CVE-2014-0179
CVSS V2 Low 1.9
CVSS V3 None
Description
libvirt 0.7.5 through 1.2.x before 1.2.5 allows local users to cause a denial of service (read block and hang) via a crafted XML document containing an XML external entity declaration in conjunction with an entity reference to the (1) virConnectCompareCPU or (2) virConnectBaselineCPU API method, related to an XML External Entity (XXE) issue. NOTE: this issue was SPLIT per ADT3 due to different affected versions of some vectors. CVE-2014-5177 is used for other API methods.
Overview
- CVE ID
- CVE-2014-0179
- Assigner
- secalert@redhat.com
- Vulnerability Status
- Modified
- Published Version
- 2014-08-03T18:55:05
- Last Modified Date
- 2023-02-13T00:35:18
Weakness Enumerations
CPE Configuration (Product)
CPE | Vulnerable | Operator | Version Start | Version End |
---|---|---|---|---|
cpe:2.3:a:redhat:libvirt:0.7.5:*:*:*:*:*:*:* | 1 | OR | ||
cpe:2.3:a:redhat:libvirt:0.7.6:*:*:*:*:*:*:* | 1 | OR | ||
cpe:2.3:a:redhat:libvirt:0.7.7:*:*:*:*:*:*:* | 1 | OR | ||
cpe:2.3:a:redhat:libvirt:0.8.0:*:*:*:*:*:*:* | 1 | OR | ||
cpe:2.3:a:redhat:libvirt:0.8.1:*:*:*:*:*:*:* | 1 | OR | ||
cpe:2.3:a:redhat:libvirt:0.8.2:*:*:*:*:*:*:* | 1 | OR | ||
cpe:2.3:a:redhat:libvirt:0.8.3:*:*:*:*:*:*:* | 1 | OR | ||
cpe:2.3:a:redhat:libvirt:0.8.4:*:*:*:*:*:*:* | 1 | OR | ||
cpe:2.3:a:redhat:libvirt:0.8.5:*:*:*:*:*:*:* | 1 | OR | ||
cpe:2.3:a:redhat:libvirt:0.8.6:*:*:*:*:*:*:* | 1 | OR | ||
cpe:2.3:a:redhat:libvirt:0.8.7:*:*:*:*:*:*:* | 1 | OR | ||
cpe:2.3:a:redhat:libvirt:0.8.8:*:*:*:*:*:*:* | 1 | OR | ||
cpe:2.3:a:redhat:libvirt:0.9.0:*:*:*:*:*:*:* | 1 | OR | ||
cpe:2.3:a:redhat:libvirt:0.9.1:*:*:*:*:*:*:* | 1 | OR | ||
cpe:2.3:a:redhat:libvirt:0.9.2:*:*:*:*:*:*:* | 1 | OR | ||
cpe:2.3:a:redhat:libvirt:0.9.3:*:*:*:*:*:*:* | 1 | OR | ||
cpe:2.3:a:redhat:libvirt:0.9.4:*:*:*:*:*:*:* | 1 | OR | ||
cpe:2.3:a:redhat:libvirt:0.9.5:*:*:*:*:*:*:* | 1 | OR | ||
cpe:2.3:a:redhat:libvirt:0.9.6:*:*:*:*:*:*:* | 1 | OR | ||
cpe:2.3:a:redhat:libvirt:0.9.6.1:*:*:*:*:*:*:* | 1 | OR | ||
cpe:2.3:a:redhat:libvirt:0.9.6.2:*:*:*:*:*:*:* | 1 | OR | ||
cpe:2.3:a:redhat:libvirt:0.9.6.3:*:*:*:*:*:*:* | 1 | OR | ||
cpe:2.3:a:redhat:libvirt:0.9.7:*:*:*:*:*:*:* | 1 | OR | ||
cpe:2.3:a:redhat:libvirt:0.9.8:*:*:*:*:*:*:* | 1 | OR | ||
cpe:2.3:a:redhat:libvirt:0.9.9:*:*:*:*:*:*:* | 1 | OR | ||
cpe:2.3:a:redhat:libvirt:0.9.10:*:*:*:*:*:*:* | 1 | OR | ||
cpe:2.3:a:redhat:libvirt:0.9.11:*:*:*:*:*:*:* | 1 | OR | ||
cpe:2.3:a:redhat:libvirt:0.9.11.1:*:*:*:*:*:*:* | 1 | OR | ||
cpe:2.3:a:redhat:libvirt:0.9.11.2:*:*:*:*:*:*:* | 1 | OR | ||
cpe:2.3:a:redhat:libvirt:0.9.11.3:*:*:*:*:*:*:* | 1 | OR | ||
cpe:2.3:a:redhat:libvirt:0.9.11.4:*:*:*:*:*:*:* | 1 | OR | ||
cpe:2.3:a:redhat:libvirt:0.9.11.5:*:*:*:*:*:*:* | 1 | OR | ||
cpe:2.3:a:redhat:libvirt:0.9.11.6:*:*:*:*:*:*:* | 1 | OR | ||
cpe:2.3:a:redhat:libvirt:0.9.11.7:*:*:*:*:*:*:* | 1 | OR | ||
