Source: virtualbox
Version: 7.0.20-dfsg-1.2
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerabilities were published for virtualbox.

CVE-2025-30712[0]:
| Vulnerability in the Oracle VM VirtualBox product of Oracle
| Virtualization (component: Core). The supported version that is
| affected is 7.1.6. Easily exploitable vulnerability allows high
| privileged attacker with logon to the infrastructure where Oracle VM
| VirtualBox executes to compromise Oracle VM VirtualBox. While the
| vulnerability is in Oracle VM VirtualBox, attacks may significantly
| impact additional products (scope change). Successful attacks of
| this vulnerability can result in unauthorized creation, deletion or
| modification access to critical data or all Oracle VM VirtualBox
| accessible data as well as unauthorized access to critical data or
| complete access to all Oracle VM VirtualBox accessible data and
| unauthorized ability to cause a partial denial of service (partial
| DOS) of Oracle VM VirtualBox. CVSS 3.1 Base Score 8.1
| (Confidentiality, Integrity and Availability impacts). CVSS Vector:
| (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L).

CVE-2025-30719[1]:
| Vulnerability in the Oracle VM VirtualBox product of Oracle
| Virtualization (component: Core). The supported version that is
| affected is 7.1.6. Easily exploitable vulnerability allows low
| privileged attacker with logon to the infrastructure where Oracle VM
| VirtualBox executes to compromise Oracle VM VirtualBox. Successful
| attacks of this vulnerability can result in unauthorized ability to
| cause a hang or frequently repeatable crash (complete DOS) of Oracle
| VM VirtualBox and unauthorized read access to a subset of Oracle VM
| VirtualBox accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality
| and Availability impacts). CVSS Vector:
| (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H).

CVE-2025-30725[2]:
| Vulnerability in the Oracle VM VirtualBox product of Oracle
| Virtualization (component: Core). The supported version that is
| affected is 7.1.6. Difficult to exploit vulnerability allows high
| privileged attacker with logon to the infrastructure where Oracle VM
| VirtualBox executes to compromise Oracle VM VirtualBox. While the
| vulnerability is in Oracle VM VirtualBox, attacks may significantly
| impact additional products (scope change). Successful attacks of
| this vulnerability can result in unauthorized ability to cause a
| hang or frequently repeatable crash (complete DOS) of Oracle VM
| VirtualBox as well as unauthorized update, insert or delete access
| to some of Oracle VM VirtualBox accessible data and unauthorized
| read access to a subset of Oracle VM VirtualBox accessible data.
| CVSS 3.1 Base Score 6.7 (Confidentiality, Integrity and Availability
| impacts). CVSS Vector:
| (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:H).

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-30712
    https://www.cve.org/CVERecord?id=CVE-2025-30712
[1] https://security-tracker.debian.org/tracker/CVE-2025-30719
    https://www.cve.org/CVERecord?id=CVE-2025-30719
[2] https://security-tracker.debian.org/tracker/CVE-2025-30725
    https://www.cve.org/CVERecord?id=CVE-2025-30725

Regards,
Salvatore