Overview
- Description
- In Morgan Stanley Hobbes through 2020-05-21, the array implementation lacks bounds checking, allowing exploitation of an out-of-bounds (OOB) read/write vulnerability that leads to both local and remote code (via RPC) execution.
- Source
- cve@mitre.org
- NVD status
- Analyzed
Risk scores
CVSS 3.1
- Type
- Primary
- Base score
- 9.8
- Impact score
- 5.9
- Exploitability score
- 3.9
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Severity
- CRITICAL
CVSS 2.0
- Type
- Primary
- Base score
- 7.5
- Impact score
- 6.4
- Exploitability score
- 10
- Vector string
- AV:N/AC:L/Au:N/C:P/I:P/A:P
Weaknesses
- nvd@nist.gov
- CWE-125
Social media
- Hype score
- Not currently trending
Vendor comments
- Morgan StanleyThe issue outlined in the CVE has been addressed in the latest release of Hobbes as of September 29, 2020. More information on the usage of Hobbes is detailed in the README.md of the project at https://github.com/Morgan-Stanley/hobbes
Configurations
[
{
"nodes": [
{
"negate": false,
"cpeMatch": [
{
"criteria": "cpe:2.3:a:morganstanley:hobbes:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "3C52C517-2A72-4B64-8F9F-6BE2A911B37B",
"versionEndIncluding": "2020-05-21"
}
],
"operator": "OR"
}
]
}
]