CVE-2021-28708: Command Injection in XEN

CWE-77: Command Injection | 12 documents | 4 sources
Severity: 8.8 HIGH (NVD)
EPSS: 0.1% (top 75.20%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: published Nov 24, latest update Nov 25

Description

PoD operations on misaligned GFNs. [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] x86 HVM and PVH guests may be started in populate-on-demand (PoD) mode, to provide a way for them to later easily have more memory assigned. Guests are permitted to control certain P2M aspects of individual pages via hypercalls. These hypercalls may act on ranges of pages specified via page orders (resulting in a power-of-2 number of p

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Exploitability: 2.0 | Impact: 6.0

Affected Packages (4 packages)

CVEListV5 | xen/xen | 4.12.x | unspecified | +2
debian | debian/xen | < xen 4.14.3+32-g9de3671772-1 (bookworm)
Debian | xen/xen | < 4.14.3+32-g9de3671772-1~deb11u1 | +3
NVD | xen/xen | 4.7.0 | 4.15.1

Also affects: Debian Linux 11.0, 9.0, Fedora 34, 35

Patches

🔴 Vulnerability Details (6)

GHSA | GHSA-gjrp-cpc9-h4r7: PoD operations on misaligned GFNs [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to | 2021-11-25
GHSA | GHSA-959p-vvwh-xj92: PoD operations on misaligned GFNs [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to | 2021-11-25
GHSA | GHSA-jpp8-232v-26fc: PoD operations on misaligned GFNs [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to | 2021-11-25
OSV | CVE-2021-28707: PoD operations on misaligned GFNs [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to | 2021-11-24
OSV | CVE-2021-28708: PoD operations on misaligned GFNs [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to | 2021-11-24

📋 Vendor Advisories (3)

Debian | CVE-2021-28704: xen - PoD operations on misaligned GFNs [This CNA information record relates to multip... | 2021
Debian | CVE-2021-28708: xen - PoD operations on misaligned GFNs [This CNA information record relates to multip... | 2021
Debian | CVE-2021-28707: xen - PoD operations on misaligned GFNs [This CNA information record relates to multip... | 2021