CVE-2015-5313

libvirt: filesystem storage volume names path traversal flaw

Severity Score

2.5

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Directory traversal vulnerability in the virStorageBackendFileSystemVolCreate function in storage/storage_backend_fs.c in libvirt, when fine-grained Access Control Lists (ACL) are in effect, allows local users with storage_vol:create ACL but not domain:write permission to write to arbitrary files via a .. (dot dot) in a volume name.

Vulnerabilidad de salto de directorio en la función virStorageBackendFileSystemVolCreate en storage/storage_backend_fs.c en libvirt, cuando Access Control Lists (ACL) detalladas están en vigor, permite a usuarios locales con permiso storage_vol:create ACL pero sin permiso domain:write escribir en archivos arbitrarios a través de un .. (punto punto) en un nombre de volumen.

A path-traversal flaw was found in the way the libvirt daemon handled filesystem names for storage volumes. A libvirt user with privileges to create storage volumes and without privileges to create and modify domains could possibly use this flaw to escalate their privileges.

It was discovered that libvirt incorrectly handled the firewall rules on bridge networks when the daemon was restarted. This could result in an unintended firewall configuration. This issue only applied to Ubuntu 12.04 LTS. Peter Krempa discovered that libvirt incorrectly handled locking when certain ACL checks failed. A local attacker could use this issue to cause libvirt to stop responding, resulting in a denial of service. This issue only applied to Ubuntu 14.04 LTS. Various other issues were also addressed.

*Credits: N/A

CVSS Scores

Attack Vector

Local

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

None

Attack Vector

Local

Attack Complexity

Medium

Authentication

None

Confidentiality

None

Integrity

Partial

Availability

None

Attack Vector

Network

Attack Complexity

High

Authentication

Single

Confidentiality

None

Integrity

Complete

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2015-07-01 CVE Reserved
2016-01-12 CVE Published
2024-08-06 CVE Updated
2025-03-30 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CAPEC

References (9)

URL	Tag	Source
http://libvirt.org/git/?p=libvirt.git%3Ba=commit%3Bh=034e47c338b13a95cf02106a3af912c1c5f818d7	X_refsource_confirm
http://www.securityfocus.com/bid/90913	Vdb Entry
https://www.redhat.com/archives/libvir-list/2015-December/msg00473.html	Mailing List

URL	Date	SRC

URL	Date	SRC
http://security.libvirt.org/2015/0004.html	2023-02-13

URL	Date	SRC
http://lists.fedoraproject.org/pipermail/package-announce/2015-December/174404.html	2023-02-13
http://rhn.redhat.com/errata/RHSA-2016-2577.html	2023-02-13
https://security.gentoo.org/glsa/201612-10	2023-02-13
https://access.redhat.com/security/cve/CVE-2015-5313	2016-11-03
https://bugzilla.redhat.com/show_bug.cgi?id=1277121	2016-11-03

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Redhat Search vendor "Redhat"		Libvirt Search vendor "Redhat" for product "Libvirt"				-		-		Affected