Multiple vulnerabilities in Oracle VM VirtualBox



Published: 2020-04-14 | Updated: 2020-05-04
Risk High
Patch available YES
Number of vulnerabilities 20
CVE-ID CVE-2020-2902
CVE-2020-2913
CVE-2020-2909
CVE-2020-2748
CVE-2020-2743
CVE-2020-2741
CVE-2020-2951
CVE-2020-2910
CVE-2020-2914
CVE-2020-2958
CVE-2020-2959
CVE-2020-2907
CVE-2020-2911
CVE-2020-2929
CVE-2020-2894
CVE-2020-2758
CVE-2020-2908
CVE-2020-2905
CVE-2020-2742
CVE-2020-2575
CWE-ID CWE-20
CWE-457
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe
Oracle VM VirtualBox
Server applications / Virtualization software

Vendor Oracle

Security Bulletin

This security bulletin contains information about 20 vulnerabilities.

Updated 04.05.2020

Added vulnerability #20

1) Improper input validation

EUVDB-ID: #VU27276

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2020-2902

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a local authenticated user to execute arbitrary code.

The vulnerability exists due to improper input validation within the Core component in Oracle VM VirtualBox. A local authenticated user can exploit this vulnerability to execute arbitrary code.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Oracle VM VirtualBox: 5.2.0 - 6.1.4


CPE2.3 External links

http://www.oracle.com/security-alerts/cpuapr2020.html

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

2) Improper input validation

EUVDB-ID: #VU27287

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2020-2913

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a local authenticated user to execute arbitrary code.

The vulnerability exists due to improper input validation within the Core component in Oracle VM VirtualBox. A local authenticated user can exploit this vulnerability to execute arbitrary code.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Oracle VM VirtualBox: 6.0.0 - 6.1.4


CPE2.3 External links

http://www.oracle.com/security-alerts/cpuapr2020.html

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

3) Improper input validation

EUVDB-ID: #VU27294

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2020-2909

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a local authenticated user to perform service disruption.

The vulnerability exists due to improper input validation within the Core component in Oracle VM VirtualBox. A local authenticated user can exploit this vulnerability to perform service disruption.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Oracle VM VirtualBox: 5.2.0 - 6.1.4


CPE2.3 External links

http://www.oracle.com/security-alerts/cpuapr2020.html

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

4) Improper input validation

EUVDB-ID: #VU27293

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2020-2748

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a local privileged user to gain access to sensitive information.

The vulnerability exists due to improper input validation within the Core component in Oracle VM VirtualBox. A local privileged user can exploit this vulnerability to gain access to sensitive information.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Oracle VM VirtualBox: 5.2.0 - 6.1.4


CPE2.3 External links

http://www.oracle.com/security-alerts/cpuapr2020.html

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

5) Improper input validation

EUVDB-ID: #VU27292

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2020-2743

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a local privileged user to gain access to sensitive information.

The vulnerability exists due to improper input validation within the Core component in Oracle VM VirtualBox. A local privileged user can exploit this vulnerability to gain access to sensitive information.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Oracle VM VirtualBox: 5.2.0 - 6.1.0


CPE2.3 External links

http://www.oracle.com/security-alerts/cpuapr2020.html

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

6) Improper input validation

EUVDB-ID: #VU27291

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2020-2741

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a local privileged user to gain access to sensitive information.

The vulnerability exists due to improper input validation within the Core component in Oracle VM VirtualBox. A local privileged user can exploit this vulnerability to gain access to sensitive information.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Oracle VM VirtualBox: 5.2.0 - 6.1.4


CPE2.3 External links

http://www.oracle.com/security-alerts/cpuapr2020.html

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

7) Improper input validation

EUVDB-ID: #VU27290

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2020-2951

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a local authenticated user to a crash the entire system.

The vulnerability exists due to improper input validation within the Core component in Oracle VM VirtualBox. A local authenticated user can exploit this vulnerability to a crash the entire system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Oracle VM VirtualBox: 5.2.0 - 6.1.4


CPE2.3 External links

http://www.oracle.com/security-alerts/cpuapr2020.html

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

8) Improper input validation

EUVDB-ID: #VU27289

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2020-2910

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a local authenticated user to manipulate data.

The vulnerability exists due to improper input validation within the Core component in Oracle VM VirtualBox. A local authenticated user can exploit this vulnerability to manipulate data.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Oracle VM VirtualBox: 6.0.0 - 6.1.4


CPE2.3 External links

http://www.oracle.com/security-alerts/cpuapr2020.html

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

9) Improper input validation

EUVDB-ID: #VU27288

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2020-2914

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a local authenticated user to execute arbitrary code.

The vulnerability exists due to improper input validation within the Core component in Oracle VM VirtualBox. A local authenticated user can exploit this vulnerability to execute arbitrary code.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Oracle VM VirtualBox: 6.0.0 - 6.1.4


CPE2.3 External links

http://www.oracle.com/security-alerts/cpuapr2020.html

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

10) Improper input validation

EUVDB-ID: #VU27286

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2020-2958

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a local privileged user to execute arbitrary code.

