Back to search
CVE-2016-9602
Published: Apr 26, 2018
Modified: Aug 6, 2024
PUBLISHED
CVSS v3.0
7.6
HIGH
Description
Qemu before version 2.9 is vulnerable to an improper link following when built with the VirtFS. A privileged user inside guest could use this flaw to access host file system beyond the shared folder and potentially escalating their privileges on a host.
| Vendor | Product | Versions |
|---|---|---|
unspecified | Qemu | affected qemu 2.9 |
Weaknesses (CWE)
CVSS v3.0 Details
CVSS v3.0 Vector
CVSS:3.0/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Adjacent
Attack Complexity
High
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High
References
[qemu-devel] 20170220 [PATCH 00/29] 9pfs: local: fix vulnerability to symlink attacks
mailing-list
x_refsource_MLIST
1037604
vdb-entry
x_refsource_SECTRACK
[debian-lts-announce] 20180906 [SECURITY] [DLA 1497-1] qemu security update
mailing-list
x_refsource_MLIST
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-9602
x_refsource_CONFIRM
[oss-security] 20170117 CVE-2016-9602 Qemu: 9p: virtfs allows guest to access host filesystem
mailing-list
x_refsource_MLIST
[qemu-devel] 20170130 [PATCH RFC 00/36] 9pfs: local: fix vulnerability to symlink attacks
mailing-list
x_refsource_MLIST
GLSA-201704-01
vendor-advisory
x_refsource_GENTOO
95461
vdb-entry
x_refsource_BID
Security Training
Train your team to recognize and prevent security threats with our comprehensive security awareness program.
Start TrainingVulnerability Scanning
Discover vulnerabilities in your applications and infrastructure before attackers do.
Scan Now