Information disclosure in qemu (Alpine package)
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2015-5165 |
| CWE-ID | CWE-200 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
qemu (Alpine package) Operating systems & Components / Operating system package or component |
| Vendor | Alpine Linux Development Team |
Security Bulletin
This security bulletin contains one medium risk vulnerability.
1) Information disclosure
EUVDB-ID: #VU32393
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2015-5165
CWE-ID:
CWE-200 - Exposure of sensitive information to an unauthorized actor
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
The C+ mode offload emulation in the RTL8139 network card device model in QEMU, as used in Xen 4.5.x and earlier, allows remote attackers to read process heap memory via unspecified vectors.
MitigationInstall update from vendor's website.
Vulnerable software versionsqemu (Alpine package): 1.6.2-r5
CPE2.3 External linkshttps://git.alpinelinux.org/aports/commit/?id=5509c50a7b4bb564bc59f9af2f71110dd3d0fc52
https://git.alpinelinux.org/aports/commit/?id=5804c8a40450c4af7e6a02403aa7ff9133867d22
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
