Multiple vulnerabilities in Oracle VM VirtualBox
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 20 |
| CVE-ID | CVE-2020-2902 CVE-2020-2913 CVE-2020-2909 CVE-2020-2748 CVE-2020-2743 CVE-2020-2741 CVE-2020-2951 CVE-2020-2910 CVE-2020-2914 CVE-2020-2958 CVE-2020-2959 CVE-2020-2907 CVE-2020-2911 CVE-2020-2929 CVE-2020-2894 CVE-2020-2758 CVE-2020-2908 CVE-2020-2905 CVE-2020-2742 CVE-2020-2575 |
| CWE-ID | CWE-20 CWE-457 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
Oracle VM VirtualBox Server applications / Virtualization software |
| Vendor | Oracle |
Security Bulletin
This security bulletin contains information about 20 vulnerabilities.
Updated 04.05.2020
Added vulnerability #20
1) Improper input validation
EUVDB-ID: #VU27276
Risk: Low
CVSSv3.1: 7.7 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-2902
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a local authenticated user to execute arbitrary code.
The vulnerability exists due to improper input validation within the Core component in Oracle VM VirtualBox. A local authenticated user can exploit this vulnerability to execute arbitrary code.
MitigationInstall updates from vendor's website.
Vulnerable software versionsOracle VM VirtualBox: 5.2.0 - 6.1.4
External linkshttp://www.oracle.com/security-alerts/cpuapr2020.html
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Improper input validation
EUVDB-ID: #VU27287
Risk: Low
CVSSv3.1: 6.1 [CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-2913
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a local authenticated user to execute arbitrary code.
The vulnerability exists due to improper input validation within the Core component in Oracle VM VirtualBox. A local authenticated user can exploit this vulnerability to execute arbitrary code.
MitigationInstall updates from vendor's website.
Vulnerable software versionsOracle VM VirtualBox: 6.0.0 - 6.1.4
External linkshttp://www.oracle.com/security-alerts/cpuapr2020.html
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Improper input validation
EUVDB-ID: #VU27294
Risk: Low
CVSSv3.1: 2.5 [CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-2909
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a local authenticated user to perform service disruption.
The vulnerability exists due to improper input validation within the Core component in Oracle VM VirtualBox. A local authenticated user can exploit this vulnerability to perform service disruption.
MitigationInstall updates from vendor's website.
Vulnerable software versionsOracle VM VirtualBox: 5.2.0 - 6.1.4
External linkshttp://www.oracle.com/security-alerts/cpuapr2020.html
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Improper input validation
EUVDB-ID: #VU27293
Risk: Low
CVSSv3.1: 2.8 [CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-2748
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a local privileged user to gain access to sensitive information.
The vulnerability exists due to improper input validation within the Core component in Oracle VM VirtualBox. A local privileged user can exploit this vulnerability to gain access to sensitive information.
MitigationInstall updates from vendor's website.
Vulnerable software versionsOracle VM VirtualBox: 5.2.0 - 6.1.4
External linkshttp://www.oracle.com/security-alerts/cpuapr2020.html
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Improper input validation
EUVDB-ID: #VU27292
Risk: Low
CVSSv3.1: 5.2 [CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-2743
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a local privileged user to gain access to sensitive information.
The vulnerability exists due to improper input validation within the Core component in Oracle VM VirtualBox. A local privileged user can exploit this vulnerability to gain access to sensitive information.
MitigationInstall updates from vendor's website.
Vulnerable software versionsOracle VM VirtualBox: 5.2.0 - 6.1.0
External linkshttp://www.oracle.com/security-alerts/cpuapr2020.html
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Improper input validation
EUVDB-ID: #VU27291
Risk: Low
CVSSv3.1: 5.2 [CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-2741
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a local privileged user to gain access to sensitive information.
The vulnerability exists due to improper input validation within the Core component in Oracle VM VirtualBox. A local privileged user can exploit this vulnerability to gain access to sensitive information.
