{
  "threat_severity" : "Moderate",
  "public_date" : "2015-01-18T00:00:00Z",
  "bugzilla" : {
    "description" : "libvirt: Setting empty VNC password allows access to unauthorized users",
    "id" : "1351514",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1351514"
  },
  "cvss" : {
    "cvss_base_score" : "5.1",
    "cvss_scoring_vector" : "AV:N/AC:H/Au:N/C:P/I:P/A:P",
    "status" : "verified"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.6",
    "cvss3_scoring_vector" : "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
    "status" : "verified"
  },
  "details" : [ "libvirt before 2.0.0 improperly disables password checking when the password on a VNC server is set to an empty string, which allows remote attackers to bypass authentication and establish a VNC session by connecting to the server.", "It was found that setting a VNC password to an empty string in libvirt did not disable all access to the VNC server as documented; instead, it allowed access with no authentication required. An attacker could use this flaw to access, without any authentication, a VNC server whose VNC password is set to an empty string." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 7",
    "release_date" : "2016-11-03T00:00:00Z",
    "advisory" : "RHSA-2016:2577",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7",
    "package" : "libvirt-0:2.0.0-10.el7"
  }, {
    "product_name" : "Red Hat Gluster Storage 3.1 for RHEL 7",
    "release_date" : "2016-11-03T00:00:00Z",
    "advisory" : "RHSA-2016:2577",
    "cpe" : "cpe:/a:redhat:storage:3.1:server:el7",
    "package" : "libvirt-0:2.0.0-10.el7"
  }, {
    "product_name" : "Red Hat Virtualization 4 for Red Hat Enterprise Linux 7",
    "release_date" : "2016-11-03T00:00:00Z",
    "advisory" : "RHSA-2016:2577",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7::hypervisor",
    "package" : "libvirt-0:2.0.0-10.el7"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 5",
    "fix_state" : "Not affected",
    "package_name" : "libvirt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Will not fix",
    "package_name" : "libvirt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Virtualization 3",
    "fix_state" : "Under investigation",
    "package_name" : "mingw-virt-viewer",
    "cpe" : "cpe:/a:redhat:enterprise_linux:7::hypervisor"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2016-5008\nhttps://nvd.nist.gov/vuln/detail/CVE-2016-5008" ],
  "name" : "CVE-2016-5008",
  "csaw" : false
}