CVE-2017-1000256
- Source
- https://cve.org/CVERecord?id=CVE-2017-1000256
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2017-1000256.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2017-1000256
- Downstream
- Related
- Published
- 2017-10-31T15:29:00.240Z
- Modified
- 2026-01-31T17:58:02.576479Z
- Severity
-
- 8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- [none]
- Details
-
libvirt version 2.3.0 and later is vulnerable to a bad default configuration of "verify-peer=no" passed to QEMU by libvirt resulting in a failure to validate SSL/TLS certificates by default.
- References
-
- https://www.mail-archive.com/debian-bugs-dist%40lists.debian.org/msg1556251.html
- http://www.debian.org/security/2017/dsa-4003
- https://access.redhat.com/security/cve/CVE-2017-1000256
- https://www.redhat.com/archives/libvirt-announce/2017-October/msg00001.html
- https://access.redhat.com/security/cve/CVE-2017-1000256
- https://www.redhat.com/archives/libvirt-announce/2017-October/msg00001.html
Affected packages
Git / github.com/libvirt/libvirt
Affected versions
Other
CVE-2017-1000256
CVE-2017-2635
v2.*
v2.3.0
v2.4.0
v2.4.0-rc1
v2.4.0-rc2
v2.5.0
v2.5.0-rc1
v2.5.0-rc2
v3.*
v3.0.0
v3.0.0-rc1
v3.0.0-rc2
v3.1.0
v3.1.0-rc1
v3.1.0-rc2
v3.2.0
v3.2.0-rc1
v3.2.0-rc2
v3.3.0
v3.3.0-rc1
v3.3.0-rc2
v3.4.0
v3.4.0-rc1
v3.4.0-rc2
v3.5.0
v3.5.0-rc1
v3.5.0-rc2
v3.6.0
v3.6.0-rc1
v3.6.0-rc2
v3.7.0
v3.7.0-rc1
v3.7.0-rc2
v3.8.0
v3.8.0-rc1
v3.9.0-rc1
v3.9.0-rc2