CVSS: 7.7EPSS: 0%CPEs: 8EXPL: 0CVE-2020-1711 – QEMU: block: iscsi: OOB heap access via an unexpected response of iSCSI Server
https://notcve.org/view.php?id=CVE-2020-1711
03 Feb 2020 — An out-of-bounds heap buffer access flaw was found in the way the iSCSI Block driver in QEMU versions 2.12.0 before 4.2.1 handled a response coming from an iSCSI server while checking the status of a Logical Address Block (LBA) in an iscsi_co_block_status() routine. A remote user could use this flaw to crash the QEMU process, resulting in a denial of service or potential execution of arbitrary code with privileges of the QEMU process on the host. Se detectó una fallo de acceso al búfer de la pila fuera de l... • http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00007.html • CWE-122: Heap-based Buffer Overflow CWE-787: Out-of-bounds Write •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1CVE-2019-20175
https://notcve.org/view.php?id=CVE-2019-20175
31 Dec 2019 — An issue was discovered in ide_dma_cb() in hw/ide/core.c in QEMU 2.4.0 through 4.2.0. The guest system can crash the QEMU process in the host system via a special SCSI_IOCTL_SEND_COMMAND. It hits an assertion that implies that the size of successful DMA transfers there must be a multiple of 512 (the size of a sector). NOTE: a member of the QEMU security team disputes the significance of this issue because a "privileged guest user has many ways to cause similar DoS effect, without triggering this assert. ** ... • https://lists.nongnu.org/archive/html/qemu-devel/2019-07/msg01651.html • CWE-754: Improper Check for Unusual or Exceptional Conditions •
CVSS: 7.8EPSS: 0%CPEs: 7EXPL: 3CVE-2013-2016
https://notcve.org/view.php?id=CVE-2013-2016
30 Dec 2019 — A flaw was found in the way qemu v1.3.0 and later (virtio-rng) validates addresses when guest accesses the config space of a virtio device. If the virtio device has zero/small sized config space, such as virtio-rng, a privileged guest user could use this flaw to access the matching host's qemu address space and thus increase their privileges on the host. Se encontró un fallo en la manera en que qemu versión v1.3.0 y posteriores (virtio-rng) comprueba las direcciones cuando el invitado accede al espacio de c... • http://lists.opensuse.org/opensuse-security-announce/2014-05/msg00002.html • CWE-269: Improper Privilege Management •
CVSS: 3.8EPSS: 0%CPEs: 15EXPL: 0CVE-2019-12068 – Debian Security Advisory 4665-1
https://notcve.org/view.php?id=CVE-2019-12068
24 Sep 2019 — In QEMU 1:4.1-1, 1:2.1+dfsg-12+deb8u6, 1:2.8+dfsg-6+deb9u8, 1:3.1+dfsg-8~deb10u1, 1:3.1+dfsg-8+deb10u2, and 1:2.1+dfsg-12+deb8u12 (fixed), when executing script in lsi_execute_script(), the LSI scsi adapter emulator advances 's->dsp' index to read next opcode. This can lead to an infinite loop if the next opcode is empty. Move the existing loop exit after 10k iterations so that it covers no-op opcodes as well. En QEMU versiones 1:4.1-1, 1:2.1+dfsg-12+deb8u6, 1:2.8+dfsg-6+deb9u8, 1:3.1+dfsg-8~deb10u1, 1:3.1+... • http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00034.html • CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') •
CVSS: 7.8EPSS: 0%CPEs: 12EXPL: 0CVE-2019-13164 – Debian Security Advisory 4512-1
https://notcve.org/view.php?id=CVE-2019-13164
03 Jul 2019 — qemu-bridge-helper.c in QEMU 3.1 and 4.0.0 does not ensure that a network interface name (obtained from bridge.conf or a --br=bridge option) is limited to the IFNAMSIZ size, which can lead to an ACL bypass. qemu-bridge-helper.c en QEMU versión 3.1 y 4.0.0 no garantiza que un nombre de interfaz de red (obtenido de bridge.conf o una opción --br = bridge) esté limitado al tamaño de IFNAMSIZ, lo que puede llevar a una derivación de ACL. It was discovered that the LSI SCSI adapter emulator implementation in QEMU... • http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00000.html •
