CVE-2013-2016 — Vulnetix

CVE-2013-2016 PUBLISHED CVSS 7.800000190734863 HIGH

A flaw was found in the way qemu v1.3.0 and later (virtio-rng) validates addresses when guest accesses the config space of a virtio device. If the virtio device has zero/small sized config space, such as virtio-rng, a privileged guest user could use this flaw to access the matching host's qemu address space and thus increase their privileges on the host.

EPSS 0.07% · 22.5th percentile

Risk Scores

CVSS 3.1

7.800000190734863

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score

0.07%

22.5th percentile

Affected Products

Vendor	Product	Versions
qemu	qemu (virtio-rng)	v1.3.0 and later
novell	open_desktop_server	11.0
debian	debian_linux	8.0, 10.0, 9.0
qemu	qemu	1.5.0, 1.3.0
novell	open_enterprise_server	11.0

Exploit Intelligence

CIRCL seen: CVE-2013-2016 (circl-sighting)
CIRCL seen: CVE-2013-2016 (circl-sighting)
https://security-tracker.debian.org/tracker/CVE-2013-2016 (circl)
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-2016 (circl)
https://access.redhat.com/security/cve/cve-2013-2016 (circl)
http://lists.opensuse.org/opensuse-security-announce/2014-05/msg00002.html (circl)
http://www.openwall.com/lists/oss-security/2013/04/29/5 (circl)
http://www.openwall.com/lists/oss-security/2013/04/29/6 (circl)
http://www.securityfocus.com/bid/59541 (circl)
https://exchange.xforce.ibmcloud.com/vulnerabilities/83850 (circl)

…and 1 more exploits

Timeline

Dec 30, 2019 CVE Published
Dec 31, 2019 PoC Published
Feb 4, 2022 EPSS Score
Mar 29, 2022 EPSS Score
May 20, 2022 EPSS Score
Jul 12, 2022 EPSS Score
Sep 3, 2022 EPSS Score
Oct 26, 2022 EPSS Score
Dec 18, 2022 EPSS Score
Feb 8, 2023 EPSS Score
Mar 7, 2023 EPSS Score
Apr 2, 2023 EPSS Score

References

Open in Interactive Console →