nvd-json-data-feeds/CVE-2024/CVE-2024-44xx/CVE-2024-4418.json

{
  "id": "CVE-2024-4418",
  "sourceIdentifier": "secalert@redhat.com",
  "published": "2024-05-08T03:15:07.203",
  "lastModified": "2024-09-13T22:15:02.123",
  "vulnStatus": "Awaiting Analysis",
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A race condition leading to a stack use-after-free flaw was found in libvirt. Due to a bad assumption in the virNetClientIOEventLoop() method, the `data` pointer to a stack-allocated virNetClientIOEventData structure ended up being used in the virNetClientIOEventFD callback while the data pointer's stack frame was concurrently being \"freed\" when returning from virNetClientIOEventLoop(). The 'virtproxyd' daemon can be used to trigger requests. If libvirt is configured with fine-grained access control, this issue, in theory, allows a user to escape their otherwise limited access. This flaw allows a local, unprivileged user to access virtproxyd without authenticating. Remote users would need to authenticate before they could access it."
    },
    {
      "lang": "es",
      "value": "Se encontr\u00f3 en libvirt una condici\u00f3n de ejecuci\u00f3n que conduc\u00eda a una falla de use-after-free de la pila. Debido a una mala suposici\u00f3n en el m\u00e9todo virNetClientIOEventLoop(), el puntero de `datos` a una estructura virNetClientIOEventData asignada a la pila termin\u00f3 us\u00e1ndose en la devoluci\u00f3n de llamada de virNetClientIOEventFD mientras el marco de pila del puntero de datos se \"liberaba\" simult\u00e1neamente al regresar de virNetClientIOEventLoop() . El daemon 'virtproxyd' se puede utilizar para activar solicitudes. Si libvirt est\u00e1 configurado con un control de acceso detallado, este problema, en teor\u00eda, permite al usuario escapar de su acceso, que de otro modo ser\u00eda limitado. Esta falla permite que un usuario local sin privilegios acceda a virtproxyd sin autenticarse. Los usuarios remotos tendr\u00edan que autenticarse antes de poder acceder a \u00e9l."
    }
  ],
  "metrics": {
    "cvssMetricV31": [
      {
        "source": "secalert@redhat.com",
        "type": "Secondary",
        "cvssData": {
          "version": "3.1",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "attackVector": "LOCAL",
          "attackComplexity": "LOW",
          "privilegesRequired": "NONE",
          "userInteraction": "NONE",
          "scope": "UNCHANGED",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "availabilityImpact": "HIGH",
          "baseScore": 6.2,
          "baseSeverity": "MEDIUM"
        },
        "exploitabilityScore": 2.5,
        "impactScore": 3.6
      }
    ]
  },
  "weaknesses": [
    {
      "source": "secalert@redhat.com",
      "type": "Primary",
      "description": [
        {
          "lang": "en",
          "value": "CWE-416"
        }
      ]
    }
  ],
  "references": [
    {
      "url": "https://access.redhat.com/errata/RHSA-2024:4351",
      "source": "secalert@redhat.com"
    },
    {
      "url": "https://access.redhat.com/errata/RHSA-2024:4432",
      "source": "secalert@redhat.com"
    },
    {
      "url": "https://access.redhat.com/errata/RHSA-2024:4757",
      "source": "secalert@redhat.com"
    },
    {
      "url": "https://access.redhat.com/security/cve/CVE-2024-4418",
      "source": "secalert@redhat.com"
    },
    {
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2278616",
      "source": "secalert@redhat.com"
    }
  ]
}