CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 0CVE-2022-0358 – QEMU: virtiofsd: potential privilege escalation via CVE-2018-13405
https://notcve.org/view.php?id=CVE-2022-0358
A flaw was found in the QEMU virtio-fs shared file system daemon (virtiofsd) implementation. This flaw is strictly related to CVE-2018-13405. A local guest user can create files in the directories shared by virtio-fs with unintended group ownership in a scenario where a directory is SGID to a certain group and is writable by a user who is not a member of the group. This could allow a malicious unprivileged user inside the guest to gain access to resources accessible to the root group, potentially escalating their privileges within the guest. A malicious local user in the host might also leverage this unexpected executable file created by the guest to escalate their privileges on the host system. • https://access.redhat.com/security/cve/CVE-2022-0358 https://bugzilla.redhat.com/show_bug.cgi?id=2044863 https://gitlab.com/qemu-project/qemu/-/commit/449e8171f96a6a944d1f3b7d3627ae059eae21ca https://security.netapp.com/advisory/ntap-20221007-0008 • CWE-273: Improper Check for Dropped Privileges •
CVSS: 6.0EPSS: 0%CPEs: 2EXPL: 1CVE-2021-4158 – QEMU: NULL pointer dereference in pci_write() in hw/acpi/pcihp.c
https://notcve.org/view.php?id=CVE-2021-4158
A NULL pointer dereference issue was found in the ACPI code of QEMU. A malicious, privileged user within the guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition. Se ha encontrado un problema de desreferencia de puntero NULL en el código ACPI de QEMU. Un usuario malicioso y con privilegios dentro del huésped podía usar este fallo para bloquear el proceso de QEMU en el host, resultando en una situación de denegación de servicio. • https://access.redhat.com/security/cve/CVE-2021-4158 https://bugzilla.redhat.com/show_bug.cgi?id=2035002 https://gitlab.com/qemu-project/qemu/-/commit/9bd6565ccee68f72d5012e24646e12a1c662827e https://gitlab.com/qemu-project/qemu/-/issues/770 https://www.mail-archive.com/qemu-devel%40nongnu.org/msg857944.html • CWE-476: NULL Pointer Dereference •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2021-3947
https://notcve.org/view.php?id=CVE-2021-3947
A stack-buffer-overflow was found in QEMU in the NVME component. The flaw lies in nvme_changed_nslist() where a malicious guest controlling certain input can read out of bounds memory. A malicious user could use this flaw leading to disclosure of sensitive information. Se ha encontrado un desbordamiento de pila en QEMU en el componente NVME. El fallo es encontrado en nvme_changed_nslist(), donde un huésped malicioso que controle determinadas entradas puede leer memoria fuera de límites. • https://bugzilla.redhat.com/show_bug.cgi?id=2021869 https://security.gentoo.org/glsa/202208-27 https://security.netapp.com/advisory/ntap-20220318-0003 • CWE-125: Out-of-bounds Read •
CVSS: 6.5EPSS: 0%CPEs: 12EXPL: 0CVE-2021-3930 – QEMU: off-by-one error in mode_sense_page() in hw/scsi/scsi-disk.c
https://notcve.org/view.php?id=CVE-2021-3930
An off-by-one error was found in the SCSI device emulation in QEMU. It could occur while processing MODE SELECT commands in mode_sense_page() if the 'page' argument was set to MODE_PAGE_ALLS (0x3f). A malicious guest could use this flaw to potentially crash QEMU, resulting in a denial of service condition. Se ha encontrado un error "off-by-one" en la emulación de dispositivos SCSI en QEMU. Podía ocurrir mientras eran procesados comandos MODE SELECT en mode_sense_page() si el argumento "page" era establecido como MODE_PAGE_ALLS (0x3f). • https://bugzilla.redhat.com/show_bug.cgi?id=2020588 https://lists.debian.org/debian-lts-announce/2022/04/msg00002.html https://lists.debian.org/debian-lts-announce/2022/09/msg00008.html https://security.gentoo.org/glsa/202208-27 https://security.netapp.com/advisory/ntap-20220225-0007 https://access.redhat.com/security/cve/CVE-2021-3930 • CWE-193: Off-by-one Error •
CVSS: 7.5EPSS: 0%CPEs: 9EXPL: 0CVE-2021-3748 – QEMU: virtio-net: heap use-after-free in virtio_net_receive_rcu
https://notcve.org/view.php?id=CVE-2021-3748
A use-after-free vulnerability was found in the virtio-net device of QEMU. It could occur when the descriptor's address belongs to the non direct access region, due to num_buffers being set after the virtqueue elem has been unmapped. A malicious guest could use this flaw to crash QEMU, resulting in a denial of service condition, or potentially execute code on the host with the privileges of the QEMU process. Se ha encontrado una vulnerabilidad de uso de memoria previamente liberada en el dispositivo virtio-net de QEMU. Podría ocurrir cuando la dirección del descriptor pertenece a la región de acceso no directo, debido a que num_buffers es establecido después de que el elemento virtqueue haya sido desmapeado. • https://bugzilla.redhat.com/show_bug.cgi?id=1998514 https://github.com/qemu/qemu/commit/bedd7e93d01961fcb16a97ae45d93acf357e11f6 https://lists.debian.org/debian-lts-announce/2022/04/msg00002.html https://lists.debian.org/debian-lts-announce/2022/09/msg00008.html https://lists.nongnu.org/archive/html/qemu-devel/2021-09/msg00388.html https://security.gentoo.org/glsa/202208-27 https://security.netapp.com/advisory/ntap-20220425-0004 https://ubuntu.com/security/CVE-2021-3748 https://access. • CWE-416: Use After Free •