CVE-2021-3631
Advisory lineage Upstream: 0 Downstream: 13
Modified
Published: 02 Mar 2022, 00:00
Last modified:19 Nov 2024, 19:33
Vulnerability Summary
Overall Risk (default)
medium
35/100 CVSS Score
6.3 MEDIUM
v3.1 (nvd)
EPSS Score
0.07% LOW
0% probability 0.00%
KEV
Not listed
Ransomware
No reports
Public exploits
1 found
Dark Web
Not detected
Timeline
02 Mar 2022, 00:00
Published
Vulnerability first disclosed
19 Nov 2024, 19:33
Last Modified
Vulnerability information updated
Description
A flaw was found in libvirt while it generates SELinux MCS category pairs for VMs' dynamic labels. This flaw allows one exploited guest to access files labeled for another guest, resulting in the breaking out of sVirt confinement. The highest threat from this vulnerability is to confidentiality and integrity.
CVSS Metrics
- v3.1•MEDIUM•Score: 6.3CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
- v2.0•LOW•Score: 3.3AV:L/AC:M/Au:N/C:P/I:P/A:N
EPSS Trends
Current EPSS score: 0.07%• Percentile: 21%
Techniques & Countermeasures
- CWE-732•Incorrect Permission Assignment for Critical Resource
The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.
Affected Systems
- netapp•ontap_select_deploy_administration_utility
na
- redhat•enterprise_linux
8.0
- redhat•libvirt
< 7.5.0
- redhat•openshift_container_platform
4.8
References (7)
- https://bugzilla.redhat.com/show_bug.cgi?id=1977726
- https://gitlab.com/libvirt/libvirt/-/issues/153
- https://gitlab.com/libvirt/libvirt/-/commit/15073504dbb624d3f6c911e85557019d3620fdb2
- https://access.redhat.com/errata/RHSA-2021:3631
- https://security.netapp.com/advisory/ntap-20220331-0010/
- https://security.gentoo.org/glsa/202210-06
- https://lists.debian.org/debian-lts-announce/2024/04/msg00000.html