Vulnerabilities > CVE-2020-8938 - Out-of-bounds Write vulnerability in Google Asylo

CVSS 3.3 - LOW

Attack vector

LOCAL

Attack complexity

LOW

Privileges required

LOW

Confidentiality impact

NONE

Integrity impact

LOW

Availability impact

NONE

local

low complexity

google

CWE-787

NVD

Published: 2020-12-15

Updated: 2020-12-17

Summary

An arbitrary memory overwrite vulnerability in Asylo versions up to 0.6.0 allows an attacker to make a host call to FromkLinuxSockAddr with attacker controlled content and size of klinux_addr which allows an attacker to write memory values from within the enclave. We recommend upgrading past commit a37fb6a0e7daf30134dbbf357c9a518a1026aa02

Vulnerable Configurations

Part	Description	Count
Application	Google Google Asylo - Google Asylo 0.2.0 Google Asylo 0.2.1 Google Asylo 0.2.2 Google Asylo 0.3.0 Google Asylo 0.3.1 Google Asylo 0.3.2 Google Asylo 0.3.3 Google Asylo 0.3.4 Google Asylo 0.3.4.1 Google Asylo 0.3.4.2 Google Asylo 0.4.0 Google Asylo 0.4.1 Google Asylo 0.5.0 Google Asylo 0.5.1 Google Asylo 0.5.2 Google Asylo 0.5.3	17

Common Weakness Enumeration (CWE)

CWE-787 - Out-of-bounds Write

References

https://github.com/google/asylo/commit/bda9772e7872b0d2b9bee32930cf7a4983837b39