{
  "threat_severity" : "Important",
  "public_date" : "2013-06-10T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: kvm: missing check in kvm_set_memory_region()",
    "id" : "950490",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=950490"
  },
  "cvss" : {
    "cvss_base_score" : "6.9",
    "cvss_scoring_vector" : "AV:L/AC:M/Au:N/C:C/I:C/A:C",
    "status" : "verified"
  },
  "cwe" : "CWE-119",
  "details" : [ "The KVM subsystem in the Linux kernel before 3.0 does not check whether kernel addresses are specified during allocation of memory slots for use in a guest's physical address space, which allows local users to gain privileges or obtain sensitive information from kernel memory via a crafted application, related to arch/x86/kvm/paging_tmpl.h and virt/kvm/kvm_main.c." ],
  "statement" : "This issue does not affect the versions of Linux kernel as shipped with Red Hat Enterprise MRG 2.\nFuture kvm updates for Red Hat Enterprise Linux 5 may address this flaw.\nThis issue was addresses in Red Hat Enterprise Linux 6 via RHSA-2013:0911 (https://rhn.redhat.com/errata/RHSA-2013-0911.html).\nPlease note that unlike Red Hat Enterprise Linux 6, where a local unprivileged user could use this flaw to escalate their privileges on the system, on Red Hat Enterprise Linux 5, Red Hat Enterprise Linux 6.2 EUS, and Red Hat Enterprise Linux 6.3 EUS the impact is limited to potential information leak only.",
  "acknowledgement" : "This issue was discovered by Michael S. Tsirkin (Red Hat).",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "release_date" : "2013-06-10T00:00:00Z",
    "advisory" : "RHSA-2013:0911",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6",
    "package" : "kernel-0:2.6.32-358.11.1.el6"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 5",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 5",
    "fix_state" : "Will not fix",
    "package_name" : "kvm",
    "cpe" : "cpe:/o:redhat:enterprise_linux:5",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat Enterprise Linux Extended Update Support 6.2",
    "fix_state" : "Will not fix",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:rhel_eus:6.2"
  }, {
    "product_name" : "Red Hat Enterprise Linux Extended Update Support 6.3",
    "fix_state" : "Will not fix",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:rhel_eus:6.3"
  }, {
    "product_name" : "Red Hat Enterprise MRG 2",
    "fix_state" : "Not affected",
    "package_name" : "realtime-kernel",
    "cpe" : "cpe:/a:redhat:enterprise_mrg:2"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2013-1943\nhttps://nvd.nist.gov/vuln/detail/CVE-2013-1943" ],
  "name" : "CVE-2013-1943",
  "csaw" : false
}