Information disclosure in xen (Alpine package)
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2018-10472 |
| CWE-ID | CWE-200 |
| Exploitation vector | Local network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
xen (Alpine package) Operating systems & Components / Operating system package or component |
| Vendor | Alpine Linux Development Team |
Security Bulletin
This security bulletin contains one low risk vulnerability.
1) Information disclosure
EUVDB-ID: #VU12543
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-10472
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows an adjacent attacker to obtain potentially sensitive information on the target system.
The weakness exists in certain configurations due to improper information control. An adjacent attacker can read arbitrary dom0 files via QMP live insertion of a CDROM, in conjunction with specifying the target file as the backing file of a snapshot.
MitigationInstall update from vendor's website.
Vulnerable software versionsxen (Alpine package): 4.6.0-r0 - 4.6.6-r4
External linkshttp://git.alpinelinux.org/aports/commit/?id=cf5828feef63ab62588f29482b15001535c73719
http://git.alpinelinux.org/aports/commit/?id=96018bf2841ac59b632f6d84ad6247b5b825dc3a
http://git.alpinelinux.org/aports/commit/?id=d2a71459869989207ef392e3d8338330ee055a7f
http://git.alpinelinux.org/aports/commit/?id=9bdda5f2061773ab7f74bacd75ba922ce5fef8ac
http://git.alpinelinux.org/aports/commit/?id=95c1be17ba7dd9d974289b72613f50e74a20e0a2
http://git.alpinelinux.org/aports/commit/?id=73f6ed4311545e458f14db858c74d8d332f9c100
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
