CVE-2020-14377

30.09.2020, 19:15

A flaw was found in dpdk in versions before 18.11.10 and before 19.11.5. A complete lack of validation of attacker-controlled parameters can lead to a buffer over read. The results of the over read are then written back to the guest virtual machine memory. This vulnerability can be used by an attacker in a virtual machine to read significant amounts of host memory. The highest threat from this vulnerability is to data confidentiality and system availability.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	7.1 HIGH	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
redhat	CNA	---				---
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 21%

Vendor	Product	Version
dpdk	data_plane_development_kit	18.02.1 ≤ 𝑥 < 18.11.10
dpdk	data_plane_development_kit	19.02 ≤ 𝑥 < 19.11.5
canonical	ubuntu_linux	20.04
opensuse	leap	15.1
opensuse	leap	15.2

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

dpdk

bullseye	20.11.10-1~deb11u1 fixed
stretch	not-affected
bullseye (security)	20.11.6-1~deb11u1 fixed
bookworm	22.11.5-1~deb12u1 fixed
sid	23.11.2-2 fixed
trixie	23.11.2-2 fixed