ID CVE-2019-13164
Summary qemu-bridge-helper.c in QEMU 3.1 and 4.0.0 does not ensure that a network interface name (obtained from bridge.conf or a --br=bridge option) is limited to the IFNAMSIZ size, which can lead to an ACL bypass.
References
Vulnerable Configurations
  • cpe:2.3:a:qemu:qemu:3.1:*:*:*:*:*:*:*
    cpe:2.3:a:qemu:qemu:3.1:*:*:*:*:*:*:*
  • cpe:2.3:a:qemu:qemu:4.0.0:*:*:*:*:*:*:*
    cpe:2.3:a:qemu:qemu:4.0.0:*:*:*:*:*:*:*
  • cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
    cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
  • cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
    cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
  • cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
    cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
  • cpe:2.3:o:opensuse:leap:15.0:*:*:*:*:*:*:*
    cpe:2.3:o:opensuse:leap:15.0:*:*:*:*:*:*:*
  • cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*
    cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*
  • cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
    cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
  • cpe:2.3:o:canonical:ubuntu_linux:19.04:*:*:*:*:*:*:*
    cpe:2.3:o:canonical:ubuntu_linux:19.04:*:*:*:*:*:*:*
  • cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:*
    cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:*
  • cpe:2.3:o:canonical:ubuntu_linux:19.10:*:*:*:*:*:*:*
    cpe:2.3:o:canonical:ubuntu_linux:19.10:*:*:*:*:*:*:*
  • cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*
    cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*
CVSS
Base: 4.6 (as of 06-10-2022 - 19:51)
Impact:
Exploitability:
CWE NVD-CWE-noinfo
CAPEC
Access
VectorComplexityAuthentication
LOCAL LOW NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL PARTIAL PARTIAL
cvss-vector via4 AV:L/AC:L/Au:N/C:P/I:P/A:P
refmap via4
bid 109054
bugtraq
  • 20190825 [SECURITY] [DSA 4506-1] qemu security update
  • 20190902 [SECURITY] [DSA 4512-1] qemu security update
debian
  • DSA-4506
  • DSA-4512
gentoo GLSA-202003-66
misc
mlist
  • [debian-lts-announce] 20190920 [SECURITY] [DLA 1927-1] qemu security update
  • [oss-security] 20190703 CVE-2019-13164 Qemu: qemu-bridge-helper ACL bypassed with long interface names
suse
  • openSUSE-SU-2019:2041
  • openSUSE-SU-2019:2059
ubuntu
  • USN-4191-1
  • USN-4191-2
Last major update 06-10-2022 - 19:51
Published 03-07-2019 - 14:15
Last modified 06-10-2022 - 19:51
Back to Top