Vulnerabilities > CVE-2021-20263 - Improper Preservation of Permissions vulnerability in Qemu

CVSS 3.3 - LOW

Attack vector

LOCAL

Attack complexity

LOW

Privileges required

LOW

Confidentiality impact

NONE

Integrity impact

LOW

Availability impact

NONE

local

low complexity

qemu

CWE-281

NVD

Published: 2021-03-09

Updated: 2022-09-30

Summary

A flaw was found in the virtio-fs shared file system daemon (virtiofsd) of QEMU. The new 'xattrmap' option may cause the 'security.capability' xattr in the guest to not drop on file write, potentially leading to a modified, privileged executable in the guest. In rare circumstances, this flaw could be used by a malicious user to elevate their privileges within the guest.

Vulnerable Configurations

Part	Description	Count
Application	Qemu Qemu Qemu 5.0.0 Qemu Qemu 5.0.1 Qemu Qemu 5.1.0 Qemu Qemu 5.1.1 Qemu Qemu 5.2.0 Qemu Qemu 5.2.50	20

Common Weakness Enumeration (CWE)

CWE-281 - Improper Preservation of Permissions

References

https://www.openwall.com/lists/oss-security/2021/03/08/1
https://bugzilla.redhat.com/show_bug.cgi?id=1933668
https://security.netapp.com/advisory/ntap-20210507-0002/
https://security.gentoo.org/glsa/202208-27