Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact
2.1
CVSSv2

CVE-2021-20263

Published: 09/03/2021 Updated: 30/09/2022
CVSS v2 Base Score: 2.1 | Impact Score: 2.9 | Exploitability Score: 3.9
CVSS v3 Base Score: 3.3 | Impact Score: 1.4 | Exploitability Score: 1.8
VMScore: 187
Vector: AV:L/AC:L/Au:N/C:N/I:P/A:N
Subscribe to Qemu

Vulnerability Summary

A flaw was found in the virtio-fs shared file system daemon (virtiofsd) of QEMU. The new 'xattrmap' option may cause the 'security.capability' xattr in the guest to not drop on file write, potentially leading to a modified, privileged executable in the guest. In rare circumstances, this flaw could be used by a malicious user to elevate their privileges within the guest.

Vulnerability Trend

Vulnerable Product Search on Vulmon Subscribe to Product

qemu qemu

Vendor Advisories

Debian CVElist Bug Report Logs: qemu: CVE-2021-20263
Debian Bug report logs - #985083 qemu: CVE-2021-20263 Package: src:qemu; Maintainer for src:qemu is Debian QEMU Team <pkg-qemu-devel@listsaliothdebianorg>; Reported by: Salvatore Bonaccorso <carnil@debianorg> Date: Fri, 12 Mar 2021 18:36:01 UTC Severity: important Tags: security, upstream Found in version qemu/1 ...
Red Hat: CVE-2021-20263
A flaw was found in QEMU The new '-o xattrmap' option in virtiofsd sometimes causes the 'securitycapability' xattr in the guest to not drop on write, potentially leading to a modified, privileged executable The highest threat from this vulnerability is to integrity ...
Arch Linux Issues:
A security issue was found in QEMU The new '-o xattrmap' option in virtiofsd-520 causes some cases in which the 'securitycapability' xattr in the guest isn't dropped on write, potentially leading to a modified privileged executable For the problem to happen virtiofsd needs to be running with '-o xattr' and '-o xattrmap' (to enable and rename x ...

Mailing Lists

Full Disclosure: CVE-2021-20263 QEMU: virtiofsd: 'security.capabilities' is not dropped with xattrmap option
<!--X-Body-Begin--> <!--X-User-Header--> oss-sec mailing list archives <!--X-User-Header-End--> <!--X-TopPNI--> By Date By Thread </form> <!--X-TopPNI-End--> <!--X-MsgBody--> <!--X-Subject-Header-Begin--> CVE-2021-20263 QEMU: virtiofsd: 'securitycapabilities' is not dropped with xattrmap option <!--X-Subject-Header-End--> <!--X- ...

References

CWE-281https://www.openwall.com/lists/oss-security/2021/03/08/1https://bugzilla.redhat.com/show_bug.cgi?id=1933668https://security.netapp.com/advisory/ntap-20210507-0002/https://security.gentoo.org/glsa/202208-27https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985083https://nvd.nist.govhttps://access.redhat.com/security/cve/cve-2021-20263
CVSSv2
CVSSv2
CVSSv3
VMScore
Recommendations:
CVE-2021-35000CVE-2024-4439unauthorizedCVE-2024-0042CVE-2024-31848CVE-2023-40694cache poisoningCVE-2024-23707firmware
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook