CVE-2020-14301

Description

An information disclosure vulnerability was found in libvirt in versions before 6.3.0. HTTP cookies used to access network-based disks were saved in the XML dump of the guest domain. This flaw allows an attacker to access potentially sensitive information in the domain configuration via the `dumpxml` command.

CVSS Metrics

• v3.1•MEDIUM•Score: 6.5CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
• v2.0•MEDIUM•Score: 4AV:N/AC:L/Au:S/C:P/I:N/A:N

EPSS Trends

Current EPSS score: 0.49%• Percentile: 66%

Techniques & Countermeasures

• CWE-212•Improper Removal of Sensitive Information Before Storage or Transfer

  The product stores, transfers, or shares a resource that contains sensitive information, but it does not properly remove that information before the product makes the resource available to unauthorized actors.

Affected Systems

• netapp•ontap_select_deploy_administration_utility

  na

• redhat•codeready_linux_builder

  na

• redhat•enterprise_linux

  8.0

• redhat•enterprise_linux_eus

  8.4

• redhat•enterprise_linux_for_ibm_z_systems

  8.0

• redhat•enterprise_linux_for_ibm_z_systems_eus

  8.4

• redhat•enterprise_linux_for_power_little_endian

  8.0

• redhat•enterprise_linux_for_power_little_endian_eus

  8.4

• redhat•enterprise_linux_server_aus

  8.4

• redhat•enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions

  8.4

• redhat•enterprise_linux_server_update_services_for_sap_solutions

  8.4

• redhat•enterprise_linux_tus

  8.4

• redhat•libvirt

  ≥ 6.2.0, < 6.3.0

References (2)

• https://bugzilla.redhat.com/show_bug.cgi?id=1848640
• https://security.netapp.com/advisory/ntap-20210629-0007/