CVE-2020-2748

Name of the Vulnerable Software and Affected Versions Oracle VM VirtualBox versions prior to 5.2.40 Oracle VM VirtualBox versions prior to 6.0.20 Oracle VM VirtualBox versions prior to 6.1.6

Description The issue is related to the Oracle VM VirtualBox product, specifically the Core component. It allows a high-privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox, potentially resulting in unauthorized read access to a subset of Oracle VM VirtualBox accessible data. The vulnerability may significantly impact additional products. The vmsvgaR3FifoUpdateCursor function of the virtual machine is associated with a lack of protection of service data, which can be exploited to gain unauthorized access to protected information.

Recommendations For versions prior to 5.2.40, update to version 5.2.40 or later. For versions prior to 6.0.20, update to version 6.0.20 or later. For versions prior to 6.1.6, update to version 6.1.6 or later. As a temporary workaround, consider restricting access to the vmsvgaR3FifoUpdateCursor function until a patch is available.