Vulnerability DatabaseCVE-2020-8904
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2020-8904
August 12, 2020
An arbitrary memory overwrite vulnerability in the trusted memory of Asylo exists in versions prior to 0.6.0. As the ecall_restore function fails to validate the range of the output_len pointer, an attacker can manipulate the tmp_output_len value and write to an arbitrary location in the trusted (enclave) memory. We recommend updating Asylo to version 0.6.0 or later.
Related Resources (1)
https://github.com/google/asylo/commit/e582f36ac49ee11a21d23ad6a30c333092e0a94e
Do you need more information?
Contact Us
CVSS v4
Base Score:
6.9
Attack Vector
LOCAL
Attack Complexity
HIGH
Attack Requirements
NONE
Privileges Required
LOW
User Interaction
NONE
Vulnerable System Confidentiality
NONE
Vulnerable System Integrity
LOW
Vulnerable System Availability
HIGH
Subsequent System Confidentiality
NONE
Subsequent System Integrity
LOW
Subsequent System Availability
HIGH
CVSS v3
Base Score:
6.4
Attack Vector
LOCAL
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality
NONE
Integrity
LOW
Availability
HIGH
CVSS v2
Base Score:
5.5
Access Vector
NETWORK
Access Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
Weakness Type (CWE)
Use of Out-of-range Pointer Offset
CWE-823
Improper Restriction of Operations within the Bounds of a Memory Buffer
CWE-119
EPSS
Base Score:
0.06