CVE-2020-14301 - Vulnerability Details

An information disclosure vulnerability was found in libvirt in versions before 6.3.0. HTTP cookies used to access network-based disks were saved in the XML dump of the guest domain. This flaw allows an attacker to access potentially sensitive information in the domain configuration via the `dumpxml` command.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Netapp	Ontap Select Deploy Administration Utility
Redhat	Advanced Virtualization Codeready Linux Builder Enterprise Linux Enterprise Linux Eus Enterprise Linux For Ibm Z Systems Enterprise Linux For Ibm Z Systems Eus Enterprise Linux For Power Little Endian Enterprise Linux For Power Little Endian Eus Enterprise Linux Server Aus Enterprise Linux Server For Power Little Endian Update Services For Sap Solutions Enterprise Linux Server Update Services For Sap Solutions Enterprise Linux Tus Libvirt

Configuration 1 [-]

cpe:2.3:a:redhat:libvirt:*:*:*:*:*:*:*:*

Configuration 2 [-]

OR	cpe:2.3:o:redhat:enterprise_linux:8.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux_eus:8.4:::::::*
	cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems:8.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems_eus:8.4:::::::*
	cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian:8.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian_eus:8.4:::::::*
	cpe:2.3:o:redhat:enterprise_linux_server_aus:8.4:::::::*
	cpe:2.3:o:redhat:enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions:8.4:::::::*
	cpe:2.3:o:redhat:enterprise_linux_server_update_services_for_sap_solutions:8.4:::::::*
	cpe:2.3:o:redhat:enterprise_linux_tus:8.4:::::::*

Configuration 3 [-]

cpe:2.3:a:netapp:ontap_select_deploy_administration_utility:-:*:*:*:*:*:*:*

Configuration 4 [-]

AND

cpe:2.3:a:redhat:codeready_linux_builder:-:*:*:*:*:*:*:*

OR	cpe:2.3:o:redhat:enterprise_linux:8.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux_eus:8.4:::::::*
	cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems:8.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems_eus:8.4:::::::*
	cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian:8.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian_eus:8.4:::::::*

Package	CPE	Advisory	Released Date
Advanced Virtualization for RHEL 8.2.1
virt:8.2-8020120200707202843.11e3e113	cpe:/a:redhat:advanced_virtualization:8.2::el8	RHBA-2020:3172	2020-07-28T00:00:00Z
virt-devel:8.2-8020120200707202843.11e3e113	cpe:/a:redhat:advanced_virtualization:8.2::el8	RHBA-2020:3172	2020-07-28T00:00:00Z
Red Hat Enterprise Linux 8
virt-devel:rhel-8030020200909014558.30b713e6	cpe:/a:redhat:enterprise_linux:8	RHSA-2020:4676	2020-11-04T00:00:00Z
virt:rhel-8030020200909014558.30b713e6	cpe:/a:redhat:enterprise_linux:8	RHSA-2020:4676	2020-11-04T00:00:00Z

References

Link	Providers
https://bugzilla.redhat.com/show_bug.cgi?id=1848640
https://nvd.nist.gov/vuln/detail/CVE-2020-14301
https://security.netapp.com/advisory/ntap-20210629-0007/
https://www.cve.org/CVERecord?id=CVE-2020-14301

History

No history.

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2021-05-27T19:44:34

Updated: 2024-08-04T12:39:36.274Z

Reserved: 2020-06-17T00:00:00

Link: CVE-2020-14301

Vulnrichment

No data.

NVD

Status : Modified

Published: 2021-05-27T20:15:07.727

Modified: 2024-11-21T05:02:57.587

Link: CVE-2020-14301

Redhat

Severity : Low

Publid Date: 2020-04-14T00:00:00Z

Links: CVE-2020-14301 - Bugzilla

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object