.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:libvirt:1.1.3:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2013-4401
0.39%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 70 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2013-4401
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
8.5 | HIGH | AV:N/AC:M/Au:S/C:C/I:C/A:C | 6.8 | 10.0 | NIST | |
CWE ids for CVE-2013-4401
- Assigned by: nvd@nist.gov (Primary)
References for CVE-2013-4401
- [USN-2026-1: libvirt vulnerability | Ubuntu security notices](http://www.ubuntu.com/usn/USN-2026-1)
- [1015259 – (CVE-2013-4401) CVE-2013-4401 libvirt: unintended API access due to incorrect permissions checks](https://bugzilla.redhat.com/show_bug.cgi?id=1015259) (Patch)
- [Maintenance Releases - Libvirt Wiki](http://wiki.libvirt.org/page/Maintenance_Releases)
- [libvirt: Multiple vulnerabilities (GLSA 201412-04) — Gentoo security](http://security.gentoo.org/glsa/glsa-201412-04.xml)
- [libvirt API Access Control Flaw Lets Remote Authenticated Users Deny Service - SecurityTracker](http://www.securitytracker.com/id/1029241)
- [libvirt.org Git](http://libvirt.org/git/?p=libvirt.git%3Ba=commit%3Bh=57687fd6bf7f6e1b3662c52f3f26c06ab19dc96c)