Vulnerability Description
This vulnerability allows local attackers to disclose kernel memory on affected installations of Parallels Desktop 15.1.4. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit it. The specific flaw exists within the prl_hypervisor kext, the kernel extension that backs the hypervisor. The kext does not properly validate data supplied by the calling user process, so a crafted request can make it read past the end of an allocated buffer. On its own this is an out-of-bounds read, not a write: its value to an attacker is the contents of adjacent kernel memory (for example pointers that undermine address-space randomization), which is why the advisory describes it as a building block that, combined with other vulnerabilities, leads to arbitrary code execution in the context of the kernel. This issue was tracked as ZDI-CAN-11302 prior to publication.
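The bug class the description names, a user-controlled offset and length reaching a kernel request handler that never compares them against the allocation, shown in C as an added illustrative example. This is not Parallels code and nothing about the real prl_hypervisor request format is known from this page: the `read_req` layout, the 16-byte object, the surrounding arena and the "adjacent" bytes it contains are all constructed assumptions. It runs in user space and models the kext's allocation as a sub-range of a larger array so the over-read stays inside the program's own memory, and it also shows why the obvious `offset + length <= size` check is not enough.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model, not Parallels code. The request layout, the object size
 * and the "adjacent" bytes are assumptions chosen to show the bug class. */

#define OBJ_SIZE   16u   /* bytes in the kernel object a caller may legitimately read */
#define ARENA_SIZE 64u   /* the object sits at the start of a larger region that stands
                            in for whatever the kernel allocator placed next to it */

/* What a low-privileged process hands to the kext: both fields attacker-controlled. */
struct read_req {
    uint32_t offset;
    uint32_t length;
};

static uint8_t kernel_arena[ARENA_SIZE];

/* Bytes [0, OBJ_SIZE) are the object; everything after it is constructed
 * "adjacent kernel memory" (0x53) that must never be copied to userland. */
static void setup_arena(void) {
    memset(kernel_arena, 0x41, OBJ_SIZE);
    memset(kernel_arena + OBJ_SIZE, 0x53, ARENA_SIZE - OBJ_SIZE);
}

/* The check a reviewer should reject: with 32-bit operands offset + length wraps,
 * so offset = 0xFFFFFFFF, length = 1 sums to 0 and passes. */
int bounds_ok_naive(uint32_t offset, uint32_t length) {
    return offset + length <= OBJ_SIZE;
}

/* Overflow-safe form: bound length first, then compare offset with the room left. */
int bounds_ok_safe(uint32_t offset, uint32_t length) {
    return length <= OBJ_SIZE && offset <= OBJ_SIZE - length;
}

typedef int (*read_handler)(const struct read_req *, uint8_t *, size_t);

/* Vulnerable pattern: offset/length are used as-is against the object, so a
 * request that extends past OBJ_SIZE copies adjacent memory out. The handler
 * itself does no source bounds check; only the demo's caller keeps requests
 * inside kernel_arena so the program stays well-defined. */
int handle_read_vulnerable(const struct read_req *req, uint8_t *out, size_t out_cap) {
    if (req->length > out_cap)
        return -EINVAL;               /* protects the output buffer, not the source */
    memcpy(out, kernel_arena + req->offset, req->length);
    return (int)req->length;
}

/* Hardened: reject anything that does not fit inside the object before touching memory. */
int handle_read_hardened(const struct read_req *req, uint8_t *out, size_t out_cap) {
    if (req->length > out_cap)
        return -EINVAL;
    if (!bounds_ok_safe(req->offset, req->length))
        return -EINVAL;
    memcpy(out, kernel_arena + req->offset, req->length);
    return (int)req->length;
}

/* Run one request; returns the handler status (bytes read or -errno) and stores in
 * *leaked how many bytes of "adjacent" memory reached the output buffer. */
static int run_request(read_handler handler, uint32_t offset, uint32_t length, int *leaked) {
    uint8_t out[ARENA_SIZE];
    struct read_req req = { .offset = offset, .length = length };
    setup_arena();
    memset(out, 0, sizeof out);
    int n = handler(&req, out, sizeof out);
    *leaked = 0;
    for (int i = 0; i < n; i++)
        if (out[i] == 0x53)
            (*leaked)++;
    return n;
}

int read_status(read_handler handler, uint32_t offset, uint32_t length) {
    int leaked;
    return run_request(handler, offset, length, &leaked);
}

int leaked_bytes(read_handler handler, uint32_t offset, uint32_t length) {
    int leaked;
    run_request(handler, offset, length, &leaked);
    return leaked;
}

int main(void) {
    /* offset 8 + length 24 = 32, i.e. 16 bytes past the 16-byte object */
    printf("vulnerable handler: %d adjacent bytes leaked\n",
           leaked_bytes(handle_read_vulnerable, 8, 24));
    printf("hardened handler:   %d adjacent bytes leaked\n",
           leaked_bytes(handle_read_hardened, 8, 24));
    printf("naive check accepts 0xFFFFFFFF/1: %d, safe check: %d\n",
           bounds_ok_naive(0xFFFFFFFFu, 1), bounds_ok_safe(0xFFFFFFFFu, 1));
    return 0;
}
```

The hardened handler validates against the size of the object that was actually allocated, not against the output buffer the caller supplied, and it orders the comparison so that no intermediate sum can wrap; both points are what an auditor looks for in any kext or driver entry point that takes a length from user space.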
CVSS Score
6.5 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Parallels | Parallels Desktop | < 16.0.0 |
Related Weaknesses (CWE)
References
- https://kb.parallels.com/en/125013 (Vendor Advisory)
- https://www.zerodayinitiative.com/advisories/ZDI-20-1016/ (Third Party Advisory, VDB Entry)
FAQ
What is CVE-2020-17398?
CVE-2020-17398 is a vulnerability with a CVSS base score of 6.5 (MEDIUM). It allows local attackers to disclose kernel memory on affected installations of Parallels Desktop 15.1.4: an attacker who can already execute low-privileged code on the target system can trigger a read past the end of an allocated buffer in the prl_hypervisor kext.
How severe is CVE-2020-17398?
CVE-2020-17398 has been rated MEDIUM with a CVSS base score of 6.5/10. The score reflects that the attacker must already run code locally and that the direct impact is disclosure of kernel memory rather than code execution; the disclosed memory becomes dangerous when chained with another vulnerability to run code in the kernel.
Is there a patch for CVE-2020-17398?
Yes. Parallels Desktop versions before 16.0.0 are affected, so upgrading to 16.0.0 or later resolves the issue. See the Parallels knowledge base article and the ZDI advisory in the references above for details.