MitigationInstall updates from vendor's website.
Vulnerable software versionsOracle VM VirtualBox: 5.2.0 - 6.1.4
External linkshttp://www.oracle.com/security-alerts/cpuapr2020.html
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) Improper input validation
EUVDB-ID: #VU27290
Risk: Low
CVSSv3.1: 5.7 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-2951
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a local authenticated user to a crash the entire system.
The vulnerability exists due to improper input validation within the Core component in Oracle VM VirtualBox. A local authenticated user can exploit this vulnerability to a crash the entire system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsOracle VM VirtualBox: 5.2.0 - 6.1.4
External linkshttp://www.oracle.com/security-alerts/cpuapr2020.html
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
8) Improper input validation
EUVDB-ID: #VU27289
Risk: Low
CVSSv3.1: 5.7 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-2910
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a local authenticated user to manipulate data.
The vulnerability exists due to improper input validation within the Core component in Oracle VM VirtualBox. A local authenticated user can exploit this vulnerability to manipulate data.
MitigationInstall updates from vendor's website.
Vulnerable software versionsOracle VM VirtualBox: 6.0.0 - 6.1.4
External linkshttp://www.oracle.com/security-alerts/cpuapr2020.html
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
9) Improper input validation
EUVDB-ID: #VU27288
Risk: Low
CVSSv3.1: 6.1 [CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-2914
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a local authenticated user to execute arbitrary code.
The vulnerability exists due to improper input validation within the Core component in Oracle VM VirtualBox. A local authenticated user can exploit this vulnerability to execute arbitrary code.
MitigationInstall updates from vendor's website.
Vulnerable software versionsOracle VM VirtualBox: 6.0.0 - 6.1.4
External linkshttp://www.oracle.com/security-alerts/cpuapr2020.html
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
10) Improper input validation
EUVDB-ID: #VU27286
Risk: Low
CVSSv3.1: 6.5 [CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-2958
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a local privileged user to execute arbitrary code.
The vulnerability exists due to improper input validation within the Core component in Oracle VM VirtualBox. A local privileged user can exploit this vulnerability to execute arbitrary code.
MitigationInstall updates from vendor's website.
Vulnerable software versionsOracle VM VirtualBox: 5.2.0 - 6.1.4
External linkshttp://www.oracle.com/security-alerts/cpuapr2020.html
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
11) Improper input validation
EUVDB-ID: #VU27277
Risk: High
CVSSv3.1: 7.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-2959
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to a crash the entire system.
The vulnerability exists due to improper input validation within the Core component in Oracle VM VirtualBox. A remote non-authenticated attacker can exploit this vulnerability to a crash the entire system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsOracle VM VirtualBox: 5.2.0 - 6.1.4
External linkshttp://www.oracle.com/security-alerts/cpuapr2020.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
12) Improper input validation
EUVDB-ID: #VU27285
Risk: Low
CVSSv3.1: 6.5 [CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-2907
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a local privileged user to execute arbitrary code.
The vulnerability exists due to improper input validation within the Core component in Oracle VM VirtualBox. A local privileged user can exploit this vulnerability to execute arbitrary code.
MitigationInstall updates from vendor's website.
Vulnerable software versionsOracle VM VirtualBox: 5.2.0 - 6.1.4
External linkshttp://www.oracle.com/security-alerts/cpuapr2020.html
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
13) Improper input validation
EUVDB-ID: #VU27284
Risk: Low
CVSSv3.1: 6.5 [CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-2911
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a local privileged user to execute arbitrary code.
The vulnerability exists due to improper input validation within the Core component in Oracle VM VirtualBox. A local privileged user can exploit this vulnerability to execute arbitrary code.
MitigationInstall updates from vendor's website.
Vulnerable software versionsOracle VM VirtualBox: 5.2.0 - 6.1.4
External linkshttp://www.oracle.com/security-alerts/cpuapr2020.html
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
14) Improper input validation
EUVDB-ID: #VU27283
Risk: Low
CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-2929
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a local authenticated user to execute arbitrary code.
