CVE-2020-14301

CVE Details

Release Date:	2021-05-27
Impact:	None	What is this?

Description

An information disclosure vulnerability was found in libvirt in versions before 6.3.0. HTTP cookies used to access network-based disks were saved in the XML dump of the guest domain. This flaw allows an attacker to access potentially sensitive information in the domain configuration via the dumpxml command.

See more information about CVE-2020-14301 from MITRE CVE dictionary and NIST NVD

NOTE: The following CVSS metrics and score provided are preliminary and subject to review.

CVSS v3 metrics

Base Score:	6.5
Vector String:	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Version:	3.0
Attack Vector:	Network
Attack Complexity:	Low
Privileges Required:	Low
User Interaction:	None
Scope:	Unchanged
Confidentiality Impact:	High
Integrity Impact:	None
Availability Impact:	None

Errata information

Platform	Errata	Release Date
Oracle Linux version 8 (hivex)	ELSA-2020-4676	2020-11-10
Oracle Linux version 8 (libguestfs)	ELSA-2020-4676	2020-11-10
Oracle Linux version 8 (libguestfs-winsupport)	ELSA-2020-4676	2020-11-10
Oracle Linux version 8 (libiscsi)	ELSA-2020-4676	2020-11-10
Oracle Linux version 8 (libnbd)	ELSA-2020-4676	2020-11-10
Oracle Linux version 8 (libvirt)	ELSA-2020-4676	2020-11-10
Oracle Linux version 8 (libvirt-dbus)	ELSA-2020-4676	2020-11-10
Oracle Linux version 8 (libvirt-python)	ELSA-2020-4676	2020-11-10
Oracle Linux version 8 (nbdkit)	ELSA-2020-4676	2020-11-10
Oracle Linux version 8 (netcf)	ELSA-2020-4676	2020-11-10
Oracle Linux version 8 (perl-Sys-Virt)	ELSA-2020-4676	2020-11-10
Oracle Linux version 8 (qemu-kvm)	ELSA-2020-4676	2020-11-10
Oracle Linux version 8 (seabios)	ELSA-2020-4676	2020-11-10
Oracle Linux version 8 (sgabios)	ELSA-2020-4676	2020-11-10
Oracle Linux version 8 (supermin)	ELSA-2020-4676	2020-11-10