Home > Vulnerability Database > CVE-2020-29479

Mend.io Vulnerability Database

CVE-2020-29479

Date: December 15, 2020

An issue was discovered in Xen through 4.14.x. In the Ocaml xenstored implementation, the internal representation of the tree has special cases for the root node, because this node has no parent. Unfortunately, permissions were not checked for certain operations on the root node. Unprivileged guests can get and modify permissions, list, and delete the root node. (Deleting the whole xenstore tree is a host-wide denial of service.) Achieving xenstore write access is also possible. All systems using oxenstored are vulnerable. Building and using oxenstored is the default in the upstream Xen distribution, if the Ocaml compiler is available. Systems using C xenstored are not vulnerable.

Language: C

Severity Score

8.8

Related Resources (12)

Url: https://security.gentoo.org/glsa/202107-30

Url: https://security.alpinelinux.org/vuln/CVE-2020-29479

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OBLV6L6Q24PPQ2CRFXDX4Q76KU776GKI/

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2C6M6S3CIMEBACH6O7V4H2VDANMO6TVA/

Url: https://www.debian.org/security/2020/dsa-4812

Url: https://people.canonical.com/~ubuntu-security/cve/CVE-2020-29479

Url: https://xenbits.xenproject.org/xsa/advisory-353.html

Url: https://nvd.nist.gov/vuln/detail/CVE-2020-29479

Url: https://security-tracker.debian.org/tracker/CVE-2020-29479

Url: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OBLV6L6Q24PPQ2CRFXDX4Q76KU776GKI/

Url: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2C6M6S3CIMEBACH6O7V4H2VDANMO6TVA/

Url: https://www.mend.io/vulnerability-database/CVE-2020-29479

Severity Score

8.8

Weakness Type (CWE)

Missing Authorization

CWE-862

Incorrect Permission Assignment for Critical Resource

CWE-732

CVSS v3.1

Base Score:	8.8
Attack Vector (AV):	LOCAL
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	CHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

CVSS v2

Base Score:	7.2
Access Vector (AV):	LOCAL
Access Complexity (AC):	LOW
Authentication (AU):	NONE
Confidentiality (C):	COMPLETE
Integrity (I):	COMPLETE
Availability (A):	COMPLETE
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2020-29479

Date: December 15, 2020

Language: C

Severity Score

Related Resources (12)

Severity Score

Weakness Type (CWE)

CVSS v3.1

CVSS v2

Do you need more information?