CVE-2015-0236 — LOW (3.5) — White Hats Nepal

Q: How severe is CVE-2015-0236?

CVE-2015-0236 has been rated LOW with a CVSS base score of 3.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2015-0236?

Check the references section above for vendor advisories and patch information. Affected products include: Mageia Mageia, Redhat Libvirt, Opensuse Opensuse, Canonical Ubuntu Linux, Redhat Enterprise Linux Desktop.

Vulnerability Description

libvirt before 1.2.12 allow remote authenticated users to obtain the VNC password by using the VIR_DOMAIN_XML_SECURE flag with a crafted (1) snapshot to the virDomainSnapshotGetXMLDesc interface or (2) image to the virDomainSaveImageGetXMLDesc interface.

CVSS Score

3.5

LOW

AV:N/AC:M/Au:S/C:P/I:N/A:N

Confidentiality

PARTIAL

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Mageia	Mageia	4.0
Redhat	Libvirt	<= 1.2.11
Opensuse	Opensuse	13.1
Canonical	Ubuntu Linux	12.04
Redhat	Enterprise Linux Desktop	7.0
Redhat	Enterprise Linux Hpc Node	7.0
Redhat	Enterprise Linux Server	7.0
Redhat	Enterprise Linux Workstation	7.0

Related Weaknesses (CWE)

CWE-200

References

http://advisories.mageia.org/MGASA-2015-0046.htmlThird Party Advisory
http://lists.opensuse.org/opensuse-updates/2015-02/msg00028.htmlThird Party Advisory
http://rhn.redhat.com/errata/RHSA-2015-0323.htmlThird Party Advisory
http://secunia.com/advisories/62766
http://security.libvirt.org/2015/0001.htmlPatchVendor Advisory
http://www.mandriva.com/security/advisories?name=MDVSA-2015:035Broken Link
http://www.mandriva.com/security/advisories?name=MDVSA-2015:070Broken Link
http://www.ubuntu.com/usn/USN-2867-1Third Party Advisory
http://advisories.mageia.org/MGASA-2015-0046.htmlThird Party Advisory
http://lists.opensuse.org/opensuse-updates/2015-02/msg00028.htmlThird Party Advisory
http://rhn.redhat.com/errata/RHSA-2015-0323.htmlThird Party Advisory
http://secunia.com/advisories/62766
http://security.libvirt.org/2015/0001.htmlPatchVendor Advisory
http://www.mandriva.com/security/advisories?name=MDVSA-2015:035Broken Link
http://www.mandriva.com/security/advisories?name=MDVSA-2015:070Broken Link

FAQ

What is CVE-2015-0236?

CVE-2015-0236 is a vulnerability with a CVSS score of 3.5 (LOW). libvirt before 1.2.12 allow remote authenticated users to obtain the VNC password by using the VIR_DOMAIN_XML_SECURE flag with a crafted (1) snapshot to the virDomainSnapshotGetXMLDesc interface or (2...

How severe is CVE-2015-0236?

CVE-2015-0236 has been rated LOW with a CVSS base score of 3.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2015-0236?

Check the references section above for vendor advisories and patch information. Affected products include: Mageia Mageia, Redhat Libvirt, Opensuse Opensuse, Canonical Ubuntu Linux, Redhat Enterprise Linux Desktop.