Detections
Analytics
Alpine: multiple spice packages: security update to 0.12.5-r2 (deprecated)
high Tenable Self-Hosted Container Security Plugin ID 401094
Description
There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:- Race condition in the worker_update_monitors_config function in SPICE 0.12.4 allows a remote authenticated
guest user to cause a denial of service (heap-based memory corruption and QEMU-KVM crash) or possibly
execute arbitrary code on the host via unspecified vectors. (CVE-2015-3247)
- Heap-based buffer overflow in SPICE before 0.12.6 allows guest OS users to cause a denial of service
(heap-based memory corruption and QEMU-KVM crash) or possibly execute arbitrary code on the host via QXL
commands related to the surface_id parameter. (CVE-2015-5260)
- Heap-based buffer overflow in SPICE before 0.12.6 allows guest OS users to read and write to arbitrary
memory locations on the host via guest QXL commands related to surface creation. (CVE-2015-5261)
See Also
https://git.alpinelinux.org/aports/commit/?id=a887645297d9345a54253c577ef27a9998557145
https://git.alpinelinux.org/aports/commit/?id=eda0077e74e2440e671b762484586ab769a70f12
Plugin Details
Severity: High
ID: 401094
Version: Revision 1.27
Type: Local
Published: 8/16/2023
Updated: 6/19/2026
Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security
Risk Information
VPR
Risk Factor: Medium
Score: 6.7
CVSS v2
Risk Factor: High
Base Score: 7.2
Temporal Score: 5.3
Vector: CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C
CVSS Score Source: CVE-2015-5260
CVSS v3
Risk Factor: High
Base Score: 7.8
Temporal Score: 6.8
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C
Vulnerability Information
Exploit Ease: No known exploits are available
Patch Publication Date: 10/13/2015
Vulnerability Publication Date: 9/3/2015