CVE-2018-10908

Source
https://nvd.nist.gov/vuln/detail/CVE-2018-10908
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2018-10908.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2018-10908
Published
2018-08-09T19:29:00Z
Modified
2025-02-14T10:22:47.201847Z
Severity
  • 6.3 (Medium) CVSS_V3 - CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H
Summary
[none]
Details

It was found that vdsm before version 4.20.37 invokes qemu-img on untrusted inputs without limiting resources. By uploading a specially crafted image, an attacker could cause the qemu-img process to consume unbounded amounts of memory or CPU time, causing a denial of service condition that could potentially impact other users of the host.

Affected packages

Git / github.com/ovirt/vdsm

Affected ranges

Type
GIT
Repo
https://github.com/ovirt/vdsm
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

v4.*

v4.10.0
v4.10.1
v4.10.2
v4.10.3
v4.11.0
v4.12.0
v4.12.0-rc1
v4.12.0-rc2
v4.12.0-rc3
v4.13.0
v4.14.0
v4.14.1
v4.15.0
v4.16.0
v4.17.0
v4.17.1
v4.17.2
v4.17.999
v4.18.0
v4.18.1
v4.18.999
v4.19.1
v4.20.0
v4.20.1
v4.20.10
v4.20.11
v4.20.12
v4.20.13
v4.20.14
v4.20.15
v4.20.16
v4.20.17
v4.20.18
v4.20.19
v4.20.2
v4.20.20
v4.20.21
v4.20.22
v4.20.23
v4.20.24
v4.20.25
v4.20.26
v4.20.27
v4.20.28
v4.20.29
v4.20.3
v4.20.33
v4.20.34
v4.20.35
v4.20.36
v4.20.4
v4.20.5
v4.20.6
v4.20.7
v4.20.8
v4.20.9
v4.9.0
v4.9.1
v4.9.2
v4.9.4
v4.9.6