CVE-2019-12929

Published: 6/24/2019 Last updated: 8/4/2024 Reserved: 6/20/2019

The QMP guest_exec command in QEMU 4.0.0 and earlier is prone to OS command injection, which allows the attacker to achieve code execution, denial of service, or information disclosure by sending a crafted QMP command to the listening server. Note: This has been disputed as a non-issue since QEMU's -qmp interface is meant to be used by trusted users. If one is able to access this interface via a tcp socket open to the internet, then it is an insecure configuration issue

CNA assigner: mitre (8254265b-2729-46b6-b9e3-3dfca2d5bfca) Requested by: n/a

Opam packages affected (2)

conf-qemu-img nbd-tool

Products affected (1)

Product	Vendor	Version
n/a	n/a	Snapdragon X72 5G Modem-RF System

References (2)

https://fakhrizulkifli.github.io/posts/2019/06/06/CVE-2019-12929/
https://fakhrizulkifli.github.io/posts/2019/06/06/CVE-2019-12929/