Oracle VM VirtualBox up to 5.2.43/6.0.23/6.1.11 Core Local Privilege Escalation

Summaryinfo

A vulnerability classified as critical has been found in Oracle VM VirtualBox up to 5.2.43/6.0.23/6.1.11. Impacted is an unknown function of the component Core. Performing a manipulation results in Local Privilege Escalation. This vulnerability was named CVE-2020-14647. The attack needs to be approached locally. There is no available exploit. It is recommended to upgrade the affected component.

Detailsinfo

A vulnerability, which was classified as critical, was found in Oracle VM VirtualBox up to 5.2.43/6.0.23/6.1.11 (Virtualization Software). This affects some unknown processing of the component Core. The manipulation with an unknown input leads to a local privilege escalation vulnerability. This is going to have an impact on confidentiality, integrity, and availability. The summary by CVE is:

Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are Prior to 5.2.44, prior to 6.0.24 and prior to 6.1.12. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H).

The weakness was presented 07/15/2020 as Oracle Critical Patch Update Advisory - July 2020 as confirmed advisory (Website). The advisory is shared at oracle.com. This vulnerability is uniquely identified as CVE-2020-14647. The exploitability is told to be difficult. An attack has to be approached locally. Additional levels of successful authentication are necessary for exploitation. Neither technical details nor an exploit are publicly available.

Upgrading eliminates this vulnerability. A possible mitigation has been published immediately after the disclosure of the vulnerability.

See VDB-158073, VDB-158074, VDB-158075 and VDB-158076 for similar entries. If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Productinfo

Type

• Virtualization Software

Vendor

• Oracle

Name

• VM VirtualBox

Version

• 5.2.0
• 5.2.1
• 5.2.2
• 5.2.3
• 5.2.4
• 5.2.5
• 5.2.6
• 5.2.7
• 5.2.8
• 5.2.9
• 5.2.10
• 5.2.11
• 5.2.12
• 5.2.13
• 5.2.14
• 5.2.15
• 5.2.16
• 5.2.17
• 5.2.18
• 5.2.19
• 5.2.20
• 5.2.21
• 5.2.22
• 5.2.23
• 5.2.24
• 5.2.25
• 5.2.26
• 5.2.27
• 5.2.28
• 5.2.29
• 5.2.30
• 5.2.31
• 5.2.32
• 5.2.33
• 5.2.34
• 5.2.35
• 5.2.36
• 5.2.37
• 5.2.38
• 5.2.39
• 5.2.40
• 5.2.41
• 5.2.42
• 5.2.43
• 6.0.0
• 6.0.1
• 6.0.2
• 6.0.3
• 6.0.4
• 6.0.5
• 6.0.6
• 6.0.7
• 6.0.8
• 6.0.9
• 6.0.10
• 6.0.11
• 6.0.12
• 6.0.13
• 6.0.14
• 6.0.15
• 6.0.16
• 6.0.17
• 6.0.18
• 6.0.19
• 6.0.20
• 6.0.21
• 6.0.22
• 6.0.23
• 6.1.0
• 6.1.1
• 6.1.2
• 6.1.3
• 6.1.4
• 6.1.5
• 6.1.6
• 6.1.7
• 6.1.8
• 6.1.9
• 6.1.10
• 6.1.11

License

• open-source (GNU GPLv3)

Website

• Vendor: https://www.oracle.com

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Discussion