CVE-2019-12929

The QMP guest_exec command in QEMU 4.0.0 and earlier is prone to OS command injection, which allows the attacker to achieve code execution, denial of service, or information disclosure by sending a crafted QMP command to the listening server. Note: This has been disputed as a non-issue since QEMU's -qmp interface is meant to be used by trusted users. If one is able to access this interface via a tcp socket open to the internet, then it is an insecure configuration issue
References
Link Resource
https://fakhrizulkifli.github.io/posts/2019/06/06/CVE-2019-12929/ Exploit Third Party Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:qemu:qemu:*:*:*:*:*:*:*:*

History

07 Nov 2023, 03:03

Type Values Removed Values Added
Summary ** DISPUTED ** The QMP guest_exec command in QEMU 4.0.0 and earlier is prone to OS command injection, which allows the attacker to achieve code execution, denial of service, or information disclosure by sending a crafted QMP command to the listening server. Note: This has been disputed as a non-issue since QEMU's -qmp interface is meant to be used by trusted users. If one is able to access this interface via a tcp socket open to the internet, then it is an insecure configuration issue. The QMP guest_exec command in QEMU 4.0.0 and earlier is prone to OS command injection, which allows the attacker to achieve code execution, denial of service, or information disclosure by sending a crafted QMP command to the listening server. Note: This has been disputed as a non-issue since QEMU's -qmp interface is meant to be used by trusted users. If one is able to access this interface via a tcp socket open to the internet, then it is an insecure configuration issue

Information

Published : 2019-06-24 11:15

Updated : 2024-08-05 00:15


NVD link : CVE-2019-12929

Mitre link : CVE-2019-12929

CVE.ORG link : CVE-2019-12929


JSON object : View

Products Affected

qemu

  • qemu
CWE
CWE-668

Exposure of Resource to Wrong Sphere

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')