CVE-2020-14377

CWE-125 — Out-of-bounds Read9 documents8 sources

Severity

7.1HIGH

EPSS

0.1%

top 80.20%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Dpdk Data Plane Development KIT Canonical Ubuntu Linux Opensuse Leap

Timeline

PublishedSep 30

Latest updateMay 24

Description

A flaw was found in dpdk in versions before 18.11.10 and before 19.11.5. A complete lack of validation of attacker-controlled parameters can lead to a buffer over read. The results of the over read are then written back to the guest virtual machine memory. This vulnerability can be used by an attacker in a virtual machine to read significant amounts of host memory. The highest threat from this vulnerability is to data confidentiality and system availability.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:HExploitability: 1.8 | Impact: 5.2

Affected Packages4 packages

▶NVDdpdk/data_plane_development_kit18.02.1 — 18.11.10+1

▶Debiandpdk< 19.11.5-1+3

▶CVEListV5dpdkAll dpdk versions before 18.11.10 and before 19.11.5

▶NVDopensuse/leap15.1, 15.2+1

Also affects: Ubuntu Linux 20.04

Patches

Patch: www.openwall.com ↗Patch: www.openwall.com ↗

🔴Vulnerability Details

GHSA

GHSA-79mp-xxw2-fgf4: A flaw was found in dpdk in versions before 18↗2022-05-24

▶

OSV

CVE-2020-14377: A flaw was found in dpdk in versions before 18↗2020-09-30

▶

CVEList

CVE-2020-14377: A flaw was found in dpdk in versions before 18↗2020-09-30

▶

📋Vendor Advisories

Red Hat

dpdk: write_back_data buffer over read (cipher->para.dst_data_len & desc->len)↗2020-09-28

▶

Ubuntu

DPDK vulnerabilities↗2020-09-28

▶

Debian

CVE-2020-14377: dpdk - A flaw was found in dpdk in versions before 18.11.10 and before 19.11.5. A compl...↗2020

▶

💬Community

Bugzilla

CVE-2020-14377 dpdk: write_back_data buffer over read (cipher->para.dst_data_len & desc->len) [fedora-all]↗2020-09-28

▶

Bugzilla

CVE-2020-14377 dpdk: write_back_data buffer over read (cipher->para.dst_data_len & desc->len)↗2020-09-16

▶