nvd-json-data-feeds/CVE-2024/CVE-2024-311xx/CVE-2024-31144.json

{
  "id": "CVE-2024-31144",
  "sourceIdentifier": "security@xen.org",
  "published": "2025-02-14T21:15:15.107",
  "lastModified": "2025-02-14T21:15:15.107",
  "vulnStatus": "Received",
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "For a brief summary of Xapi terminology, see:\n\n   https://xapi-project.github.io/xen-api/overview.html#object-model-overview \n\nXapi contains functionality to backup and restore metadata about Virtual\nMachines and Storage Repositories (SRs).\n\nThe metadata itself is stored in a Virtual Disk Image (VDI) inside an\nSR.  This is used for two purposes; a general backup of metadata\n(e.g. to recover from a host failure if the filer is still good), and\nPortable SRs (e.g. using an external hard drive to move VMs to another\nhost).\n\nMetadata is only restored as an explicit administrator action, but\noccurs in cases where the host has no information about the SR, and must\nlocate the metadata VDI in order to retrieve the metadata.\n\nThe metadata VDI is located by searching (in UUID alphanumeric order)\neach VDI, mounting it, and seeing if there is a suitable metadata file\npresent.  The first matching VDI is deemed to be the metadata VDI, and\nis restored from.\n\nIn the general case, the content of VDIs are controlled by the VM owner,\nand should not be trusted by the host administrator.\n\nA malicious guest can manipulate its disk to appear to be a metadata\nbackup.\n\nA guest cannot choose the UUIDs of its VDIs, but a guest with one disk\nhas a 50% chance of sorting ahead of the legitimate metadata backup.  A\nguest with two disks has a 75% chance, etc."
    }
  ],
  "metrics": {},
  "references": [
    {
      "url": "https://xenbits.xen.org/xsa/advisory-459.html",
      "source": "security@xen.org"
    },
    {
      "url": "http://www.openwall.com/lists/oss-security/2024/07/16/4",
      "source": "af854a3a-2127-422b-91ae-364da2661108"
    }
  ]
}
Auto-Update: 2025-02-14T23:00:20.967691+00:00 2025-02-14 23:03:55 +00:00			`{`
			`"id": "CVE-2024-31144",`
			`"sourceIdentifier": "security@xen.org",`
			`"published": "2025-02-14T21:15:15.107",`
			`"lastModified": "2025-02-14T21:15:15.107",`
			`"vulnStatus": "Received",`
			`"cveTags": [],`
			`"descriptions": [`
			`{`
			`"lang": "en",`
			"value": "For a brief summary of Xapi terminology, see:\n\n https://xapi-project.github.io/xen-api/overview.html#object-model-overview \n\nXapi contains functionality to backup and restore metadata about Virtual\nMachines and Storage Repositories (SRs).\n\nThe metadata itself is stored in a Virtual Disk Image (VDI) inside an\nSR. This is used for two purposes; a general backup of metadata\n(e.g. to recover from a host failure if the filer is still good), and\nPortable SRs (e.g. using an external hard drive to move VMs to another\nhost).\n\nMetadata is only restored as an explicit administrator action, but\noccurs in cases where the host has no information about the SR, and must\nlocate the metadata VDI in order to retrieve the metadata.\n\nThe metadata VDI is located by searching (in UUID alphanumeric order)\neach VDI, mounting it, and seeing if there is a suitable metadata file\npresent. The first matching VDI is deemed to be the metadata VDI, and\nis restored from.\n\nIn the general case, the content of VDIs are controlled by the VM owner,\nand should not be trusted by the host administrator.\n\nA malicious guest can manipulate its disk to appear to be a metadata\nbackup.\n\nA guest cannot choose the UUIDs of its VDIs, but a guest with one disk\nhas a 50% chance of sorting ahead of the legitimate metadata backup. A\nguest with two disks has a 75% chance, etc."
			`}`
			`],`
			`"metrics": {},`
			`"references": [`
			`{`
			`"url": "https://xenbits.xen.org/xsa/advisory-459.html",`
			`"source": "security@xen.org"`
			`},`
			`{`
			`"url": "http://www.openwall.com/lists/oss-security/2024/07/16/4",`
			`"source": "af854a3a-2127-422b-91ae-364da2661108"`
			`}`
			`]`
			`}`