Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact
5.3
CVSSv3

CVE-2018-16872

Published: 13/12/2018 Updated: 16/05/2023
CVSS v2 Base Score: 3.5 | Impact Score: 2.9 | Exploitability Score: 6.8
CVSS v3 Base Score: 5.3 | Impact Score: 3.6 | Exploitability Score: 1.6
VMScore: 312
Vector: AV:N/AC:M/Au:S/C:P/I:N/A:N
Subscribe to Qemu

Vulnerability Summary

A flaw was found in qemu Media Transfer Protocol (MTP). The code opening files in usb_mtp_get_object and usb_mtp_get_partial_object and directories in usb_mtp_object_readdir doesn't consider that the underlying filesystem may have changed since the time lstat(2) was called in usb_mtp_object_alloc, a classical TOCTTOU problem. An attacker with write access to the host filesystem shared with a guest can use this property to navigate the host filesystem in the context of the QEMU process and read any file the QEMU process has access to. Access to the filesystem may be local or via a network share protocol such as CIFS.

Vulnerability Trend

Vulnerable Product Search on Vulmon Subscribe to Product

qemu qemu

debian debian linux 8.0

debian debian linux 9.0

fedoraproject fedora 29

fedoraproject fedora 30

canonical ubuntu linux 16.04

canonical ubuntu linux 14.04

canonical ubuntu linux 18.04

canonical ubuntu linux 18.10

opensuse leap 42.3

Vendor Advisories

Ubuntu Security Notice: qemu vulnerabilities
Several security issues were fixed in QEMU ...
Debian Security Advisories: DSA-4454-1 qemu -- security update
Multiple security issues were discovered in QEMU, a fast processor emulator, which could result in denial of service, the execution of arbitrary code or information disclosure In addition this update backports support to passthrough the new md-clear CPU flag added in the intel-microcode update shipped in DSA 4447 to x86-based guests For the stabl ...
Debian CVElist Bug Report Logs: qemu: CVE-2018-16847: Out-of-bounds r/w buffer access in cmb operations
Debian Bug report logs - #912655 qemu: CVE-2018-16847: Out-of-bounds r/w buffer access in cmb operations Package: src:qemu; Maintainer for src:qemu is Debian QEMU Team <pkg-qemu-devel@listsaliothdebianorg>; Reported by: Salvatore Bonaccorso <carnil@debianorg> Date: Fri, 2 Nov 2018 12:45:02 UTC Severity: importan ...
Debian CVElist Bug Report Logs: qemu: CVE-2018-16872: usb-mtp: path traversal by host filesystem manipulation in Media Transfer Protocol (MTP)
Debian Bug report logs - #916397 qemu: CVE-2018-16872: usb-mtp: path traversal by host filesystem manipulation in Media Transfer Protocol (MTP) Package: src:qemu; Maintainer for src:qemu is Debian QEMU Team <pkg-qemu-devel@listsaliothdebianorg>; Reported by: Salvatore Bonaccorso <carnil@debianorg> Date: Thu, 13 D ...
Debian CVElist Bug Report Logs: qemu: CVE-2018-19665
Debian Bug report logs - #916278 qemu: CVE-2018-19665 Package: src:qemu; Maintainer for src:qemu is Debian QEMU Team <pkg-qemu-devel@listsaliothdebianorg>; Reported by: Salvatore Bonaccorso <carnil@debianorg> Date: Wed, 12 Dec 2018 14:12:02 UTC Severity: important Tags: security, upstream Found in version qemu/1 ...
Debian CVElist Bug Report Logs: qemu: CVE-2019-12155: qxl: null pointer dereference while releasing speice resources
Debian Bug report logs - #929353 qemu: CVE-2019-12155: qxl: null pointer dereference while releasing speice resources Package: src:qemu; Maintainer for src:qemu is Debian QEMU Team <pkg-qemu-devel@listsaliothdebianorg>; Reported by: Salvatore Bonaccorso <carnil@debianorg> Date: Wed, 22 May 2019 08:03:02 UTC Sever ...
Debian CVElist Bug Report Logs: qemu: CVE-2018-11806: slirp: heap buffer overflow while reassembling fragmented datagrams
Debian Bug report logs - #901017 qemu: CVE-2018-11806: slirp: heap buffer overflow while reassembling fragmented datagrams Package: src:qemu; Maintainer for src:qemu is Debian QEMU Team <pkg-qemu-devel@listsaliothdebianorg>; Reported by: Salvatore Bonaccorso <carnil@debianorg> Date: Fri, 8 Jun 2018 03:42:01 UTC ...
Red Hat: CVE-2018-16872
A flaw was found in QEMU's Media Transfer Protocol (MTP) The code opening files in usb_mtp_get_object and usb_mtp_get_partial_object and directories in usb_mtp_object_readdir doesn't consider that the underlying filesystem may have changed since the time lstat(2) was called in usb_mtp_object_alloc, a classical TOCTTOU problem An attacker with wri ...

References

CWE-367https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16872http://www.securityfocus.com/bid/106212https://lists.debian.org/debian-lts-announce/2019/02/msg00041.htmlhttps://usn.ubuntu.com/3923-1/http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00042.htmlhttps://www.debian.org/security/2019/dsa-4454https://seclists.org/bugtraq/2019/May/76https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KJMTVGDLA654HNCDGLCUEIP36SNJEKK7/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CGCFIFSIWUREEQQOZDZFBYKWZHXCWBZN/https://nvd.nist.govhttps://usn.ubuntu.com/3923-1/https://access.redhat.com/security/cve/cve-2018-16872
CVSSv3
CVSSv2
CVSSv3
VMScore
Recommendations:
CVE-2024-3400CVE-2023-7252CVE-2024-21111denial of serviceCVE-2024-29661CVE-2024-22856remote attackersencryptionCVE-2023-38299
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook