Vulnerabilities > CVE-2020-14695 - Out-of-bounds Read vulnerability in multiple products
Summary
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are Prior to 5.2.44, prior to 6.0.24 and prior to 6.1.12. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle VM VirtualBox accessible data. CVSS 3.1 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N).
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Overread Buffers An adversary attacks a target by providing input that causes an application to read beyond the boundary of a defined buffer. This typically occurs when a value influencing where to start or stop reading is set to reflect positions outside of the valid memory location of the buffer. This type of attack may result in exposure of sensitive information, a system crash, or arbitrary code execution.
References
- http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00068.html
- http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00068.html
- http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00079.html
- http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00079.html
- https://security.gentoo.org/glsa/202101-09
- https://security.gentoo.org/glsa/202101-09
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://www.zerodayinitiative.com/advisories/ZDI-20-900/
- https://www.zerodayinitiative.com/advisories/ZDI-20-900/