Published: 30/09/2020 Updated: 05/01/2021

CVSS v2 Base Score: 3.6 | Impact Score: 4.9 | Exploitability Score: 3.9

CVSS v3 Base Score: 7.1 | Impact Score: 5.2 | Exploitability Score: 1.8

VMScore: 320

Vector: AV:L/AC:L/Au:N/C:P/I:N/A:P

A flaw was found in dpdk in versions prior to 18.11.10 and prior to 19.11.5. A complete lack of validation of attacker-controlled parameters can lead to a buffer over read. The results of the over read are then written back to the guest virtual machine memory. This vulnerability can be used by an attacker in a virtual machine to read significant amounts of host memory. The highest threat from this vulnerability is to data confidentiality and system availability.

Vulnerable Product	Search on Vulmon	Subscribe to Product
dpdk data plane development kit
canonical ubuntu linux 20.04
opensuse leap 15.1
opensuse leap 15.2

Debian Bug report logs - #971269 dpdk: CVEs for multiple vhost crypto issues Package: src:dpdk; Maintainer for src:dpdk is Debian DPDK Maintainers <pkg-dpdk-devel@listsaliothdebianorg>; Reported by: Luca Boccassi <bluca@debianorg> Date: Mon, 28 Sep 2020 15:45:02 UTC Severity: important Tags: security Found in ve ...

Hello, Is there any particular reason for the Scope metric to be Unchanged (S:U) for CVE-2020-14377 and CVE-2020-14378? Thank you, On Mon, Sep 28, 2020 at 5:43 PM Ferruh Yigit <ferruhyigit () intel com> wrote: -- Mauro Matteo Cascella Red Hat Product Security PGP-Key ID: BB3410B0 ...

On 1/4/2021 8:28 AM, Mauro Matteo Cascella wrote: removed dpdk-announce mail list Hi Mauro, Is there a concern on the selected scope metric? Thanks ...

A set of vulnerabilities are fixed in DPDK: - CVE-2020-14374 - CVE-2020-14375 - CVE-2020-14376 - CVE-2020-14377 - CVE-2020-14378 Some downstream stakeholders were warned in advance in order to coordinate the release of fixes and reduce the vulnerability window Problem: A malicious guest can harm the host using vhost crypto, this includes executi ...

On Mon, Jan 4, 2021 at 12:29 PM Ferruh Yigit <ferruhyigit () intel com> wrote: Thank you for the timely reply With regard to CVE-2020-14377, the Scope metric was rated differently by NIST [1] hence my initial question [1] nvdnistgov/vuln/detail/CVE-2020-14377 kind of guest-to-host compromise, which usually implies a Scope ...

CWE-125 https://bugzilla.redhat.com/show_bug.cgi?id=1879472 https://www.openwall.com/lists/oss-security/2020/09/28/3 https://usn.ubuntu.com/4550-1/http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00004.html http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00006.html http://www.openwall.com/lists/oss-security/2021/01/04/5 http://www.openwall.com/lists/oss-security/2021/01/04/2 http://www.openwall.com/lists/oss-security/2021/01/04/1 https://nvd.nist.gov https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=971269

CVE-2020-14377

Vulnerability Summary

Vulnerability Trend

Vendor Advisories

Mailing Lists

References

Vulmon Search

About

Products

Connect