CVE-2015-2152 — XEN vulnerability

CWE-2647 documents6 sources

Severity

1.9LOWNVD

EPSS

0.1%

top 77.39%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

XEN Debian XEN Fedoraproject Fedora

Timeline

PublishedMar 18

Latest updateMay 14

Description

Xen 4.5.x and earlier enables certain default backends when emulating a VGA device for an x86 HVM guest qemu even when the configuration disables them, which allows local guest users to obtain access to the VGA console by (1) setting the DISPLAY environment variable, when compiled with SDL support, or connecting to the VNC server on (2) ::1 or (3) 127.0.0.1, when not compiled with SDL support.

CVSS vector

AV:L/AC:M/C:N/I:P/A:NExploitability: 3.4 | Impact: 2.9

Affected Packages3 packages

▶debiandebian/xen< xen 4.4.1-9 (bookworm)

▶Debianxen/xen< 4.4.1-9+3

▶NVDxen/xen4.5.0

Also affects: Fedora 20, 21, 22

Patches

Patch: xenbits.xen.org ↗Patch: xenbits.xen.org ↗

🔴Vulnerability Details

GHSA

GHSA-4h5r-jgg6-766g: Xen 4↗2022-05-14

▶

OSV

CVE-2015-2152: Xen 4↗2015-03-18

▶

📋Vendor Advisories

Red Hat

xen: HVM qemu unexpectedly enabling emulated VGA graphics backends (XSA 119)↗2015-03-12

▶

Debian

CVE-2015-2152: xen - Xen 4.5.x and earlier enables certain default backends when emulating a VGA devi...↗2015

▶

💬Community

Bugzilla

CVE-2015-2152 xen: HVM qemu unexpectedly enabling emulated VGA graphics backends (XSA 119) [fedora-all]↗2015-03-12

▶

Bugzilla

CVE-2015-2152 xen: HVM qemu unexpectedly enabling emulated VGA graphics backends (XSA 119)↗2015-03-11

▶