CVE-2019-12928

NameCVE-2019-12928
Description** DISPUTED ** The QMP migrate command in QEMU version 4.0.0 and earlier is vulnerable to OS command injection, which allows the remote attacker to achieve code execution, denial of service, or information disclosure by sending a crafted QMP command to the listening server. Note: This has been disputed as a non-issue since QEMU's -qmp interface is meant to be used by trusted users. If one is able to access this interface via a tcp socket open to the internet, then it is an insecure configuration issue.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severityhigh (attack range: remote)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
qemu (PTS)jessie1:2.1+dfsg-12+deb8u6vulnerable
jessie (security)1:2.1+dfsg-12+deb8u12vulnerable
stretch (security), stretch1:2.8+dfsg-6+deb9u8vulnerable
buster1:3.1+dfsg-8~deb10u1vulnerable
buster (security)1:3.1+dfsg-8+deb10u2vulnerable
bullseye, sid1:4.1-1vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
qemusource(unstable)(unfixed)unimportant
qemu-kvmsource(unstable)(unfixed)unimportant

Notes

https://fakhrizulkifli.github.io/posts/2019/06/05/CVE-2019-12928/
The QEMU machine protocol (QMP) should not be exposed to unprivileged users,
and is only intended for administrative control of QEMU instances.

Search for package or bug name: Reporting problems