CVE-2018-10908

Source
https://cve.org/CVERecord?id=CVE-2018-10908
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2018-10908.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2018-10908
Downstream
Published
2018-08-09T19:29:00.207Z
Modified
2026-05-18T05:50:02.037753531Z
Severity
  • 6.3 (Medium) CVSS_V3 - CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H
Summary
[none]
Details

It was found that vdsm before version 4.20.37 invokes qemu-img on untrusted inputs without limiting resources. By uploading a specially crafted image, an attacker could cause the qemu-img process to consume unbounded amounts of memory or CPU time, causing a denial of service condition that could potentially impact other users of the host.

Database specific
{
    "unresolved_ranges": [
        {
            "cpes": [
                "cpe:2.3:a:redhat:virtualization:4.0:*:*:*:*:*:*:*"
            ],
            "extracted_events": [
                {
                    "last_affected": "4.0"
                }
            ],
            "source": "CPE_FIELD",
            "vendor_product": "redhat:virtualization"
        }
    ]
}
References

Affected packages

Git / github.com/ovirt/vdsm

Affected ranges

Type
GIT
Repo
https://github.com/ovirt/vdsm
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "4.20.37"
        }
    ],
    "source": "CPE_FIELD",
    "cpe": "cpe:2.3:a:ovirt:vdsm:*:*:*:*:*:*:*:*"
}

Affected versions

v4.*
v4.10.0
v4.10.1
v4.10.2
v4.10.3
v4.11.0
v4.12.0
v4.12.0-rc1
v4.12.0-rc2
v4.12.0-rc3
v4.13.0
v4.14.0
v4.14.1
v4.15.0
v4.16.0
v4.17.0
v4.17.1
v4.17.2
v4.17.999
v4.18.0
v4.18.1
v4.18.999
v4.19.1
v4.20.0
v4.20.1
v4.20.10
v4.20.11
v4.20.12
v4.20.13
v4.20.14
v4.20.15
v4.20.16
v4.20.17
v4.20.18
v4.20.19
v4.20.2
v4.20.20
v4.20.21
v4.20.22
v4.20.23
v4.20.24
v4.20.25
v4.20.26
v4.20.27
v4.20.28
v4.20.29
v4.20.3
v4.20.33
v4.20.34
v4.20.35
v4.20.36
v4.20.4
v4.20.5
v4.20.6
v4.20.7
v4.20.8
v4.20.9
v4.9.0
v4.9.1
v4.9.2
v4.9.4
v4.9.6

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2018-10908.json"