CVE-2017-15589

LOW

Description

An issue was discovered in Xen through 4.9.x allowing x86 HVM guest OS users to obtain sensitive information from the host OS (or an arbitrary guest OS) because intercepted I/O operations can cause a write of data from uninitialized hypervisor stack memory.

References

http://www.securityfocus.com/bid/101496

http://www.securitytracker.com/id/1039568

https://lists.debian.org/debian-lts-announce/2017/11/msg00027.html

https://lists.debian.org/debian-lts-announce/2018/10/msg00009.html

https://security.gentoo.org/glsa/201801-14

https://support.citrix.com/article/CTX228867

https://www.debian.org/security/2017/dsa-4050

https://xenbits.xen.org/xsa/advisory-239.html

Details

Source: MITRE

Published: 2017-10-18

Updated: 2018-10-19

Type: CWE-200

Risk Information

CVSS v2.0

Base Score: 2.1

Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N)

Impact Score: 2.9

Exploitability Score: 3.9

Severity: LOW

CVSS v3.0

Base Score: 6.5

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Impact Score: 4

Exploitability Score: 2

Severity: MEDIUM