CVE-2020-8937

CWE-120 — Classic Buffer Overflow CWE-787 — Out-of-bounds Write3 documents3 sources

Severity

3.3LOW

EPSS

0.0%

top 95.35%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Google LLC Asylo Google Asylo

Timeline

PublishedDec 15

Latest updateMay 24

Description

An arbitrary memory overwrite vulnerability in Asylo versions up to 0.6.0 allows an attacker to make a host call to enc_untrusted_create_wait_queue that uses a pointer queue that relies on UntrustedLocalMemcpy, which fails to validate where the pointer is located. This allows an attacker to write memory values from within the enclave. We recommend upgrading past commit a37fb6a0e7daf30134dbbf357c9a518a1026aa02

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:NExploitability: 1.0 | Impact: 4.2

Affected Packages2 packages

▶NVDgoogle/asylo0.6.0

▶CVEListV5google_llc/asylo0.6.0 — 0.6.0

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-wv62-pfmm-x787: An arbitrary memory overwrite vulnerability in Asylo versions up to 0↗2022-05-24

▶

CVEList

Arbitrary enclave memory location write from untrusted environment↗2020-12-15

▶