7.8

CVE-2020-10027

ARC Platform Uses Signed Integer Comparison When Validating Syscall Numbers

An attacker who has obtained code execution within a user thread is able to elevate privileges to that of the kernel. See NCC-ZEP-001 This issue affects: zephyrproject-rtos zephyr version 1.14.0 and later versions. version 2.1.0 and later versions.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
ZephyrprojectZephyr Version1.14.0
ZephyrprojectZephyr Version2.1.0
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.69% 0.478
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 7.8 1.8 5.9
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov 7.2 3.9 10
AV:L/AC:L/Au:N/C:C/I:C/A:C
vulnerabilities@zephyrproject.org 7.8 1.1 6
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
CWE-697 Incorrect Comparison

The product compares two entities in a security-relevant context, but the comparison is incorrect.

https://docs.zephyrproject.org/latest/security/vulnerabilities.html#cve-2020-10027
https://github.com/zephyrproject-rtos/zephyr/pull/23328
Patch
Third Party Advisory
https://github.com/zephyrproject-rtos/zephyr/pull/23499
Patch
Third Party Advisory
https://github.com/zephyrproject-rtos/zephyr/pull/23500
Patch
Third Party Advisory
https://zephyrprojectsec.atlassian.net/browse/ZEPSEC-35
Third Party Advisory