CVE-2020-8905 Vulnerability Details


CVE-2020-8905 Metadata Quick Info

CVE Published: 12/08/2020 | CVE Updated: 17/09/2024 | CVE Year: 2020
Source: Google | Vendor: Google LLC | Product: Asylo
Status : PUBLISHED

CVE-2020-8905 Description

A buffer length validation vulnerability in Asylo versions prior to 0.6.0 allows an attacker to read data they should not have access to. The 'enc_untrusted_recvfrom' function generates a return value which is deserialized by 'MessageReader' and copied into three different 'extents'. The length of the third extent is controlled by the outside world and is not verified on copy, allowing the attacker to force Asylo to copy trusted memory data into an untrusted buffer of significantly small length. We recommend updating Asylo to version 0.6.0 or later.
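The defect the description names, a copy whose length is chosen by the untrusted side and never compared with the buffers involved, modelled in C beside the check that closes it. This is an added example, not Asylo's code; the extent_t type, the function names and the buffer sizes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the CVE-2020-8905 pattern; this is not Asylo's code.
 * An "extent" is a (pointer, length) pair filled in when a host reply is
 * deserialized. In the vulnerable path the length of the third extent is
 * chosen by the untrusted host and used as the memcpy size without being
 * checked against the trusted source or the untrusted destination buffer. */
typedef struct { uint8_t *data; size_t size; } extent_t;

enum { COPY_OK = 0, COPY_REJECTED = -1 };

/* Vulnerable form: the host-chosen length drives the copy unconditionally. */
size_t copy_extent_unchecked(extent_t *untrusted_dst, const uint8_t *trusted_src,
                             size_t host_len) {
    /* host_len larger than either buffer is never noticed: trusted bytes
     * past the intended data end up where the host can read them. */
    memcpy(untrusted_dst->data, trusted_src, host_len);
    return host_len;
}

/* Hardened form: the copy length must fit both buffers or is rejected. */
int copy_extent_checked(extent_t *untrusted_dst, const uint8_t *trusted_src,
                        size_t trusted_len, size_t host_len, size_t *copied) {
    if (untrusted_dst->data == NULL || trusted_src == NULL) return COPY_REJECTED;
    if (host_len > untrusted_dst->size || host_len > trusted_len) return COPY_REJECTED;
    memcpy(untrusted_dst->data, trusted_src, host_len);
    *copied = host_len;
    return COPY_OK;
}

/* Runs the checked copy with constructed buffers: 8 trusted bytes, a 4-byte
 * host buffer, and a host-supplied length. Returns COPY_OK or COPY_REJECTED. */
int demo_copy(size_t host_len) {
    uint8_t trusted[8] = {1, 2, 3, 4, 5, 6, 7, 8};
    uint8_t host_buf[4] = {0};
    extent_t dst = { host_buf, sizeof host_buf };
    size_t copied = 0;
    return copy_extent_checked(&dst, trusted, sizeof trusted, host_len, &copied);
}

int main(void) {
    printf("host asks for 4 bytes  -> %d (COPY_OK)\n", demo_copy(4));
    printf("host asks for 64 bytes -> %d (COPY_REJECTED)\n", demo_copy(64));
    return 0;
}
```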

Metrics

CVSS Version: 3.1 | Base Score: 2.8 LOW
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N

Exploitability Metrics:
    Attack Vector (AV): LOCAL
    Attack Complexity (AC): HIGH
    Privileges Required (PR): LOW
    User Interaction (UI): NONE
    Scope (S): CHANGED

Impact Metrics:
    Confidentiality Impact (C): LOW
    Integrity Impact (I): NONE
    Availability Impact (A): NONE

Weakness Enumeration (CWE)

CWE-ID: CWE-120
CWE Name: CWE-120 Buffer Overflow
Source: Google LLC

Common Attack Pattern Enumeration and Classification (CAPEC)

CAPEC-ID: none listed
CAPEC Description: none listed

Source: NVD (National Vulnerability Database).