CVE-2020-3990
moderate-risk
Published 2020-09-16
VMware Workstation (15.x) and Horizon Client for Windows (5.x before 5.4.4) contain an information disclosure vulnerability due to an integer overflow issue in the Cortado ThinPrint component. A malicious actor with normal access to a virtual machine may be able to exploit this issue to leak memory from the TPView process running on the system where Workstation or Horizon Client for Windows is installed. Exploitation is only possible if virtual printing has been enabled. This feature is not enabled by default on Workstation, but it is enabled by default on Horizon Client.
Do I need to act?
0.04% chance of exploitation
EPSS score — low exploit probability
Not on CISA KEV list
No confirmed active exploitation reported to CISA
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
CVSS 6.5/10 · Medium · LOCAL / LOW complexity
Affected Products (3)
Affected Vendors
References (2)
Vendor Advisory
https://www.vmware.com/security/advisories/VMSA-2020-0020.html
Vendor Advisory
https://www.vmware.com/security/advisories/VMSA-2020-0020.html
30 / 100
moderate-risk
Severity
21/34 · High
Exploitability
0/34 · Minimal
Exposure
9/34 · Low