Improper input validation in Oracle VM VirtualBox

#VU49878 Improper input validation in Oracle VM VirtualBox

Published: 2021-01-20

Vulnerability identifier: #VU49878

Vulnerability risk: Low

CVSSv3.1:

CVE-ID: CVE-2021-2123

CWE-ID:

Exploitation vector: Local

Exploit availability:

Vulnerable software:
Oracle VM VirtualBox
Server applications / Virtualization software

Vendor: Oracle

Description

The vulnerability allows a local privileged user to gain access to sensitive information.

The vulnerability exists due to improper input validation within the Core component in Oracle VM VirtualBox. A local privileged user can exploit this vulnerability to gain access to sensitive information.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Oracle VM VirtualBox: 6.1.0 - 6.1.16

Fixed software versions

CPE

cpe:2.3:a:oracle:vm_virtualbox:6.1.0:*:*:*:*:*:*:*

External links
http://www.oracle.com/security-alerts/cpujan2021.html

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

Latest bulletins with this vulnerability

Gentoo update for VirtualBox

Arch Linux update for virtualbox

Multiple vulnerabilities in Oracle VM VirtualBox