CVE-2020-8904

Severity
9.6 CRITICAL
EPSS
0.1%
top 81.13%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Aug 12
Latest update: May 24

Description

An arbitrary memory overwrite vulnerability in the trusted memory of Asylo exists in versions prior to 0.6.0. As the ecall_restore function fails to validate the range of the output_len pointer, an attacker can manipulate the tmp_output_len value and write to an arbitrary location in the trusted (enclave) memory. We recommend updating Asylo to version 0.6.0 or later.

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:H
Exploitability: 1.1 | Impact: 4.7

Affected Packages (2 packages)

NVD: google/asylo < 0.6.0
CVEListV5: google_llc/asylo stable 0.6.0

Patches

Vulnerability Details (2)

GHSA
GHSA-pc43-829f-g5gr: An arbitrary memory overwrite vulnerability in the trusted memory of Asylo exists in versions prior to 0 (2022-05-24)
CVEList
Arbitrary trusted memory overwrite vulnerability in Asylo (2020-08-12)