Information disclosure in Mageia

CVE-2015-0236

libvirt before 1.2.12 allow remote authenticated users to obtain the VNC password by using the VIR_DOMAIN_XML_SECURE flag with a crafted (1) snapshot to the virDomainSnapshotGetXMLDesc interface or (2) image to the virDomainSaveImageGetXML…

Vulnerability class: Information Disclosure

EPSS: 0.005 (66.1th percentile) — read the EPSS interpretation.

Affected products

Mageia — versions 4.0
Canonical Ubuntu_linux — versions 12.04, 14.04, 15.04
Opensuse — versions 13.1, 13.2
Redhat Enterprise_linux_desktop — versions 7.0
Redhat Enterprise_linux_hpc_node — versions 7.0
Redhat Enterprise_linux_server — versions 7.0
Redhat Enterprise_linux_workstation — versions 7.0
Redhat Libvirt — versions 1.2.0, 1.2.1, 1.2.2
N/a — versions n/a

Weakness classification (CWE)

CWE-200 — Information Disclosure

References

secalert@redhat.com (x_refsource_CONFIRM, Patch, Vendor Advisory)
MDVSA-2015:070 (vendor-advisory, x_refsource_MANDRIVA, Broken Link)
secalert@redhat.com (x_refsource_CONFIRM, Third Party Advisory)
openSUSE-SU-2015:0225 (vendor-advisory, Third Party Advisory, x_refsource_SUSE)
62766 (x_refsource_SECUNIA, third-party-advisory)
RHSA-2015:0323 (x_refsource_REDHAT, vendor-advisory, Third Party Advisory)
MDVSA-2015:035 (vendor-advisory, x_refsource_MANDRIVA, Broken Link)
USN-2867-1 (x_refsource_UBUNTU, vendor-advisory, Third Party Advisory)