CVE-2015-2152

Xen 4.5.x and earlier enables certain default backends when emulating a VGA device for an x86 HVM guest qemu even when the configuration disables them, which allows local guest users to obtain access to the VGA console by (1) setting the DISPLAY environment variable, when compiled with SDL support, or connecting to the VNC server on (2) ::1 or (3) 127.0.0.1, when not compiled with SDL support.

Published: Mar 18, 2015
Updated: Apr 13, 2023
CVE: CVE-2015-2152
Severity: Low
Exploit:

CVSS v2:

Severity: Low
Score: 1.9
AV:L/AC:M/Au:N/C:N/I:P/A:N

CWEs:

CWE-264

Affected Software
References

Software	From	Fixed in
xen / xen	-	4.5.0.x
fedoraproject / fedora	22	22.x
fedoraproject / fedora	20	20.x
fedoraproject / fedora	21	21.x

http://lists.fedoraproject.org/pipermail/package-announce/2015-March/152483.html
http://lists.fedoraproject.org/pipermail/package-announce/2015-March/152588.html
http://lists.fedoraproject.org/pipermail/package-announce/2015-March/152776.html
http://lists.opensuse.org/opensuse-security-announce/2015-04/msg00014.html
http://www.securityfocus.com/bid/73068
http://www.securitytracker.com/id/1031806
http://www.securitytracker.com/id/1031919
http://xenbits.xen.org/xsa/advisory-119.html
https://security.gentoo.org/glsa/201504-04

Vulnerability Database

290,301

CVE-2015-2152