CVE-2020-8905Classic Buffer Overflow in LLC Asylo

CWE-120Classic Buffer Overflow3 documents3 sources
Severity
6.5MEDIUMNVD
CNA2.8
EPSS
0.1%
top 81.86%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Google LLC AsyloGoogle Asylo
Timeline
PublishedAug 12
Latest updateMay 24

Description

A buffer length validation vulnerability in Asylo versions prior to 0.6.0 allows an attacker to read data they should not have access to. The 'enc_untrusted_recvfrom' function generates a return value which is deserialized by 'MessageReader', and copied into three different 'extents'. The length of the third 'extents' is controlled by the outside world, and not verified on copy, allowing the attacker to force Asylo to copy trusted memory data into an untrusted buffer of significantly small lengt

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages2 packages

NVDgoogle/asylo< 0.6.0
CVEListV5google_llc/asylostable0.6.0

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

2
GHSA
GHSA-xr5f-j5gc-qw6j: A buffer length validation vulnerability in Asylo versions prior to 02022-05-24
CVEList
Confidential Information Disclosure vulnerability in Asylo2020-08-12
CVE-2020-8905 — Classic Buffer Overflow in LLC Asylo | cvebase