Libvirt Security Notice Index > 2020 > LSN-2020-0002 [xml] [text]

Libvirt Security Notice: LSN-2020-0002

Leak of sensitive cookie information

Lifecycle

Reported on:	20200420
Published on:	20200414
Fixed on:	20200414

Credits

Reported by:	Han Han
Patched by:	Peter Krempa

See also

CVE-2020-14301

Description

The implementation of cookies for HTTP-based disks formatted them in the XML even if the VIR_DOMAIN_XML_SECURE was not present.

Impact

A read-only client can access potentionally sensitive information in the cookies.

Workaround

Denying access to the readonly libvirt socket will avoid the potential information leak.

Affected product: libvirt

Branch: master

Broken in:: v6.2.0
Fixed in:: v6.3.0
Broken by:: 3b076391befc3fe72deb0c244ac6c2b4c100b410
Fixed by:: a5b064bf4b17a9884d7d361733737fb614ad8979

Alternative formats: [xml] [text]

Home

Website (via DuckDuckGo) Wiki (via DuckDuckGo) Developers list Users list

Contact

email
irc

Community

Contribute

edit this page

Participants in the libvirt project agree to abide by the project code of conduct