CVE-2015-2044 — Sensitive Information Exposure in XEN

CWE-200 — Sensitive Information Exposure CWE-212 — Improper Removal of Sensitive Information Before Storage or Transfer6 documents6 sources

Severity

2.1LOWNVD

EPSS

0.1%

top 76.09%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

XEN Debian XEN

Timeline

PublishedMar 12

Latest updateMay 14

Description

The emulation routines for unspecified X86 devices in Xen 3.2.x through 4.5.x does not properly initialize data, which allow local HVM guest users to obtain sensitive information via vectors involving an unsupported access size.

CVSS vector

AV:L/AC:L/C:P/I:N/A:NExploitability: 3.9 | Impact: 2.9

Affected Packages3 packages

▶debiandebian/xen< xen 4.4.1-8 (bookworm)

▶Debianxen/xen< 4.4.1-8+3

▶NVDxen/xen33 versions+32

🔴Vulnerability Details

GHSA

GHSA-p925-cpg4-hv5v: The emulation routines for unspecified X86 devices in Xen 3↗2022-05-14

▶

OSV

CVE-2015-2044: The emulation routines for unspecified X86 devices in Xen 3↗2015-03-12

▶

📋Vendor Advisories

Red Hat

xen: information leak via internal x86 system device emulation (XSA-121)↗2015-03-06

▶

Debian

CVE-2015-2044: xen - The emulation routines for unspecified X86 devices in Xen 3.2.x through 4.5.x do...↗2015

▶

💬Community

Bugzilla

CVE-2015-2044 xen: information leak via internal x86 system device emulation (XSA-121)↗2015-02-23

▶