{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2015-08-10T00:00:00", "descriptions": [{"lang": "en", "value": "libvirt before 2.2 includes Ceph credentials on the qemu command line when using RADOS Block Device (aka RBD), which allows local users to obtain sensitive information via a process listing."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-08-20T20:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://wiki.openstack.org/wiki/OSSN/OSSN-0079"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1245647"}, {"name": "RHSA-2016:2577", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2016-2577.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bugs.launchpad.net/ossn/+bug/1686743"}, {"name": "[oss-security] 20170721 [OSSN-0078] Ceph credentials included in logs using older versions of libvirt/qemu", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2017/07/21/3"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T06:41:07.967Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://wiki.openstack.org/wiki/OSSN/OSSN-0079"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1245647"}, {"name": "RHSA-2016:2577", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "http://rhn.redhat.com/errata/RHSA-2016-2577.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugs.launchpad.net/ossn/+bug/1686743"}, {"name": "[oss-security] 20170721 [OSSN-0078] Ceph credentials included in logs using older versions of libvirt/qemu", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2017/07/21/3"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2015-5160", "datePublished": "2018-08-20T21:00:00", "dateReserved": "2015-07-01T00:00:00", "dateUpdated": "2024-08-06T06:41:07.967Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:libvirt:libvirt:*:*:*:*:*:*:*:*", "matchCriteriaId": "56982B28-2D29-4662-9EF1-1559E4A220AF", "versionEndExcluding": "2.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:virtualization:3.0:*:*:*:*:*:*:*", "matchCriteriaId": "D86166F9-BBF0-4650-8CCD-0F9C97104D21", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux:5:*:*:*:*:*:*:*", "matchCriteriaId": "AA9B3CC0-DF1C-4A86-B2A3-A9D428A5A6E6", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*", "matchCriteriaId": "2F6AB192-9D7D-4A9A-8995-E53A9DE9EAFC", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "33C068A4-3780-4EAB-A937-6082DF847564", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_eus:7.3:*:*:*:*:*:*:*", "matchCriteriaId": "807C024A-F8E8-4B48-A349-4C68CD252CA1", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_eus:7.4:*:*:*:*:*:*:*", "matchCriteriaId": "F96E3779-F56A-45FF-BB3D-4980527D721E", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_eus:7.5:*:*:*:*:*:*:*", "matchCriteriaId": "0CF73560-2F5B-4723-A8A1-9AADBB3ADA00", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_eus:7.6:*:*:*:*:*:*:*", "matchCriteriaId": "5BF3C7A5-9117-42C7-BEA1-4AA378A582EF", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "51EF4996-72F4-4FA4-814F-F5991E7A8318", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_server_aus:7.3:*:*:*:*:*:*:*", "matchCriteriaId": "98381E61-F082-4302-B51F-5648884F998B", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_server_aus:7.4:*:*:*:*:*:*:*", "matchCriteriaId": "D99A687E-EAE6-417E-A88E-D0082BC194CD", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_server_aus:7.6:*:*:*:*:*:*:*", "matchCriteriaId": "B353CE99-D57C-465B-AAB0-73EF581127D1", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_server_eus:7.3:*:*:*:*:*:*:*", "matchCriteriaId": "A8442C20-41F9-47FD-9A12-E724D3A31FD7", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_server_eus:7.4:*:*:*:*:*:*:*", "matchCriteriaId": "9EC0D196-F7B8-4BDD-9050-779F7A7FBEE4", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_server_eus:7.5:*:*:*:*:*:*:*", "matchCriteriaId": "A4E9DD8A-A68B-4A69-8B01-BFF92A2020A8", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_server_eus:7.6:*:*:*:*:*:*:*", "matchCriteriaId": "BF77CDCF-B9C9-427D-B2BF-36650FB2148C", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_server_tus:7.3:*:*:*:*:*:*:*", "matchCriteriaId": "24C0F4E1-C52C-41E0-9F14-F83ADD5CC7ED", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_server_tus:7.6:*:*:*:*:*:*:*", "matchCriteriaId": "B76AA310-FEC7-497F-AF04-C3EC1E76C4CC", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "825ECE2D-E232-46E0-A047-074B34DB1E97", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "libvirt before 2.2 includes Ceph credentials on the qemu command line when using RADOS Block Device (aka RBD), which allows local users to obtain sensitive information via a process listing."}, {"lang": "es", "value": "libvirt en versiones anteriores a la 2.2 incluye las credenciales de Ceph en la l\u00ednea de comandos qemu cuando se utiliza RADOS Block Device (tambi\u00e9n conocido como RBD), lo que permite a los usuarios locales obtener informaci\u00f3n sensible mediante un listado de procesos."}], "id": "CVE-2015-5160", "lastModified": "2020-10-15T13:28:10.487", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 2.1, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-08-20T21:29:00.277", "references": [{"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "http://rhn.redhat.com/errata/RHSA-2016-2577.html"}, {"source": "secalert@redhat.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2017/07/21/3"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://bugs.launchpad.net/ossn/+bug/1686743"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1245647"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://wiki.openstack.org/wiki/OSSN/OSSN-0079"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2016:2577", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "libvirt-0:2.0.0-10.el7", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2016-11-03T00:00:00Z"}, {"advisory": "RHSA-2016:2577", "cpe": "cpe:/a:redhat:storage:3.1:server:el7", "package": "libvirt-0:2.0.0-10.el7", "product_name": "Red Hat Gluster Storage 3.1 for RHEL 7", "release_date": "2016-11-03T00:00:00Z"}, {"advisory": "RHSA-2016:2577", "cpe": "cpe:/o:redhat:enterprise_linux:7::hypervisor", "package": "libvirt-0:2.0.0-10.el7", "product_name": "Red Hat Virtualization 4 for Red Hat Enterprise Linux 7", "release_date": "2016-11-03T00:00:00Z"}], "bugzilla": {"description": "libvirt: Ceph id/key leaked in the process list", "id": "1245647", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1245647"}, "csaw": false, "cvss": {"cvss_base_score": "2.1", "cvss_scoring_vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "status": "verified"}, "cvss3": {"cvss3_base_score": "3.3", "cvss3_scoring_vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "status": "verified"}, "details": ["libvirt before 2.2 includes Ceph credentials on the qemu command line when using RADOS Block Device (aka RBD), which allows local users to obtain sensitive information via a process listing.", "It was found that the libvirt daemon, when using RBD (RADOS Block Device), leaked private credentials to the process list. A local attacker could use this flaw to perform certain privileged operations within the cluster."], "name": "CVE-2015-5160", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:5", "fix_state": "Will not fix", "package_name": "libvirt", "product_name": "Red Hat Enterprise Linux 5"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Will not fix", "package_name": "libvirt", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/a:redhat:storage:2.1", "fix_state": "Not affected", "package_name": "libvirt", "product_name": "Red Hat Storage 2.1"}], "public_date": "2015-08-10T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2015-5160\nhttps://nvd.nist.gov/vuln/detail/CVE-2015-5160"], "statement": "Red Hat Product Security has rated this issue as having Moderate security\nimpact. This issue is not currently planned to be addressed in future\nupdates of Enterprise Linux 6. For additional information, refer to\nthe Issue Severity Classification:\nhttps://access.redhat.com/security/updates/classification/.", "threat_severity": "Moderate"}