cpe:2.3:a:redhat:libvirt:0.9.11.8:*:*:*:*:*:*:* | 1 | OR | ||
cpe:2.3:a:redhat:libvirt:0.9.12:*:*:*:*:*:*:* | 1 | OR | ||
cpe:2.3:a:redhat:libvirt:0.9.13:*:*:*:*:*:*:* | 1 | OR | ||
cpe:2.3:a:redhat:libvirt:0.10.0:*:*:*:*:*:*:* | 1 | OR | ||
cpe:2.3:a:redhat:libvirt:0.10.1:*:*:*:*:*:*:* | 1 | OR | ||
cpe:2.3:a:redhat:libvirt:0.10.2:*:*:*:*:*:*:* | 1 | OR | ||
cpe:2.3:a:redhat:libvirt:0.10.2.1:*:*:*:*:*:*:* | 1 | OR | ||
cpe:2.3:a:redhat:libvirt:0.10.2.2:*:*:*:*:*:*:* | 1 | OR | ||
cpe:2.3:a:redhat:libvirt:0.10.2.3:*:*:*:*:*:*:* | 1 | OR | ||
cpe:2.3:a:redhat:libvirt:0.10.2.4:*:*:*:*:*:*:* | 1 | OR | ||
cpe:2.3:a:redhat:libvirt:0.10.2.5:*:*:*:*:*:*:* | 1 | OR | ||
cpe:2.3:a:redhat:libvirt:0.10.2.6:*:*:*:*:*:*:* | 1 | OR | ||
cpe:2.3:a:redhat:libvirt:0.10.2.7:*:*:*:*:*:*:* | 1 | OR | ||
cpe:2.3:a:redhat:libvirt:0.10.2.8:*:*:*:*:*:*:* | 1 | OR | ||
cpe:2.3:a:redhat:libvirt:1.0.0:*:*:*:*:*:*:* | 1 | OR | ||
cpe:2.3:a:redhat:libvirt:1.0.1:*:*:*:*:*:*:* | 1 | OR | ||
cpe:2.3:a:redhat:libvirt:1.0.2:*:*:*:*:*:*:* | 1 | OR | ||
cpe:2.3:a:redhat:libvirt:1.0.3:*:*:*:*:*:*:* | 1 | OR | ||
cpe:2.3:a:redhat:libvirt:1.0.4:*:*:*:*:*:*:* | 1 | OR | ||
cpe:2.3:a:redhat:libvirt:1.0.5:*:*:*:*:*:*:* | 1 | OR | ||
cpe:2.3:a:redhat:libvirt:1.0.5.1:*:*:*:*:*:*:* | 1 | OR | ||
cpe:2.3:a:redhat:libvirt:1.0.5.2:*:*:*:*:*:*:* | 1 | OR | ||
cpe:2.3:a:redhat:libvirt:1.0.5.3:*:*:*:*:*:*:* | 1 | OR | ||
cpe:2.3:a:redhat:libvirt:1.0.5.4:*:*:*:*:*:*:* | 1 | OR | ||
cpe:2.3:a:redhat:libvirt:1.0.5.5:*:*:*:*:*:*:* | 1 | OR | ||
cpe:2.3:a:redhat:libvirt:1.0.5.6:*:*:*:*:*:*:* | 1 | OR | ||
cpe:2.3:a:redhat:libvirt:1.0.6:*:*:*:*:*:*:* | 1 | OR | ||
cpe:2.3:a:redhat:libvirt:1.1.0:*:*:*:*:*:*:* | 1 | OR | ||
cpe:2.3:a:redhat:libvirt:1.1.1:*:*:*:*:*:*:* | 1 | OR | ||
cpe:2.3:a:redhat:libvirt:1.1.2:*:*:*:*:*:*:* | 1 | OR | ||
cpe:2.3:a:redhat:libvirt:1.1.3:*:*:*:*:*:*:* | 1 | OR | ||
cpe:2.3:a:redhat:libvirt:1.1.4:*:*:*:*:*:*:* | 1 | OR | ||
cpe:2.3:a:redhat:libvirt:1.2.0:*:*:*:*:*:*:* | 1 | OR | ||
cpe:2.3:a:redhat:libvirt:1.2.1:*:*:*:*:*:*:* | 1 | OR | ||
cpe:2.3:a:redhat:libvirt:1.2.2:*:*:*:*:*:*:* | 1 | OR | ||
cpe:2.3:a:redhat:libvirt:1.2.3:*:*:*:*:*:*:* | 1 | OR | ||
cpe:2.3:a:redhat:libvirt:1.2.4:*:*:*:*:*:*:* | 1 | OR | ||
cpe:2.3:a:redhat:enterprise_virtualization:3.0:*:*:*:*:*:*:* | 1 | OR | ||
cpe:2.3:o:opensuse:opensuse:12.3:*:*:*:*:*:*:* | 1 | OR | ||
cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:* | 1 | OR | ||
cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:* | 1 | OR |
CVSS Version 2
- Version
- 2.0
- Vector String
- AV:L/AC:M/Au:N/C:N/I:N/A:P
- Access Vector
- LOCAL
- Access Compatibility
- MEDIUM
- Authentication
- NONE
- Confidentiality Impact
- NONE
- Integrity Impact
- NONE
- Availability Impact
- PARTIAL
- Base Score
- 1.9
- Severity
- LOW
- Exploitability Score
- 3.4
- Impact Score
- 2.9
References
Sources
Source Name | Source URL |
---|---|
