CVSS: 6.7EPSS: 0%CPEs: 6EXPL: 0CVE-2020-13754 – QEMU: msix: OOB access during mmio operations may lead to DoS
https://notcve.org/view.php?id=CVE-2020-13754
02 Jun 2020 — hw/pci/msix.c in QEMU 4.2.0 allows guest OS users to trigger an out-of-bounds access via a crafted address in an msi-x mmio operation. En el archivo hw/pci/msix.c en QEMU versión 4.2.0, permite a usuarios invitados del SO desencadenar un acceso fuera de límites por medio de una dirección diseñada en una operación msi-x mmio. An out-of-bounds access flaw was found in the Message Signalled Interrupt (MSI-X) device support of QEMU. This issue occurs while performing MSI-X mmio operations when a guest sent addr... • http://www.openwall.com/lists/oss-security/2020/06/01/6 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-787: Out-of-bounds Write •
CVSS: 3.2EPSS: 0%CPEs: 8EXPL: 0CVE-2020-13362 – Debian Security Advisory 4728-1
https://notcve.org/view.php?id=CVE-2020-13362
28 May 2020 — In QEMU 5.0.0 and earlier, megasas_lookup_frame in hw/scsi/megasas.c has an out-of-bounds read via a crafted reply_queue_head field from a guest OS user. En QEMU versión 5.0.0 y versiones anteriores, la función megasas_lookup_frame en el archivo hw/scsi/megasas.c presenta una lectura fuera de límites mediante el campo reply_queue_head desde un usuario invitado del Sistema Operativo. Ziming Zhang and VictorV discovered that the QEMU SLiRP networking implementation incorrectly handled replying to certain ICMP... • http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00086.html • CWE-125: Out-of-bounds Read •
CVSS: 3.9EPSS: 0%CPEs: 8EXPL: 0CVE-2020-13361 – Debian Security Advisory 4728-1
https://notcve.org/view.php?id=CVE-2020-13361
28 May 2020 — In QEMU 5.0.0 and earlier, es1370_transfer_audio in hw/audio/es1370.c does not properly validate the frame count, which allows guest OS users to trigger an out-of-bounds access during an es1370_write() operation. En QEMU versión 5.0.0 y versiones anteriores, la función es1370_transfer_audio en el archivo hw/audio/es1370.c no comprueba apropiadamente el conteo de tramas, lo que permite a usuarios invitados del Sistema Operativo desencadenar un acceso fuera de límites durante una operación es1370_write(). Zim... • http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00086.html • CWE-787: Out-of-bounds Write •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2020-13253 – Gentoo Linux Security Advisory 202011-09
https://notcve.org/view.php?id=CVE-2020-13253
27 May 2020 — sd_wp_addr in hw/sd/sd.c in QEMU 4.2.0 uses an unvalidated address, which leads to an out-of-bounds read during sdhci_write() operations. A guest OS user can crash the QEMU process. En la función sd_wp_addr en el archivo hw/sd/sd.c en QEMU versión 4.2.0, utiliza una dirección no comprobada, lo que conlleva a una lectura fuera de límites durante las operaciones sdhci_write(). Un usuario del Sistema Operativo invitado puede bloquear el proceso QEMU. Ziming Zhang and VictorV discovered that the QEMU SLiRP netw... • http://www.openwall.com/lists/oss-security/2020/05/27/2 • CWE-125: Out-of-bounds Read •
CVSS: 10.0EPSS: 1%CPEs: 1EXPL: 1CVE-2019-12929
https://notcve.org/view.php?id=CVE-2019-12929
24 Jun 2019 — The QMP guest_exec command in QEMU 4.0.0 and earlier is prone to OS command injection, which allows the attacker to achieve code execution, denial of service, or information disclosure by sending a crafted QMP command to the listening server. Note: This has been disputed as a non-issue since QEMU's -qmp interface is meant to be used by trusted users. If one is able to access this interface via a tcp socket open to the internet, then it is an insecure configuration issue **EN DISPUTA** El comando QMP guest_e... • https://fakhrizulkifli.github.io/posts/2019/06/06/CVE-2019-12929 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') CWE-668: Exposure of Resource to Wrong Sphere •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 1CVE-2019-12928
