CVE-2020-11741: Missing Initialization of Resource in Xen

Severity
NVD: 8.8 HIGH
OSV: 5.5
EPSS: 0.1% (top 70.17%)
CISA KEV: Not in KEV
Exploit: No known exploits

Timeline
Published: Apr 14
Latest update: Sep 19

Description

An issue was discovered in xenoprof in Xen through 4.13.x, allowing guest OS users (with active profiling) to obtain sensitive information about other guests, cause a denial of service, or possibly gain privileges. For guests for which "active" profiling was enabled by the administrator, the xenoprof code uses the standard Xen shared ring structure. Unfortunately, this code did not treat the guest as a potential adversary: it trusts the guest not to modify buffer size information or modify head

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Exploitability: 2.0 | Impact: 6.0

Affected Packages (4 packages)

Debian | xen/xen | < 4.11.4-1+3
Ubuntu | xen/xen | < 4.11.3+24-g14b62ab3e5-1ubuntu2.3
NVD | xen/xen | 4.13.0+1
NVD | opensuse/leap | 15.1

Also affects: Debian Linux 10.0, Fedora 30, 31, 32

Patches

🔴 Vulnerability Details (4)

OSV | xen vulnerabilities | 2022-09-19
GHSA | GHSA-xqc2-qqq8-xfj5: An issue was discovered in xenoprof in Xen through 4 | 2022-05-24
OSV | CVE-2020-11741: An issue was discovered in xenoprof in Xen through 4 | 2020-04-14
CVEList | CVE-2020-11741: An issue was discovered in xenoprof in Xen through 4 | 2020-04-14

📋 Vendor Advisories (3)

Ubuntu | Xen vulnerabilities | 2022-09-19
Red Hat | xen: xenoprof issue allows guest OS users with active profiling to obtain sensitive information about other guests (XSA-313) | 2020-04-14
Debian | CVE-2020-11741: xen - An issue was discovered in xenoprof in Xen through 4.13.x, allowing guest OS use... | 2020

💬 Community (2)

Bugzilla | CVE-2020-11741 xen: xenoprof issue allows guest OS users with active profiling to obtain sensitive information about other guests (XSA-313) [fedora-all] | 2020-04-14
Bugzilla | CVE-2020-11741 xen: xenoprof issue allows guest OS users with active profiling to obtain sensitive information about other guests (XSA-313) | 2020-04-14