CVE-2022-42310 — Incomplete Cleanup in XEN

CWE-459 — Incomplete Cleanup4 documents4 sources

Severity

5.5MEDIUMNVD

EPSS

0.0%

top 92.62%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

XEN Debian XEN Debian Linux +1 more

Timeline

PublishedNov 1

Description

Xenstore: Guests can create orphaned Xenstore nodes By creating multiple nodes inside a transaction resulting in an error, a malicious guest can create orphaned nodes in the Xenstore data base, as the cleanup after the error will not remove all nodes already created. When the transaction is committed after this situation, nodes without a valid parent can be made permanent in the data base.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:HExploitability: 1.8 | Impact: 3.6

Affected Packages3 packages

▶NVDxen/xen4.9.0 — 4.13.0

▶debiandebian/xen< xen 4.16.2+90-g0d39a6d1ae-1 (bookworm)

▶Debianxen/xen< 4.14.5+86-g1c354767d5-1+3

Also affects: Debian Linux 11.0, Fedora 35, 36, 37

Patches

Patch: xenbits.xen.org ↗Patch: xenbits.xen.org ↗

🔴Vulnerability Details

GHSA

GHSA-gw3c-jrpr-59hg: Xenstore: Guests can create orphaned Xenstore nodes By creating multiple nodes inside a transaction resulting in an error, a malicious guest can creat↗2022-11-01

▶

OSV

CVE-2022-42310: Xenstore: Guests can create orphaned Xenstore nodes By creating multiple nodes inside a transaction resulting in an error, a malicious guest can creat↗2022-11-01

▶

📋Vendor Advisories

Debian

CVE-2022-42310: xen - Xenstore: Guests can create orphaned Xenstore nodes By creating multiple nodes i...↗2022

▶