| Vulnerability Name: | CVE-2019-12928 (CCN-162868) | ||||||||||||||||||||
| Assigned: | 2019-06-05 | ||||||||||||||||||||
| Published: | 2019-06-05 | ||||||||||||||||||||
| Updated: | 2020-08-24 | ||||||||||||||||||||
| Summary: | ** DISPUTED ** The QMP migrate command in QEMU version 4.0.0 and earlier is vulnerable to OS command injection, which allows the remote attacker to achieve code execution, denial of service, or information disclosure by sending a crafted QMP command to the listening server. Note: This has been disputed as a non-issue since QEMU's -qmp interface is meant to be used by trusted users. If one is able to access this interface via a tcp socket open to the internet, then it is an insecure configuration issue. | ||||||||||||||||||||
| CVSS v3 Severity: | 9.8 Critical (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) 8.6 High (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:R)
8.6 High (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:R)
| ||||||||||||||||||||
| CVSS v2 Severity: | 10.0 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C)
| ||||||||||||||||||||
| Vulnerability Type: | CWE-78 CWE-668 | ||||||||||||||||||||
| Vulnerability Consequences: | Gain Access | ||||||||||||||||||||
| References: | Source: MITRE Type: CNA CVE-2019-12928 Source: XF Type: UNKNOWN qemu-cve201912928-command-exec(162868) Source: CCN Type: Fakhri Zulkifli GIT Repository [CVE-2019-12928] QEMU Machine Protocol Migrate Command Execution Source: MISC Type: Exploit, Third Party Advisory https://fakhrizulkifli.github.io/posts/2019/06/05/CVE-2019-12928/ Source: CCN Type: QEMU Web site QEMU | ||||||||||||||||||||
| Vulnerable Configuration: | Configuration 1: Configuration CCN 1:  Denotes that component is vulnerable | ||||||||||||||||||||
| Oval Definitions | |||||||||||||||||||||
| |||||||||||||||||||||
| BACK | |||||||||||||||||||||