Total vulnerabilities in the database
bhyveload -h <host-path> may be used to grant loader access to the <host-path> directory tree on the host. Affected versions of bhyveload(8) do not make any attempt to restrict loader's access to <host-path>, allowing the loader to read any file the host user has access to. In the bhyveload(8) model, the host supplies a userboot.so to boot with, but the loader scripts generally come from the guest image. A maliciously crafted script could be used to exfiltrate sensitive data from the host accessible to the user running bhyhveload(8), which is often the system root.
| Software | From | Fixed in |
|---|---|---|
| freebsd / freebsd | 13.2-p1 | 13.2-p1.x |
| freebsd / freebsd | 13.2-p2 | 13.2-p2.x |
| freebsd / freebsd | 13.2-p3 | 13.2-p3.x |
| freebsd / freebsd | - | 13.2 |
| freebsd / freebsd | 13.2-p4 | 13.2-p4.x |
| freebsd / freebsd | 14.0-beta5 | 14.0-beta5.x |
| freebsd / freebsd | 13.2-p5 | 13.2-p5.x |
| freebsd / freebsd | 13.2-p6 | 13.2-p6.x |
| freebsd / freebsd | 13.2-p7 | 13.2-p7.x |
| freebsd / freebsd | 13.2-p8 | 13.2-p8.x |
| freebsd / freebsd | 13.2-p9 | 13.2-p9.x |
| freebsd / freebsd | 13.3 | 14.0 |
| freebsd / freebsd | 14.0-rc3 | 14.0-rc3.x |
| freebsd / freebsd | 14.0-rc4-p1 | 14.0-rc4-p1.x |
| freebsd / freebsd | 14.0-p1 | 14.0-p1.x |
| freebsd / freebsd | 14.0-p2 | 14.0-p2.x |
| freebsd / freebsd | 14.0-p3 | 14.0-p3.x |
| freebsd / freebsd | 14.0-p4 | 14.0-p4.x |