{"api_version":"1","generated_at":"2026-04-23T04:20:44+00:00","cve":"CVE-2020-14339","urls":{"html":"https://cve.report/CVE-2020-14339","api":"https://cve.report/api/cve/CVE-2020-14339.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2020-14339","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2020-14339"},"summary":{"title":"CVE-2020-14339","description":"A flaw was found in libvirt, where it leaked a file descriptor for `/dev/mapper/control` into the QEMU process. This file descriptor allows for privileged operations to happen against the device-mapper on the host. This flaw allows a malicious guest user or process to perform operations outside of their standard permissions, potentially causing serious damage to the host operating system. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.","state":"PUBLIC","assigner":"secalert@redhat.com","published_at":"2020-12-03 17:15:00","updated_at":"2022-11-07 18:56:00"},"problem_types":["CWE-772"],"metrics":[],"references":[{"url":"https://security.gentoo.org/glsa/202210-06","name":"GLSA-202210-06","refsource":"GENTOO","tags":[],"title":"libvirt: Multiple Vulnerabilities (GLSA 202210-06) — Gentoo security","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://security.gentoo.org/glsa/202101-22","name":"GLSA-202101-22","refsource":"GENTOO","tags":["Third Party Advisory"],"title":"libvirt: Unintended access to /dev/mapper/control (GLSA 202101-22) — Gentoo security","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1860069","name":"https://bugzilla.redhat.com/show_bug.cgi?id=1860069","refsource":"MISC","tags":["Issue Tracking","Patch","Third Party Advisory"],"title":"1860069 – (CVE-2020-14339) CVE-2020-14339 libvirt: leak of /dev/mapper/control into QEMU guests","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2020-14339","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-14339","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2020","cve_id":"14339","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"redhat","cpe5":"enterprise_linux","cpe6":"8.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"advanced_virtualization","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"14339","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"redhat","cpe5":"enterprise_linux","cpe6":"8.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"advanced_virtualization","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"14339","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"redhat","cpe5":"libvirt","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"14339","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"redhat","cpe5":"libvirt","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2020-14339","qid":"159669","title":"Oracle Enterprise Linux Security Update for virt:ol and virt-devel:rhel (ELSA-2020-4676)"},{"cve":"CVE-2020-14339","qid":"377413","title":"Alibaba Cloud Linux Security Update for virt:rhel and virt-devel:rhel (ALINUX3-SA-2022:0119)"},{"cve":"CVE-2020-14339","qid":"500326","title":"Alpine Linux Security Update for libvirt"},{"cve":"CVE-2020-14339","qid":"710643","title":"Gentoo Linux libvirt Multiple Vulnerabilities (GLSA 202210-06)"},{"cve":"CVE-2020-14339","qid":"940165","title":"AlmaLinux Security Update for virt:rhel and virt-devel:rhel (ALSA-2020:4676)"},{"cve":"CVE-2020-14339","qid":"960273","title":"Rocky Linux Security Update for virt:rhel and virt-devel:rhel (RLSA-2020:4676)"}]},"source_records":{"cve_program":{"data_type":"CVE","data_format":"MITRE","data_version":"4.0","CVE_data_meta":{"ID":"CVE-2020-14339","ASSIGNER":"secalert@redhat.com","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"vendor_name":"n/a","product":{"product_data":[{"product_name":"libvirt","version":{"version_data":[{"version_value":"libvirt 6.6.0"}]}}]}}]}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-772"}]}]},"references":{"reference_data":[{"refsource":"MISC","name":"https://bugzilla.redhat.com/show_bug.cgi?id=1860069","url":"https://bugzilla.redhat.com/show_bug.cgi?id=1860069"},{"refsource":"GENTOO","name":"GLSA-202101-22","url":"https://security.gentoo.org/glsa/202101-22"},{"refsource":"GENTOO","name":"GLSA-202210-06","url":"https://security.gentoo.org/glsa/202210-06"}]},"description":{"description_data":[{"lang":"eng","value":"A flaw was found in libvirt, where it leaked a file descriptor for `/dev/mapper/control` into the QEMU process. This file descriptor allows for privileged operations to happen against the device-mapper on the host. This flaw allows a malicious guest user or process to perform operations outside of their standard permissions, potentially causing serious damage to the host operating system. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability."}]}},"nvd":{"publishedDate":"2020-12-03 17:15:00","lastModifiedDate":"2022-11-07 18:56:00","problem_types":["CWE-772"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":8.8,"baseSeverity":"HIGH"},"exploitabilityScore":2,"impactScore":6},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:L/AC:L/Au:N/C:C/I:C/A:C","accessVector":"LOCAL","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"COMPLETE","integrityImpact":"COMPLETE","availabilityImpact":"COMPLETE","baseScore":7.2},"severity":"HIGH","exploitabilityScore":3.9,"impactScore":10,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:advanced_virtualization:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:redhat:libvirt:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2.0","versionEndExcluding":"6.7.0","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2020","CveId":"14339","Ordinal":"175569","Title":"CVE-2020-14339","CVE":"CVE-2020-14339","Year":"2020"},"notes":[{"CveYear":"2020","CveId":"14339","Ordinal":"1","NoteData":"A flaw was found in libvirt, where it leaked a file descriptor for `/dev/mapper/control` into the QEMU process. This file descriptor allows for privileged operations to happen against the device-mapper on the host. This flaw allows a malicious guest user or process to perform operations outside of their standard permissions, potentially causing serious damage to the host operating system. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.","Type":"Description","Title":null},{"CveYear":"2020","CveId":"14339","Ordinal":"2","NoteData":"2020-12-03","Type":"Other","Title":"Published"},{"CveYear":"2020","CveId":"14339","Ordinal":"3","NoteData":"2021-01-25","Type":"Other","Title":"Modified"}]}}}