{"id":"MGASA-2023-0335","summary":"Updated virtualbox packages fix security vulnerabilities and other bugs","details":"This update fixes several security issues and other bugs, among them:\n\nVulnerability in the Oracle VM VirtualBox product of Oracle\nVirtualization (component: Core). Supported versions that are affected\nare Prior to 7.0.12. Easily exploitable vulnerability allows high\nprivileged attacker with logon to the infrastructure where Oracle VM\nVirtualBox executes to compromise Oracle VM VirtualBox. While the\nvulnerability is in Oracle VM VirtualBox, attacks may significantly\nimpact additional products (scope change). Successful attacks of this\nvulnerability can result in unauthorized ability to cause a hang or\nfrequently repeatable crash (complete DOS) of Oracle VM VirtualBox as\nwell as unauthorized update, insert or delete access to some of Oracle\nVM VirtualBox accessible data and unauthorized read access to a subset\nof Oracle VM VirtualBox accessible data. Note: Only applicable to 7.0.x\nplatform. CVSS 3.1 Base Score 7.3 (Confidentiality, Integrity and\nAvailability impacts).\nCVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:H).\n(CVE-2023-22098)\n\nVulnerability in the Oracle VM VirtualBox product of Oracle\nVirtualization (component: Core). Supported versions that are affected\nare Prior to 7.0.12. Easily exploitable vulnerability allows high\nprivileged attacker with logon to the infrastructure where Oracle VM\nVirtualBox executes to compromise Oracle VM VirtualBox. While the\nvulnerability is in Oracle VM VirtualBox, attacks may significantly\nimpact additional products (scope change). Successful attacks of this\nvulnerability can result in takeover of Oracle VM VirtualBox. Note: Only\napplicable to 7.0.x platform. CVSS 3.1 Base Score 8.2 (Confidentiality,\nIntegrity and Availability impacts).\nCVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).\n(CVE-2023-22099)\n\nVulnerability in the Oracle VM VirtualBox product of Oracle\nVirtualization (component: Core). Supported versions that are affected\nare Prior to 7.0.12. Easily exploitable vulnerability allows high\nprivileged attacker with logon to the infrastructure where Oracle VM\nVirtualBox executes to compromise Oracle VM VirtualBox. While the\nvulnerability is in Oracle VM VirtualBox, attacks may significantly\nimpact additional products (scope change). Successful attacks of this\nvulnerability can result in unauthorized access to critical data or\ncomplete access to all Oracle VM VirtualBox accessible data and\nunauthorized ability to cause a hang or frequently repeatable crash\n(complete DOS) of Oracle VM VirtualBox. Note: Only applicable to 7.0.x\nplatform. CVSS 3.1 Base Score 7.9 (Confidentiality and Availability\nimpacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:H).\n(CVE-2023-22100)\n\nWARNING\nVirtualBox 7.0.12 and Windows guest additions between (not incl)\n7.0.10 & 7.0.13r160164 are problematic for Windows guests less than\nWin10 https://bugs.mageia.org/show_bug.cgi?id=32587\n","modified":"2026-04-16T04:42:22.848425224Z","published":"2023-12-04T08:28:24Z","upstream":["CVE-2023-22098","CVE-2023-22099","CVE-2023-22100"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2023-0335.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=32490"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=32587"},{"type":"WEB","url":"https://www.virtualbox.org/wiki/Changelog-7.0#v12"},{"type":"WEB","url":"https://www.oracle.com/security-alerts/cpuoct2023.html#AppendixOVIR"}],"affected":[{"package":{"name":"virtualbox","ecosystem":"Mageia:9","purl":"pkg:rpm/mageia/virtualbox?arch=source&distro=mageia-9"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"7.0.12-2.mga9"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2023-0335.json"}},{"package":{"name":"kmod-virtualbox","ecosystem":"Mageia:9","purl":"pkg:rpm/mageia/kmod-virtualbox?arch=source&distro=mageia-9"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"7.0.12-38.mga9"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2023-0335.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}