The vulnerability exists due to improper input validation within the Core component in Oracle VM VirtualBox. A local authenticated user can exploit this vulnerability to execute arbitrary code.
MitigationInstall updates from vendor's website.
Vulnerable software versionsOracle VM VirtualBox: 5.2.0 - 6.1.4
External linkshttp://www.oracle.com/security-alerts/cpuapr2020.html
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
15) Improper input validation
EUVDB-ID: #VU27282
Risk: Low
CVSSv3.1: 7.1 [CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-2894
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a local privileged user to execute arbitrary code.
The vulnerability exists due to improper input validation within the Core component in Oracle VM VirtualBox. A local privileged user can exploit this vulnerability to execute arbitrary code.
MitigationInstall updates from vendor's website.
Vulnerable software versionsOracle VM VirtualBox: 5.2.0 - 6.1.4
External linkshttp://www.oracle.com/security-alerts/cpuapr2020.html
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
16) Improper input validation
EUVDB-ID: #VU27281
Risk: Low
CVSSv3.1: 7.1 [CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-2758
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a local privileged user to execute arbitrary code.
The vulnerability exists due to improper input validation within the Core component in Oracle VM VirtualBox. A local privileged user can exploit this vulnerability to execute arbitrary code.
MitigationInstall updates from vendor's website.
Vulnerable software versionsOracle VM VirtualBox: 5.2.0 - 6.1.4
External linkshttp://www.oracle.com/security-alerts/cpuapr2020.html
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
17) Improper input validation
EUVDB-ID: #VU27280
Risk: Low
CVSSv3.1: 7.1 [CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-2908
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a local privileged user to execute arbitrary code.
The vulnerability exists due to improper input validation within the Core component in Oracle VM VirtualBox. A local privileged user can exploit this vulnerability to execute arbitrary code.
MitigationInstall updates from vendor's website.
Vulnerable software versionsOracle VM VirtualBox: 5.2.0 - 6.1.4
External linkshttp://www.oracle.com/security-alerts/cpuapr2020.html
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
18) Improper input validation
EUVDB-ID: #VU27279
Risk: Low
CVSSv3.1: 7.1 [CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-2905
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a local privileged user to execute arbitrary code.
The vulnerability exists due to improper input validation within the Core component in Oracle VM VirtualBox. A local privileged user can exploit this vulnerability to execute arbitrary code.
MitigationInstall updates from vendor's website.
Vulnerable software versionsOracle VM VirtualBox: 5.2.0 - 6.1.4
External linkshttp://www.oracle.com/security-alerts/cpuapr2020.html
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
19) Improper input validation
EUVDB-ID: #VU27278
Risk: Low
CVSSv3.1: 7.1 [CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-2742
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a local privileged user to execute arbitrary code.
The vulnerability exists due to improper input validation within the Core component in Oracle VM VirtualBox. A local privileged user can exploit this vulnerability to execute arbitrary code.
MitigationInstall updates from vendor's website.
Vulnerable software versionsOracle VM VirtualBox: 5.2.0 - 6.1.0
External linkshttp://www.oracle.com/security-alerts/cpuapr2020.html
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
20) Use of Uninitialized Variable
EUVDB-ID: #VU27493
Risk: Low
CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-2575
CWE-ID:
CWE-457 - Use of Uninitialized Variable
Exploit availability: No
DescriptionThe vulnerabilities allows a local user to escalate privileges on the target system.
The vulnerability exists within the processing of data sent to OHCI endpoints due to the lack of proper initialization of memory prior to accessing it. A local user can gain elevated privileges on the target system and execute arbitrary code.
Install updates from vendor's website.
Vulnerable software versionsOracle VM VirtualBox: 5.2.0 - 6.1.4
External linkshttp://www.oracle.com/security-alerts/cpuapr2020.html
http://www.zerodayinitiative.com/advisories/ZDI-20-582/
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
