Vulnerability Details : CVE-2020-10761
An assertion failure issue was found in the Network Block Device(NBD) Server in all QEMU versions before QEMU 5.0.1. This flaw occurs when an nbd-client sends a spec-compliant request that is near the boundary of maximum permitted request length. A remote nbd-client could use this flaw to crash the qemu-nbd server resulting in a denial of service.
Vulnerability category: Denial of service
Products affected by CVE-2020-10761
- cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:advanced_virtualization:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:*
- cpe:2.3:a:qemu:qemu:*:*:*:*:*:*:*:*
- cpe:2.3:o:opensuse:leap:15.2:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2020-10761
0.12%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 46 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2020-10761
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.0
|
MEDIUM | AV:N/AC:L/Au:S/C:N/I:N/A:P |
8.0
|
2.9
|
NIST | |
5.0
|
MEDIUM | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L |
3.1
|
1.4
|
Red Hat, Inc. | |
5.0
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L |
3.1
|
1.4
|
NIST |
CWE ids for CVE-2020-10761
-
The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary.Assigned by:
- nvd@nist.gov (Primary)
- secalert@redhat.com (Secondary)
References for CVE-2020-10761
-
https://www.openwall.com/lists/oss-security/2020/06/09/1
oss-security - CVE-2020-10761 QEMU: nbd: reachable assertion failure innbd_negotiate_send_rep_verr via remote clientMailing List;Patch;Third Party Advisory
-
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10761
1843707 – (CVE-2020-10761) CVE-2020-10761 QEMU: nbd: reachable assertion failure in nbd_negotiate_send_rep_verr via remote clientIssue Tracking;Third Party Advisory
-
http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00086.html
[security-announce] openSUSE-SU-2020:1108-1: important: Security updateMailing List;Third Party Advisory
-
https://security.gentoo.org/glsa/202011-09
QEMU: Multiple vulnerabilities (GLSA 202011-09) — Gentoo securityThird Party Advisory
-
https://security.netapp.com/advisory/ntap-20200731-0001/
CVE-2020-10761 QEMU Vulnerability in NetApp Products | NetApp Product SecurityThird Party Advisory
-
https://usn.ubuntu.com/4467-1/
USN-4467-1: QEMU vulnerabilities | Ubuntu security notices | UbuntuThird Party Advisory
Jump to