{ "CVE_data_meta" : { "ASSIGNER" : "cve@mitre.org", "ID" : "CVE-2015-5313", "STATE" : "PUBLIC" }, "affects" : { "vendor" : { "vendor_data" : [ { "product" : { "product_data" : [ { "product_name" : "n/a", "version" : { "version_data" : [ { "version_value" : "n/a" } ] } } ] }, "vendor_name" : "n/a" } ] } }, "data_format" : "MITRE", "data_type" : "CVE", "data_version" : "4.0", "description" : { "description_data" : [ { "lang" : "eng", "value" : "Directory traversal vulnerability in the virStorageBackendFileSystemVolCreate function in storage/storage_backend_fs.c in libvirt, when fine-grained Access Control Lists (ACL) are in effect, allows local users with storage_vol:create ACL but not domain:write permission to write to arbitrary files via a .. (dot dot) in a volume name." } ] }, "problemtype" : { "problemtype_data" : [ { "description" : [ { "lang" : "eng", "value" : "n/a" } ] } ] }, "references" : { "reference_data" : [ { "name" : "[libvirt] 20151211 [PATCH] CVE-2015-5313: storage: don't allow '/' in filesystem volume names", "refsource" : "MLIST", "url" : "https://www.redhat.com/archives/libvir-list/2015-December/msg00473.html" }, { "name" : "http://libvirt.org/git/?p=libvirt.git;a=commit;h=034e47c338b13a95cf02106a3af912c1c5f818d7", "refsource" : "CONFIRM", "url" : "http://libvirt.org/git/?p=libvirt.git;a=commit;h=034e47c338b13a95cf02106a3af912c1c5f818d7" }, { "name" : "http://security.libvirt.org/2015/0004.html", "refsource" : "CONFIRM", "url" : "http://security.libvirt.org/2015/0004.html" }, { "name" : "FEDORA-2015-30b347dff1", "refsource" : "FEDORA", "url" : "http://lists.fedoraproject.org/pipermail/package-announce/2015-December/174404.html" }, { "name" : "GLSA-201612-10", "refsource" : "GENTOO", "url" : "https://security.gentoo.org/glsa/201612-10" }, { "name" : "RHSA-2016:2577", "refsource" : "REDHAT", "url" : "http://rhn.redhat.com/errata/RHSA-2016-2577.html" }, { "name" : "90913", "refsource" : "BID", "url" : "http://www.securityfocus.com/bid/90913" } ] } }