CVE-2020-3999

CWE-20Improper Input ValidationCWE-476NULL Pointer Dereference5 documents5 sources
Severity
6.5MEDIUM
EPSS
0.1%
top 71.75%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Vmware FusionVmware WorkstationVmware Esxi
Timeline
PublishedDec 21
Latest updateMay 24

Description

VMware ESXi (7.0 prior to ESXi70U1c-17325551), VMware Workstation (16.x prior to 16.0 and 15.x prior to 15.5.7), VMware Fusion (12.x prior to 12.0 and 11.x prior to 11.5.7) and VMware Cloud Foundation contain a denial of service vulnerability due to improper input validation in GuestInfo. A malicious actor with normal user privilege access to a virtual machine can crash the virtual machine's vmx process leading to a denial of service condition.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:HExploitability: 2.0 | Impact: 4.0

Affected Packages3 packages

NVDvmware/fusion11.5.011.5.7
NVDvmware/workstation15.0.015.5.7
NVDvmware/esxi7.0

Patches

Patch: www.vmware.comPatch: www.vmware.com

🔴Vulnerability Details

2
GHSA
GHSA-x697-2xrm-fh6r: VMware ESXi (72022-05-24
CVEList
CVE-2020-3999: VMware ESXi (72020-12-21

💥Exploits & PoCs

1
Exploit-DB
Druva inSync Windows Client 6.5.2 - Local Privilege Escalation2020-04-29

📋Vendor Advisories

1
VMware
VMware ESXi, Workstation, Fusion and Cloud Foundation updates address a denial of service vulnerability (CVE-2020-3999)2020-12-17
CVE-2020-3999 (MEDIUM CVSS 6.5) | VMware ESXi (7.0 prior to ESXi70U1c | cvebase.io