Source: virtualbox
Version: 7.0.20-dfsg-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerabilities were published for virtualbox.

CVE-2024-21248[0]:
| Vulnerability in the Oracle VM VirtualBox product of Oracle
| Virtualization (component: Core).  Supported versions that are
| affected are Prior to 7.0.22 and prior to 7.1.2. Difficult to
| exploit vulnerability allows low privileged attacker with logon to
| the infrastructure where Oracle VM VirtualBox executes to compromise
| Oracle VM VirtualBox.  While the vulnerability is in Oracle VM
| VirtualBox, attacks may significantly impact additional products
| (scope change).  Successful attacks of this vulnerability can result
| in unauthorized update, insert or delete access to some of Oracle
| VM VirtualBox accessible data as well as unauthorized read access
| to a subset of Oracle VM VirtualBox accessible data and unauthorized
| ability to cause a partial denial of service (partial DOS) of Oracle
| VM VirtualBox. CVSS 3.1 Base Score 5.3 (Confidentiality, Integrity
| and Availability impacts).  CVSS Vector:
| (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L).


CVE-2024-21253[1]:
| Vulnerability in the Oracle VM VirtualBox product of Oracle
| Virtualization (component: Core).  Supported versions that are
| affected are Prior to 7.0.22. Easily exploitable vulnerability
| allows high privileged attacker with logon to the infrastructure
| where Oracle VM VirtualBox executes to compromise Oracle VM
| VirtualBox.  Successful attacks of this vulnerability can result in
| unauthorized ability to cause a partial denial of service (partial
| DOS) of Oracle VM VirtualBox. CVSS 3.1 Base Score 2.3 (Availability
| impacts).  CVSS Vector:
| (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L).


CVE-2024-21259[2]:
| Vulnerability in the Oracle VM VirtualBox product of Oracle
| Virtualization (component: Core).  Supported versions that are
| affected are Prior to 7.0.22 and prior to 7.1.2. Difficult to
| exploit vulnerability allows high privileged attacker with logon to
| the infrastructure where Oracle VM VirtualBox executes to compromise
| Oracle VM VirtualBox.  While the vulnerability is in Oracle VM
| VirtualBox, attacks may significantly impact additional products
| (scope change).  Successful attacks of this vulnerability can result
| in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 7.5
| (Confidentiality, Integrity and Availability impacts).  CVSS Vector:
| (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H).


CVE-2024-21263[3]:
| Vulnerability in the Oracle VM VirtualBox product of Oracle
| Virtualization (component: Core).  Supported versions that are
| affected are Prior to 7.0.22 and prior to 7.1.2. Easily exploitable
| vulnerability allows low privileged attacker with logon to the
| infrastructure where Oracle VM VirtualBox executes to compromise
| Oracle VM VirtualBox.  Successful attacks of this vulnerability can
| result in unauthorized ability to cause a hang or frequently
| repeatable crash (complete DOS) of Oracle VM VirtualBox and
| unauthorized read access to a subset of Oracle VM VirtualBox
| accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and
| Availability impacts).  CVSS Vector:
| (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H).


CVE-2024-21273[4]:
| Vulnerability in the Oracle VM VirtualBox product of Oracle
| Virtualization (component: Core).  Supported versions that are
| affected are Prior to 7.0.22 and prior to 7.1.2. Easily exploitable
| vulnerability allows high privileged attacker with logon to the
| infrastructure where Oracle VM VirtualBox executes to compromise
| Oracle VM VirtualBox.  While the vulnerability is in Oracle VM
| VirtualBox, attacks may significantly impact additional products
| (scope change).  Successful attacks of this vulnerability can result
| in unauthorized access to critical data or complete access to all
| Oracle VM VirtualBox accessible data. CVSS 3.1 Base Score 6.0
| (Confidentiality impacts).  CVSS Vector:
| (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N).


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-21248
    https://www.cve.org/CVERecord?id=CVE-2024-21248
[1] https://security-tracker.debian.org/tracker/CVE-2024-21253
    https://www.cve.org/CVERecord?id=CVE-2024-21253
[2] https://security-tracker.debian.org/tracker/CVE-2024-21259
    https://www.cve.org/CVERecord?id=CVE-2024-21259
[3] https://security-tracker.debian.org/tracker/CVE-2024-21263
    https://www.cve.org/CVERecord?id=CVE-2024-21263
[4] https://security-tracker.debian.org/tracker/CVE-2024-21273
    https://www.cve.org/CVERecord?id=CVE-2024-21273

Regards,
Salvatore
