Improper input validation in Oracle VM VirtualBox

#VU52439 Improper input validation in Oracle VM VirtualBox

Published: 2021-04-21

Vulnerability identifier: #VU52439

Vulnerability risk: Low

CVSSv3.1:

CVE-ID: CVE-2021-2285

CWE-ID: CWE-20

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
Oracle VM VirtualBox
Server applications / Virtualization software

Vendor: Oracle

Description

The vulnerability allows a local non-authenticated attacker to gain access to sensitive information.

The vulnerability exists due to improper input validation within the Core component in Oracle VM VirtualBox. A local non-authenticated attacker can exploit this vulnerability to gain access to sensitive information.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Oracle VM VirtualBox: 6.1.0 - 6.1.18

CPE

cpe:2.3:a:oracle:oracle_vm_virtualbox:6.1.0:*:*:*:*:*:*:*

External links
http://www.oracle.com/security-alerts/cpuapr2021.html

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

Latest bulletins with this vulnerability

Gentoo update for Oracle VirtualBox

Arch Linux update for virtualbox

Multiple vulnerabilities in Oracle VM VirtualBox