CVE-2020-11740 — Improper Removal of Sensitive Information Before Storage or Transfer in XEN
Severity
5.5 MEDIUM (NVD)
EPSS
0.1%
top 74.48%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Apr 14
Latest update: Sep 19
Description
An issue was discovered in xenoprof in Xen through 4.13.x, allowing guest OS users (without active profiling) to obtain sensitive information about other guests. Unprivileged guests can request to map xenoprof buffers, even if profiling has not been enabled for those guests. These buffers were not scrubbed.
CVSS vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Exploitability: 1.8 | Impact: 3.6
Affected Packages: 4 packages
Also affects: Debian Linux 10.0, Fedora 30, 31, 32
Patches
Vulnerability Details (4)
Vendor Advisories (3)
Community (2)
Bugzilla
CVE-2020-11740 xen: xenoprof issue allows guest OS users without active profiling to obtain sensitive information about other guests (XSA-313) [fedora-all] (2020-04-14)
Bugzilla
CVE-2020-11740 xen: xenoprof issue allows guest OS users without active profiling to obtain sensitive information about other guests (XSA-313) (2020-04-14)