CVE-2015-2152
Xen < 4.5.0 - Unauthenticated VGA Console Access via Disabled Backend Bypass
Xen 4.5.x and earlier enables certain default backends when emulating a VGA device in qemu for an x86 HVM guest, even when the configuration disables them. This allows local guest users to obtain access to the VGA console by (1) setting the DISPLAY environment variable, when compiled with SDL support, or by connecting to the VNC server on (2) ::1 or (3) 127.0.0.1, when not compiled with SDL support.
References (9)
Third Party Advisory (vendor-advisory, x_refsource_gentoo): https://security.gentoo.org/glsa/201504-04
Third Party Advisory, VDB Entry (vdb-entry, x_refsource_sectrack): http://www.securitytracker.com/id/1031919
Third Party Advisory (vendor-advisory, x_refsource_fedora): http://lists.fedoraproject.org/pipermail/package-announce/2015-March/152776.html
Third Party Advisory (vendor-advisory, x_refsource_fedora): http://lists.fedoraproject.org/pipermail/package-announce/2015-March/152588.html
Third Party Advisory, VDB Entry (vdb-entry, x_refsource_bid): http://www.securityfocus.com/bid/73068
Third Party Advisory (vendor-advisory, x_refsource_fedora): http://lists.fedoraproject.org/pipermail/package-announce/2015-March/152483.html
Patch, Vendor Advisory (x_refsource_confirm): http://xenbits.xen.org/xsa/advisory-119.html
Mailing List (vendor-advisory, x_refsource_suse): http://lists.opensuse.org/opensuse-security-announce/2015-04/msg00014.html
Third Party Advisory, VDB Entry (vdb-entry, x_refsource_sectrack): http://www.securitytracker.com/id/1031806
Scores
EPSS: 0.0008 (percentile 22.5%)
Details
CWE: CWE-264
Status: published
Products (4)
fedoraproject/fedora 20
fedoraproject/fedora 21
fedoraproject/fedora 22
xen/xen < 4.5.0
Published: Mar 18, 2015
Tracked Since: Feb 18, 2026