Vulnerability Details : CVE-2020-14339
A flaw was found in libvirt, where it leaked a file descriptor for `/dev/mapper/control` into the QEMU process. This file descriptor allows for privileged operations to happen against the device-mapper on the host. This flaw allows a malicious guest user or process to perform operations outside of their standard permissions, potentially causing serious damage to the host operating system. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
Products affected by CVE-2020-14339
- cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:advanced_virtualization:*:*:*
- cpe:2.3:a:redhat:libvirt:*:*:*:*:*:*:*:*
Threat overview for CVE-2020-14339
- Top open port discovered on systems with this issue: 53
- IPs affected by CVE-2020-14339: 61,437
- Threat actors abusing this issue? Yes
Exploit prediction scoring system (EPSS) score for CVE-2020-14339
- EPSS score: 0.04% (probability of exploitation activity in the next 30 days)
- Percentile: ~10% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2020-14339
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.2 | HIGH | AV:L/AC:L/Au:N/C:C/I:C/A:C | 3.9 | 10.0 | NIST | |
8.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H | 2.0 | 6.0 | NIST | |
CWE ids for CVE-2020-14339
- The product does not release a resource after its effective lifetime has ended, i.e., after the resource is no longer needed.
  Assigned by:
  - nvd@nist.gov (Secondary)
  - secalert@redhat.com (Primary)
References for CVE-2020-14339
- https://security.gentoo.org/glsa/202210-06
  libvirt: Multiple Vulnerabilities (GLSA 202210-06) — Gentoo security (Third Party Advisory)
- https://security.gentoo.org/glsa/202101-22
  libvirt: Unintended access to /dev/mapper/control (GLSA 202101-22) — Gentoo security (Third Party Advisory)
- https://bugzilla.redhat.com/show_bug.cgi?id=1860069
  1860069 – (CVE-2020-14339) CVE-2020-14339 libvirt: leak of /dev/mapper/control into QEMU guests (Issue Tracking; Patch; Third Party Advisory)