CVE-2020-35517
Advisory lineage Upstream: 0 Downstream: 4
Modified
Published: 28 Jan 2021, 19:13
Last modified:04 Aug 2024, 17:02
Vulnerability Summary
Overall Risk (default)
medium
43/100 CVSS Score
8.2 HIGH
v3.1 (nvd)
EPSS Score
0.11% LOW
0% probability +0.03%
KEV
Not listed
Ransomware
No reports
Public exploits
2 found
Dark Web
Not detected
Timeline
28 Jan 2021, 19:13
Published
Vulnerability first disclosed
04 Aug 2024, 17:02
Last Modified
Vulnerability information updated
Description
A flaw was found in qemu. A host privilege escalation issue was found in the virtio-fs shared file system daemon where a privileged guest user is able to create a device special file in the shared directory and use it to r/w access host devices.
CVSS Metrics
- v3.1•HIGH•Score: 8.2CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
- v2.0•MEDIUM•Score: 4.6AV:L/AC:L/Au:N/C:P/I:P/A:P
EPSS Trends
Current EPSS score: 0.11%• Percentile: 29%
Techniques & Countermeasures
- CWE-269•Improper Privilege Management
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
Affected Systems
- qemu•qemu
≥ 5.0.0, ≤ 5.2.50
References (6)
- https://github.com/qemu/qemu/commit/ebf101955ce8f8d72fba103b5151115a4335de2c
- https://bugzilla.redhat.com/show_bug.cgi?id=1915823
- https://www.openwall.com/lists/oss-security/2021/01/22/1
- https://lists.gnu.org/archive/html/qemu-devel/2021-01/msg05461.html
- https://security.netapp.com/advisory/ntap-20210312-0002/
- https://security.gentoo.org/glsa/202208-27