Parallels Desktop
CVE-2020-17401
MEDIUM
Severity by source
AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
Lifecycle Timeline
1DescriptionNVD
This vulnerability allows local attackers to disclose sensitive informations on affected installations of Parallels Desktop 15.1.4. An attacker must first obtain the ability to execute high-privileged code on the target guest system in order to exploit this vulnerability. The specific flaw exists within the VGA virtual device. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated array. An attacker can leverage this in conjunction with other vulnerabilities to escalate privileges and execute code in the context of the hypervisor. Was ZDI-CAN-11363.
AnalysisAI
This vulnerability allows local attackers to disclose sensitive informations on affected installations of Parallels Desktop 15.1.4. Rated medium severity (CVSS 6.0), this vulnerability is low attack complexity. No vendor patch available.
Technical ContextAI
This vulnerability is classified under CWE-129. This vulnerability allows local attackers to disclose sensitive informations on affected installations of Parallels Desktop 15.1.4. An attacker must first obtain the ability to execute high-privileged code on the target guest system in order to exploit this vulnerability. The specific flaw exists within the VGA virtual device. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated array. An attacker can leverage this in conjunction with other vulnerabilities to escalate privileges and execute code in the context of the hypervisor. Was ZDI-CAN-11363. Affected products include: Parallels Parallels Desktop.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
More in Parallels Desktop
View allDirectory traversal vulnerability in Parallels Desktop for Mac version 20.2.2 (build 55879) affecting the PVMP package u
Privilege escalation vulnerability in Parallels Desktop for Mac version 20.1.1 (build 55740) where the snapshot function
Privilege escalation vulnerability in Parallels Desktop for Mac 20.1.1 that allows a local attacker with user-level priv
Privilege escalation vulnerability in Parallels Desktop for Mac version 20.1.1 (build 55740) affecting the Snapshot dele
Improper privilege management vulnerability in Parallels Desktop Software, which affects versions earlier than 19.3.0. R
This vulnerability allows local attackers to disclose sensitive information on affected installations of Parallels Deskt
This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Desktop 16.1.3 (
This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Desktop 16.1.3 (
This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Desktop 16.1.3 (
This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Desktop 16.1.2-4
This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Desktop 16.1.2-4
This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Desktop 15.1.5-4
Same weakness CWE-129 – Improper Validation of Array Index
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today