CVE-2018-10908

Summary

It was found that vdsm before version 4.20.37 invokes qemu-img on untrusted inputs without limiting resources. By uploading a specially crafted image, an attacker could cause the qemu-img process to consume unbounded amounts of memory of CPU time, causing a denial of service condition that could potentially impact other users of the host.

Affected Software

VendorProductVersion RangeStatus
[UNKNOWN]vdsm4.20.37affected

Weaknesses

  • CWE-20: CWE-20
  • CWE-770: CWE-770

ADP Enrichment

CVE Program Container

Additional References

References