An information disclosure vulnerability was found in libvirt in versions before 6.3.0. HTTP cookies used to access network-based disks were saved in the XML dump of the guest domain. This flaw allows an attacker to access potentially sensitive information in the domain configuration via the `dumpxml` command.

Metrics

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Affected Vendors & Products

Vendors Products
Netapp
  • Ontap Select Deploy Administration Utility
Redhat
  • Advanced Virtualization
  • Codeready Linux Builder
  • Enterprise Linux
  • Enterprise Linux Eus
  • Enterprise Linux For Ibm Z Systems
  • Enterprise Linux For Ibm Z Systems Eus
  • Enterprise Linux For Power Little Endian
  • Enterprise Linux For Power Little Endian Eus
  • Enterprise Linux Server Aus
  • Enterprise Linux Server For Power Little Endian Update Services For Sap Solutions
  • Enterprise Linux Server Update Services For Sap Solutions
  • Enterprise Linux Tus
  • Libvirt

Configuration 1 [-]

cpe:2.3:a:redhat:libvirt:*:*:*:*:*:*:*:*

Configuration 2 [-]

OR cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_eus:8.4:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems:8.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems_eus:8.4:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian:8.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian_eus:8.4:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_aus:8.4:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions:8.4:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_update_services_for_sap_solutions:8.4:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_tus:8.4:*:*:*:*:*:*:*

Configuration 3 [-]

cpe:2.3:a:netapp:ontap_select_deploy_administration_utility:-:*:*:*:*:*:*:*

Configuration 4 [-]

AND
cpe:2.3:a:redhat:codeready_linux_builder:-:*:*:*:*:*:*:*
OR cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_eus:8.4:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems:8.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems_eus:8.4:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian:8.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian_eus:8.4:*:*:*:*:*:*:*
Package CPE Advisory Released Date
Advanced Virtualization for RHEL 8.2.1
virt:8.2-8020120200707202843.11e3e113 cpe:/a:redhat:advanced_virtualization:8.2::el8 RHBA-2020:3172 2020-07-28T00:00:00Z
virt-devel:8.2-8020120200707202843.11e3e113 cpe:/a:redhat:advanced_virtualization:8.2::el8 RHBA-2020:3172 2020-07-28T00:00:00Z
Red Hat Enterprise Linux 8
virt-devel:rhel-8030020200909014558.30b713e6 cpe:/a:redhat:enterprise_linux:8 RHSA-2020:4676 2020-11-04T00:00:00Z
virt:rhel-8030020200909014558.30b713e6 cpe:/a:redhat:enterprise_linux:8 RHSA-2020:4676 2020-11-04T00:00:00Z
References
Link Providers
https://bugzilla.redhat.com/show_bug.cgi?id=1848640 cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2020-14301 cve-icon
https://security.netapp.com/advisory/ntap-20210629-0007/ cve-icon cve-icon
https://www.cve.org/CVERecord?id=CVE-2020-14301 cve-icon
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2021-05-27T19:44:34

Updated: 2024-08-04T12:39:36.274Z

Reserved: 2020-06-17T00:00:00

Link: CVE-2020-14301

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2021-05-27T20:15:07.727

Modified: 2024-11-21T05:02:57.587

Link: CVE-2020-14301

cve-icon Redhat

Severity : Low

Publid Date: 2020-04-14T00:00:00Z

Links: CVE-2020-14301 - Bugzilla