CVE-2020-14301: 
NixOS vulnerability analysis and mitigation

An information disclosure vulnerability was discovered in libvirt versions before 6.3.0. The vulnerability, identified as CVE-2020-14301, was related to HTTP cookies used for accessing network-based disks being exposed in the XML dump of guest domains. The issue was introduced in libvirt version 6.2.0 when support for cookies for HTTP-based disks was first implemented (RedHat Bugzilla).

The vulnerability occurs when cookies used to access disk images via HTTP/HTTPS network protocols are included in the XML dump of the guest domain. These cookies, which typically contain sensitive information, were being exposed through the 'cookie_value' element in the domain configuration. The issue can be exploited using the 'virsh dumpxml' command, which displays the domain configuration including the sensitive cookie information. The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N (NVD).

The vulnerability allows attackers to access potentially sensitive information stored in HTTP cookies that are used for accessing network-based disks. This information disclosure could potentially lead to unauthorized access to network resources or other security implications depending on the content of the exposed cookies (NetApp Security).

The vulnerability was fixed in libvirt version 6.3.0. The fix ensures that cookies are only included in the XML dump when explicitly requested using the --security-info attribute. The fix was implemented through two upstream commits that modified how cookie information is handled in the XML output (RedHat Bugzilla).