https://notcve.org/view.php?id=CVE-2019-12928
24 Jun 2019 — The QMP migrate command in QEMU version 4.0.0 and earlier is vulnerable to OS command injection, which allows the remote attacker to achieve code execution, denial of service, or information disclosure by sending a crafted QMP command to the listening server. Note: This has been disputed as a non-issue since QEMU's -qmp interface is meant to be used by trusted users. If one is able to access this interface via a tcp socket open to the internet, then it is an insecure configuration issue ** EN DISPUTA ** El ... • https://fakhrizulkifli.github.io/posts/2019/06/05/CVE-2019-12928 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') CWE-668: Exposure of Resource to Wrong Sphere •
CVSS: 3.3EPSS: 0%CPEs: 3EXPL: 1CVE-2019-8934
https://notcve.org/view.php?id=CVE-2019-8934
17 Mar 2019 — hw/ppc/spapr.c in QEMU through 3.1.0 allows Information Exposure because the hypervisor shares the /proc/device-tree/system-id and /proc/device-tree/model system attributes with a guest. hw/ppc/spapr.c en QEMU, hasta la versión 3.1.0, permite la exposición de información debido a que el hipervisor comparte los atributos del sistema en /proc/device-tree/system-id and /proc/device-tree/model con un invitado. • http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00094.html • CWE-668: Exposure of Resource to Wrong Sphere •
CVSS: 7.5EPSS: 1%CPEs: 7EXPL: 0CVE-2018-20191 – Ubuntu Security Notice USN-3923-1
https://notcve.org/view.php?id=CVE-2018-20191
20 Dec 2018 — hw/rdma/vmw/pvrdma_main.c in QEMU does not implement a read operation (such as uar_read by analogy to uar_write), which allows attackers to cause a denial of service (NULL pointer dereference). hw/rdma/vmw/pvrdma_main.c en QEMU no implementa una operación de lectura (como uar_read por analogía con uar_write), lo que permite que los atacantes provoquen una denegación de servicio (desreferencia de puntero NULL). Michael Hanselmann discovered that QEMU incorrectly handled the Media Transfer Protocol. An attack... • http://www.openwall.com/lists/oss-security/2018/12/18/1 • CWE-476: NULL Pointer Dereference •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2018-20124 – Ubuntu Security Notice USN-3923-1
https://notcve.org/view.php?id=CVE-2018-20124
20 Dec 2018 — hw/rdma/rdma_backend.c in QEMU allows guest OS users to trigger out-of-bounds access via a PvrdmaSqWqe ring element with a large num_sge value. hw/rdma/rdma_backend.c en QEMU permite que los usuarios invitados del sistema operativo desencadenen un acceso fuera de límites mediante un elemento de anillo PvrdmaSqWqe con un valor num_sge grande. Michael Hanselmann discovered that QEMU incorrectly handled the Media Transfer Protocol. An attacker inside the guest could use this issue to read or write arbitrary fi... • http://www.openwall.com/lists/oss-security/2018/12/18/2 • CWE-125: Out-of-bounds Read •
CVSS: 5.5EPSS: 0%CPEs: 7EXPL: 0CVE-2018-20126 – Ubuntu Security Notice USN-3923-1
https://notcve.org/view.php?id=CVE-2018-20126
20 Dec 2018 — hw/rdma/vmw/pvrdma_cmd.c in QEMU allows create_cq and create_qp memory leaks because errors are mishandled. hw/rdma/vmw/pvrdma_cmd.c en QEMU permite filtrados de memoria en create_cq y create_qp debido a la gestión incorrecta de los errores. Michael Hanselmann discovered that QEMU incorrectly handled the Media Transfer Protocol. An attacker inside the guest could use this issue to read or write arbitrary files and cause a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu... • http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00034.html • CWE-772: Missing Release of Resource after Effective Lifetime •