CVE-2020-8871
published 2020-03-23CVE-2020-8871: This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Desktop 15.1.0-47107 . An attacker must first obtain…
PriorityP431medium6.7CVSS 3.1
AVLACLPRHUINSUCHIHAH
EPSS
0.61%
44.9th percentile
This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Desktop 15.1.0-47107 . An attacker must first obtain the ability to execute high-privileged code on the target guest system in order to exploit this vulnerability. The specific flaw exists within the VGA virtual device. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer. An attacker can leverage this vulnerability to escalate privileges and execute code in the context of the hypervisor. Was ZDI-CAN-9403.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| gnome | libcroco | >= 0 < 0.6.13-1ubuntu0.1 | 0.6.13-1ubuntu0.1 |
| gnome | libcroco | >= 0 < 0.6.8-2ubuntu1+esm1 | 0.6.8-2ubuntu1+esm1 |
| gnome | libcroco | >= 0 < 0.6.11-1ubuntu0.1~esm1 | 0.6.11-1ubuntu0.1~esm1 |
| gnome | libcroco | >= 0 < 0.6.12-2ubuntu0.1~esm1 | 0.6.12-2ubuntu0.1~esm1 |
| parallels | desktop | — | — |
| parallels | parallels_desktop | < 15.1.3 | 15.1.3 |
CVSS provenance
nvdv3.16.7MEDIUMCVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
nvdv3.08.2HIGHCVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
nvdv2.04.6MEDIUMAV:L/AC:L/Au:N/C:P/I:P/A:P
osv5.5MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
libcroco vulnerabilities
osv·2024-08-13·CVSS 5.5
CVE-2017-7960 libcroco vulnerabilities
libcroco vulnerabilities
It was discovered that Libcroco was incorrectly accessing data structures
when reading bytes from memory, which could cause a heap buffer overflow.
An attacker could possibly use this issue to cause a denial of service.
This issue only affected Ubuntu 14.04 LTS. (CVE-2017-7960)
It was discovered that Libcroco was incorrectly handling invalid UTF-8
values when processing CSS files. An attacker could possibly use this
issue to cause a denial of service. (CVE-2017-8834, CVE-2017-8871)
It was discovered that Libcroco was incorrectly implementing recursion in
one of its parsing functions, which could cause an infinite recursion
loop and a stack overflow due to stack consumption. An attacker could
possibly use this issue to cause a denial of service. (CVE-2020-12825)
GHSA
GHSA-rmp8-cm96-7qjh: This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Desktop 15
ghsa_unreviewed·2022-05-24
CVE-2020-8871 [MEDIUM] GHSA-rmp8-cm96-7qjh: This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Desktop 15
This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Desktop 15.1.0-47107 . An attacker must first obtain the ability to execute high-privileged code on the target guest system in order to exploit this vulnerability. The specific flaw exists within the VGA virtual device. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer. An attacker can leverage this vulnerability to escalate privileges and execute code in the context of the hypervisor. Was ZDI-CAN-9403.
OSV
libcroco vulnerabilities
osv·2022-04-26·CVSS 5.5
CVE-2017-7960 libcroco vulnerabilities
libcroco vulnerabilities
It was discovered that Libcroco was incorrectly accessing data structures when
reading bytes from memory, which could cause a heap buffer overflow. An attacker
could possibly use this issue to cause a denial of service. (CVE-2017-7960)
It was discovered that Libcroco was incorrectly handling invalid UTF-8 values
when processing CSS files. An attacker could possibly use this issue to cause
a denial of service. (CVE-2017-8834, CVE-2017-8871)
It was discovered that Libcroco was incorrectly implementing recursion in one
of its parsing functions, which could cause an infinite recursion loop and a
stack overflow due to stack consumption. An attacker could possibly use this
issue to cause a denial of service. (CVE-2020-12825)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2020-03-23
Published