CVE-2020-15708

Description

Ubuntu's packaging of libvirt in 20.04 LTS created a control socket with world read and write permissions. An attacker could use this to overwrite arbitrary files or execute arbitrary code.

CVSS Metrics

• v3.1•CRITICAL•Score: 9.3CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
• v3.1•HIGH•Score: 7.8CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
• v2.0•MEDIUM•Score: 4.6AV:L/AC:L/Au:N/C:P/I:P/A:P

EPSS Trends

Current EPSS score: 0.15%• Percentile: 36%

Techniques & Countermeasures

• CWE-732•Incorrect Permission Assignment for Critical Resource

  The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

Affected Systems

• canonical•ubuntu_linux

  20.04

• ubuntu•libvirt

  ≥ unspecified, < 6.0.0-0ubuntu8.3

References (1)

• https://usn.ubuntu.com/usn/usn-4452-1