The vulnerability exists due to improper input validation within the Core component in Oracle VM VirtualBox. A local privileged user can exploit this vulnerability to execute arbitrary code.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Oracle VM VirtualBox: 5.2.0 - 6.1.4


CPE2.3 External links

http://www.oracle.com/security-alerts/cpuapr2020.html

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

11) Improper input validation

EUVDB-ID: #VU27277

Risk: High

CVSSv3.1:

CVE-ID: CVE-2020-2959

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to a crash the entire system.

The vulnerability exists due to improper input validation within the Core component in Oracle VM VirtualBox. A remote non-authenticated attacker can exploit this vulnerability to a crash the entire system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Oracle VM VirtualBox: 5.2.0 - 6.1.4


CPE2.3 External links

http://www.oracle.com/security-alerts/cpuapr2020.html

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

12) Improper input validation

EUVDB-ID: #VU27285

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2020-2907

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a local privileged user to execute arbitrary code.

The vulnerability exists due to improper input validation within the Core component in Oracle VM VirtualBox. A local privileged user can exploit this vulnerability to execute arbitrary code.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Oracle VM VirtualBox: 5.2.0 - 6.1.4


CPE2.3 External links

http://www.oracle.com/security-alerts/cpuapr2020.html

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

13) Improper input validation

EUVDB-ID: #VU27284

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2020-2911

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a local privileged user to execute arbitrary code.

The vulnerability exists due to improper input validation within the Core component in Oracle VM VirtualBox. A local privileged user can exploit this vulnerability to execute arbitrary code.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Oracle VM VirtualBox: 5.2.0 - 6.1.4


CPE2.3 External links

http://www.oracle.com/security-alerts/cpuapr2020.html

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

14) Improper input validation

EUVDB-ID: #VU27283

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2020-2929

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a local authenticated user to execute arbitrary code.

The vulnerability exists due to improper input validation within the Core component in Oracle VM VirtualBox. A local authenticated user can exploit this vulnerability to execute arbitrary code.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Oracle VM VirtualBox: 5.2.0 - 6.1.4


CPE2.3 External links

http://www.oracle.com/security-alerts/cpuapr2020.html

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

15) Improper input validation

EUVDB-ID: #VU27282

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2020-2894

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a local privileged user to execute arbitrary code.

The vulnerability exists due to improper input validation within the Core component in Oracle VM VirtualBox. A local privileged user can exploit this vulnerability to execute arbitrary code.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Oracle VM VirtualBox: 5.2.0 - 6.1.4


CPE2.3 External links

http://www.oracle.com/security-alerts/cpuapr2020.html

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

16) Improper input validation

EUVDB-ID: #VU27281

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2020-2758

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a local privileged user to execute arbitrary code.

The vulnerability exists due to improper input validation within the Core component in Oracle VM VirtualBox. A local privileged user can exploit this vulnerability to execute arbitrary code.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Oracle VM VirtualBox: 5.2.0 - 6.1.4


CPE2.3 External links

http://www.oracle.com/security-alerts/cpuapr2020.html

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

17) Improper input validation

EUVDB-ID: #VU27280

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2020-2908

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a local privileged user to execute arbitrary code.

The vulnerability exists due to improper input validation within the Core component in Oracle VM VirtualBox. A local privileged user can exploit this vulnerability to execute arbitrary code.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Oracle VM VirtualBox: 5.2.0 - 6.1.4


CPE2.3 External links

http://www.oracle.com/security-alerts/cpuapr2020.html

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

18) Improper input validation

EUVDB-ID: #VU27279

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2020-2905

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a local privileged user to execute arbitrary code.

The vulnerability exists due to improper input validation within the Core component in Oracle VM VirtualBox. A local privileged user can exploit this vulnerability to execute arbitrary code.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Oracle VM VirtualBox: 5.2.0 - 6.1.4


CPE2.3 External links

http://www.oracle.com/security-alerts/cpuapr2020.html

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

19) Improper input validation

EUVDB-ID: #VU27278

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2020-2742

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a local privileged user to execute arbitrary code.

The vulnerability exists due to improper input validation within the Core component in Oracle VM VirtualBox. A local privileged user can exploit this vulnerability to execute arbitrary code.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Oracle VM VirtualBox: 5.2.0 - 6.1.0


CPE2.3 External links

http://www.oracle.com/security-alerts/cpuapr2020.html

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

20) Use of Uninitialized Variable

EUVDB-ID: #VU27493

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2020-2575

CWE-ID: CWE-457 - Use of Uninitialized Variable

Exploit availability: No

Description

The vulnerabilities allows a local user to escalate privileges on the target system.

The vulnerability exists within the processing of data sent to OHCI endpoints due to the lack of proper initialization of memory prior to accessing it. A local user can gain elevated privileges on the target system and execute arbitrary code.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Oracle VM VirtualBox: 5.2.0 - 6.1.4


CPE2.3 External links

http://www.oracle.com/security-alerts/cpuapr2020.html
http://www.zerodayinitiative.com/advisories/ZDI-20-582/

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?



###SIDEBAR###