Vulnerability in Oracle VM VirtualBox Could Allow Low-Privileged Attackers to Compromise the Product

CVE-2023-21987

7.8HIGH

Key Information

Vendor: Oracle
Status: Vm Virtualbox
Vendor: CVE Published:; 18 April 2023

Badges

👾 Exploit Exists🔴 Public PoC

Summary

Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are Prior to 6.1.44 and Prior to 7.0.8. Difficult to exploit vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 7.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H).

Affected Version(s)

VM VirtualBox < 6.1.44

VM VirtualBox < 7.0.8

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

cve-2023-21987-poc
Created by chunzhennn

Refferences

https://www.oracle.com/security-alerts/cpuapr2023.html

vendor-advisory

CVSS V3.1

Score:

7.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Timeline

🔴
Public PoC available
Sep 24, 2024
👾
Exploit known to exist
Sep 24, 2024
Vulnerability published
Apr 18, 2023
Vulnerability Reserved
Dec 17, 2022

Collectors

NVD DatabaseMitre Database1 Proof of Concept(s)