CVE-2016-4963 — Improper Access Control in XEN

CWE-284 — Improper Access Control7 documents6 sources

Severity

4.7MEDIUMNVD

EPSS

0.0%

top 85.72%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

XEN Debian XEN

Timeline

PublishedJun 7

Latest updateMay 14

Description

The libxl device-handling in Xen through 4.6.x allows local guest OS users with access to the driver domain to cause a denial of service (management tool confusion) by manipulating information in the backend directories in xenstore.

CVSS vector

CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:HExploitability: 1.0 | Impact: 3.6

Affected Packages3 packages

▶debiandebian/xen< xen 4.8.0~rc3-1 (bookworm)

▶Debianxen/xen< 4.8.0~rc3-1+3

▶NVDxen/xen35 versions+34

🔴Vulnerability Details

GHSA

GHSA-4wh7-gxf5-7gc2: The libxl device-handling in Xen through 4↗2022-05-14

▶

OSV

CVE-2016-4963: The libxl device-handling in Xen through 4↗2016-06-07

▶

📋Vendor Advisories

Red Hat

xen: Unsanitised driver domain input in libxl device handling (XSA-178)↗2016-06-02

▶

Debian

CVE-2016-4963: xen - The libxl device-handling in Xen through 4.6.x allows local guest OS users with ...↗2016

▶

💬Community

Bugzilla

CVE-2016-4963 xsa178 xen: Unsanitised driver domain input in libxl device handling (XSA-178) [fedora-all]↗2016-06-02

▶

Bugzilla

CVE-2016-4963 xsa178 xen: Unsanitised driver domain input in libxl device handling (XSA-178)↗2016-05-12

▶