- Description
- In Morgan Stanley Hobbes through 2020-05-21, the array implementation lacks bounds checking, allowing exploitation of an out-of-bounds (OOB) read/write vulnerability that leads to both local and remote code (via RPC) execution.
- Source
- cve@mitre.org
- NVD status
- Modified
CVSS 3.1
- Type
- Primary
- Base score
- 9.8
- Impact score
- 5.9
- Exploitability score
- 3.9
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Severity
- CRITICAL
CVSS 2.0
- Type
- Primary
- Base score
- 7.5
- Impact score
- 6.4
- Exploitability score
- 10
- Vector string
- AV:N/AC:L/Au:N/C:P/I:P/A:P
- nvd@nist.gov
- CWE-125
- Hype score
- Not currently trending
- Morgan Stanley: The issue outlined in the CVE has been addressed in the latest release of Hobbes as of September 29, 2020. More information on the usage of Hobbes is detailed in the README.md of the project at https://github.com/Morgan-Stanley/hobbes
[
{
"nodes": [
{
"negate": false,
"cpeMatch": [
{
"criteria": "cpe:2.3:a:morganstanley:hobbes:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "3C52C517-2A72-4B64-8F9F-6BE2A911B37B",
"versionEndIncluding": "2020-05-21"
}
],
"operator": "OR"
}
]
}
]