A bug was reported internally about a bug in libvirt allowing a user on a read-only to change the response timeout for all guest agent messages. Changing this timeout can potentially cause some commands to fail.
This flaw did not affect the versions of `libvirt` as shipped with Red Hat Enterprise Linux 5, 6, 7, 8 and RHEL Advanced Virtualization, as they did not include the vulnerable code, which was introduced in a later version of the package. Specifically, `libvirt` API to change QEMU agent response timeout was added in `libvirt` upstream version v5.10.0.
Name: Lili Zhu (Red Hat)