Bug 1848640 (CVE-2020-14301) - CVE-2020-14301 libvirt: leak of sensitive cookie information via dumpxml
Summary: CVE-2020-14301 libvirt: leak of sensitive cookie information via dumpxml
Alias: CVE-2020-14301
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1824368 1849672 1849694
Blocks: 1848037
Reported: 2020-06-18 16:30 UTC by Mauro Matteo Cascella
Modified: 2024-03-20 10:30 UTC

Fixed In Version: libvirt 6.3.0
Doc Text:
An information disclosure vulnerability was found in libvirt. HTTP cookies used to access network-based disks were saved in the XML dump of the guest domain. This flaw could allow a malicious user with a read-only connection to access potentially sensitive information in the domain configuration via the `dumpxml` command.
Clone Of:
Last Closed: 2020-11-04 02:26:07 UTC


System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:4676 0 None None None 2020-11-04 02:52:56 UTC

Description Mauro Matteo Cascella 2020-06-18 16:30:25 UTC
Starting with version 6.2.0, libvirt makes it possible to pass one or more cookies to access disk images via http/https network protocols:

<disk type="network" device="cdrom">
  <source protocol="https" name="/path/to/image.iso">
    <cookie name="cookie_name">"cookie_value"</cookie>

The 'cookie' element is included in the XML dump of the guest domain, resulting in a possible information disclosure. An attacker could abuse this flaw to leak the cookie's value via the virsh dumpxml command. Since cookies typically contain sensitive information, they should only be included in the XML dump when using the --security-info attribute.

Upstream fix:
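
An added example, not part of the original report and not the upstream patch: a defensive audit that parses a saved domain XML dump, reports which network disks carry a cookie value, and produces the cookie-free form the report says a dump without security information should have. The sample XML, the host name and the function names are constructed for illustration; the `<cookies>` wrapper element is an assumption based on libvirt's domain XML format and does not appear in the report's snippet.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a domain XML dump that still contains the cookie.
# The <cookies> wrapper is an assumption; the report's snippet omits it.
SAMPLE_DUMP = """\
<domain type="kvm">
  <name>guest1</name>
  <devices>
    <disk type="network" device="cdrom">
      <source protocol="https" name="/path/to/image.iso">
        <host name="images.example.test" port="443"/>
        <cookies>
          <cookie name="cookie_name">cookie_value</cookie>
        </cookies>
      </source>
      <target dev="sda" bus="sata"/>
    </disk>
    <disk type="file" device="disk">
      <source file="/var/lib/libvirt/images/guest1.qcow2"/>
      <target dev="vda" bus="virtio"/>
    </disk>
  </devices>
</domain>
"""

def exposed_cookies(domain_xml):
    """Return (target dev, source name, cookie name) for each cookie whose value is present."""
    root = ET.fromstring(domain_xml)
    hits = []
    for disk in root.iter("disk"):
        source = disk.find("source")
        if source is None or source.get("protocol") not in ("http", "https"):
            continue  # only http/https network disks can carry cookies
        target = disk.find("target")
        dev = target.get("dev") if target is not None else None
        for cookie in source.iter("cookie"):  # matches with or without the wrapper
            if (cookie.text or "").strip():
                hits.append((dev, source.get("name"), cookie.get("name")))
    return hits

def strip_cookies(domain_xml):
    """Return the XML with cookie data removed from every disk source."""
    root = ET.fromstring(domain_xml)
    for source in root.iter("source"):
        for child in list(source):
            if child.tag in ("cookies", "cookie"):
                source.remove(child)
    return ET.tostring(root, encoding="unicode")
```

`exposed_cookies` deliberately returns only the cookie name, never its value, so the audit output can be logged or attached to a ticket without repeating the disclosure.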

Comment 1 Mauro Matteo Cascella 2020-06-18 16:30:34 UTC

Name: Han Han (Red Hat)

Comment 2 Mauro Matteo Cascella 2020-06-19 10:34:23 UTC

Support for cookies for HTTP based disks was introduced in `libvirt` upstream version 6.2.0. Red Hat Enterprise Linux 5, 6, 7 and 8 are not affected by this issue, as they ship older versions of the `libvirt` package. Red Hat Enterprise Linux Advanced Virtualization 8 is the only affected product.

Comment 7 Product Security DevOps Team 2020-11-04 02:26:07 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):


Comment 8 errata-xmlrpc 2020-11-04 02:52:52 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4676 https://access.redhat.com/errata/RHSA-2020:4676