NIST | https://nvd.nist.gov/vuln/detail/CVE-2014-0179 |
MITRE | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0179 |
History
Created | Old Value | New Value | Data Type | Notes |
---|---|---|---|---|
2022-05-10 17:43:08 | Added to TrackCVE | |||
2022-12-02 00:08:43 | 2014-08-03T18:55Z | 2014-08-03T18:55:05 | CVE Published Date | updated |
2022-12-02 00:08:43 | 2019-04-22T17:48:00 | CVE Modified Date | updated | |
2022-12-02 00:08:43 | Modified | Vulnerability Status | updated | |
2023-02-02 21:04:20 | 2023-02-02T20:16:45 | CVE Modified Date | updated | |
2023-02-02 21:04:21 | libvirt 0.7.5 through 1.2.x before 1.2.5 allows local users to cause a denial of service (read block and hang) via a crafted XML document containing an XML external entity declaration in conjunction with an entity reference to the (1) virConnectCompareCPU or (2) virConnectBaselineCPU API method, related to an XML External Entity (XXE) issue. NOTE: this issue was SPLIT per ADT3 due to different affected versions of some vectors. CVE-2014-5177 is used for other API methods. | It was found that libvirt passes the XML_PARSE_NOENT flag when parsing XML documents using the libxml2 library, in which case all XML entities in the parsed documents are expanded. A user able to force libvirtd to parse an XML document with an entity pointing to a file could use this flaw to read the contents of that file (limited to libvirt as shipped with Red Hat Enterprise Linux 7); parsing an XML document with an entity pointing to a special file that blocks on read access could cause libvirtd to hang indefinitely, resulting in a denial of service on the system. | Description | updated |
2023-02-02 21:04:28 | References | updated | ||
2023-02-13 01:05:02 | 2023-02-13T00:35:18 | CVE Modified Date | updated | |
2023-02-13 01:05:03 | It was found that libvirt passes the XML_PARSE_NOENT flag when parsing XML documents using the libxml2 library, in which case all XML entities in the parsed documents are expanded. A user able to force libvirtd to parse an XML document with an entity pointing to a file could use this flaw to read the contents of that file (limited to libvirt as shipped with Red Hat Enterprise Linux 7); parsing an XML document with an entity pointing to a special file that blocks on read access could cause libvirtd to hang indefinitely, resulting in a denial of service on the system. | libvirt 0.7.5 through 1.2.x before 1.2.5 allows local users to cause a denial of service (read block and hang) via a crafted XML document containing an XML external entity declaration in conjunction with an entity reference to the (1) virConnectCompareCPU or (2) virConnectBaselineCPU API method, related to an XML External Entity (XXE) issue. NOTE: this issue was SPLIT per ADT3 due to different affected versions of some vectors. CVE-2014-5177 is used for other API methods. | Description | updated |