CVSS: 10.0EPSS: 3%CPEs: 1EXPL: 1CVE-2019-12929
https://notcve.org/view.php?id=CVE-2019-12929
24 Jun 2019 — The QMP guest_exec command in QEMU 4.0.0 and earlier is prone to OS command injection, which allows the attacker to achieve code execution, denial of service, or information disclosure by sending a crafted QMP command to the listening server. Note: This has been disputed as a non-issue since QEMU's -qmp interface is meant to be used by trusted users. If one is able to access this interface via a tcp socket open to the internet, then it is an insecure configuration issue **EN DISPUTA** El comando QMP guest_e... • https://fakhrizulkifli.github.io/posts/2019/06/06/CVE-2019-12929 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') CWE-668: Exposure of Resource to Wrong Sphere •
CVSS: 10.0EPSS: 4%CPEs: 1EXPL: 1CVE-2019-12928
https://notcve.org/view.php?id=CVE-2019-12928
24 Jun 2019 — The QMP migrate command in QEMU version 4.0.0 and earlier is vulnerable to OS command injection, which allows the remote attacker to achieve code execution, denial of service, or information disclosure by sending a crafted QMP command to the listening server. Note: This has been disputed as a non-issue since QEMU's -qmp interface is meant to be used by trusted users. If one is able to access this interface via a tcp socket open to the internet, then it is an insecure configuration issue ** EN DISPUTA ** El ... • https://fakhrizulkifli.github.io/posts/2019/06/05/CVE-2019-12928 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') CWE-668: Exposure of Resource to Wrong Sphere •
CVSS: 7.5EPSS: 1%CPEs: 1EXPL: 1CVE-2019-12155 – QEMU: qxl: null pointer dereference while releasing spice resources
https://notcve.org/view.php?id=CVE-2019-12155
24 May 2019 — interface_release_resource in hw/display/qxl.c in QEMU 3.1.x through 4.0.0 has a NULL pointer dereference. interface_release_resource en hw/display/qxl.c en QEMU versión 3.1.x hasta la versión 4.0.0 tiene una desreferencia en puntero NULL. It was discovered that the LSI SCSI adapter emulator implementation in QEMU did not properly validate executed scripts. A local attacker could use this to cause a denial of service. Sergej Schumilo, Cornelius Aschermann and Simon Woerner discovered that the qxl paravirtua... • http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00000.html • CWE-476: NULL Pointer Dereference •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2019-12247
https://notcve.org/view.php?id=CVE-2019-12247
22 May 2019 — QEMU 3.0.0 has an Integer Overflow because the qga/commands*.c files do not check the length of the argument list or the number of environment variables. NOTE: This has been disputed as not exploitable ** EN DISPUTA ** QEMU 3.0.0 tiene un desbordamiento de enteros (Integer Overflow) porque los archivos qga / command * .c no verifican la longitud de la lista de argumentos o el número de variables de entorno. NOTA: esta vulnerabilidad está siendo discutida como no explotable. • http://www.securityfocus.com/bid/108434 • CWE-190: Integer Overflow or Wraparound •
CVSS: 9.8EPSS: 1%CPEs: 1EXPL: 0CVE-2018-20815 – QEMU: device_tree: heap buffer overflow while loading device tree blob
https://notcve.org/view.php?id=CVE-2018-20815
25 Apr 2019 — In QEMU 3.1.0, load_device_tree in device_tree.c calls the deprecated load_image function, which has a buffer overflow risk. En QEMU versión 3.1.0, la función load_device_tree en el archivo device_tree.c llama a la función en desuso load_image, que tiene un riesgo de desbordamiento de búfer. A heap buffer overflow issue was found in the load_device_tree() function of QEMU, which is invoked to load a device tree blob at boot time. It occurs due to device tree size manipulation before buffer allocation, which... • https://access.redhat.com/errata/RHSA-2019:1667 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-122: Heap-based Buffer Overflow •