First published: Wed Apr 15 2020(Updated: )
This vulnerability allows local attackers to disclose sensitive information on affected installations of Oracle VirtualBox. An attacker must first obtain the ability to execute high-privileged code on the target guest system in order to exploit this vulnerability. The specific flaw exists within the shader_glsl_get_register_name function. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the hypervisor.
Credit: secalert_us@oracle.com
Affected Software | Affected Version | How to fix |
---|---|---|
Oracle VM VirtualBox | <5.2.40 | |
Oracle VM VirtualBox | >=6.0.0<6.0.20 | |
Oracle VM VirtualBox | >=6.1.0<6.1.6 | |
openSUSE Leap | =15.1 | |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
The vulnerability ID is CVE-2020-2741.
The severity rating is medium (6 out of 10).
Versions prior to 5.2.40, 6.0.20, and 6.1.6 are affected.
The vulnerability can be exploited by a high privileged attacker with logon access to the infrastructure.
Upgrade to version 5.2.40, 6.0.20, or 6.1.6 or later to fix the vulnerability.