CVE-2015-2152 : Xen 4.5.x and earlier enables certain default backends when emulating a VGA devi

Xen 4.5.x and earlier enables certain default backends when emulating a VGA device for an x86 HVM guest qemu even when the configuration disables them, which allows local guest users to obtain access to the VGA console by (1) setting the DISPLAY environment variable, when compiled with SDL support, or connecting to the VNC server on (2) ::1 or (3) 127.0.0.1, when not compiled with SDL support.

Published 2015-03-18 16:59:02

Updated 2025-04-12 10:46:41

Source MITRE

View at NVD, CVE.org

Products affected by CVE-2015-2152

XEN » XEN
Versions up to, including, (<=) 4.5.0
cpe:2.3:o:xen:xen:*:*:*:*:*:*:*:*
Matching versions
Fedoraproject » Fedora » Version: 20
cpe:2.3:o:fedoraproject:fedora:20:*:*:*:*:*:*:*
Matching versions
Fedoraproject » Fedora » Version: 21
cpe:2.3:o:fedoraproject:fedora:21:*:*:*:*:*:*:*
Matching versions
Fedoraproject » Fedora » Version: 22
cpe:2.3:o:fedoraproject:fedora:22:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2015-2152

EPSS FAQ

0.08%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 23 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2015-2152

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
1.9	LOW	AV:L/AC:M/Au:N/C:N/I:P/A:N	3.4	2.9	NIST
Access Vector: Local Access Complexity: Medium Authentication: None Confidentiality Impact: None Integrity Impact: Partial Availability Impact: None

CWE ids for CVE-2015-2152

CWE-264

Assigned by: nvd@nist.gov (Primary)

References for CVE-2015-2152

http://lists.fedoraproject.org/pipermail/package-announce/2015-March/152776.html

[SECURITY] Fedora 21 Update: xen-4.4.1-16.fc21
Third Party Advisory

CVEs referencing this url
http://lists.opensuse.org/opensuse-security-announce/2015-04/msg00014.html

[security-announce] openSUSE-SU-2015:0732-1: important: Security update

CVEs referencing this url
https://security.gentoo.org/glsa/201504-04

Xen: Multiple vulnerabilities (GLSA 201504-04) — Gentoo security

CVEs referencing this url
http://www.securitytracker.com/id/1031919

Xen HVM qemu Flaw Lets Local Users Access VGA Backend on the Target Guest System - SecurityTracker
Third Party Advisory;VDB Entry
http://xenbits.xen.org/xsa/advisory-119.html

XSA-119 - Xen Security Advisories
Patch;Vendor Advisory
http://www.securitytracker.com/id/1031806

Xen Multiple Flaws Let Local Guest Users Deny Service or Obtain Information From Other Guest Systems - SecurityTracker
Third Party Advisory;VDB Entry

CVEs referencing this url
http://www.securityfocus.com/bid/73068

Xen CVE-2015-2152 Information Disclosure Vulnerability
http://lists.fedoraproject.org/pipermail/package-announce/2015-March/152483.html

[SECURITY] Fedora 22 Update: xen-4.5.0-6.fc22
Third Party Advisory

CVEs referencing this url
http://lists.fedoraproject.org/pipermail/package-announce/2015-March/152588.html

[SECURITY] Fedora 20 Update: xen-4.3.3-12.fc20
Third Party Advisory

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2015-2152

Products affected by CVE-2015-2152

Exploit prediction scoring system (EPSS) score for CVE-2015-2152

CVSS scores for CVE-2015-2152

CWE ids for CVE-2015-2152

References for CVE-2015-2152