6.6

CVE-2020-14355

Multiple buffer overflow vulnerabilities were found in the QUIC image decoding process of the SPICE remote display system, before spice-0.14.2-1. Both the SPICE client (spice-gtk) and server are affected by these flaws. These flaws allow a malicious client or server to send specially crafted messages that, when processed by the QUIC image compression algorithm, result in a process crash or potential code execution.

Data is provided by the National Vulnerability Database (NVD)
Spice ProjectSpice Version < 0.14.2
RedhatOpenstack Version16.1
CanonicalUbuntu Linux Version14.04 SwEditionesm
CanonicalUbuntu Linux Version16.04 SwEditionlts
CanonicalUbuntu Linux Version18.04 SwEditionlts
CanonicalUbuntu Linux Version20.04 SwEditionlts
DebianDebian Linux Version9.0
OpensuseLeap Version15.2
RedhatEnterprise Linux Version6.0
RedhatEnterprise Linux Version7.0
RedhatEnterprise Linux Version8.0
RedhatEnterprise Linux Aus Version8.2
RedhatEnterprise Linux Eus Version8.1
RedhatEnterprise Linux Tus Version8.2
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Type Source Score Percentile
EPSS FIRST.org 1.63% 0.813
CVSS Metriken
Source Base Score Exploit Score Impact Score Vector string
nvd@nist.gov 6.6 2.3 3.7
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L
nvd@nist.gov 6.5 8 6.4
AV:N/AC:L/Au:S/C:P/I:P/A:P
CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buffer overflow.

https://bugzilla.redhat.com/show_bug.cgi?id=1868435
Patch
Vendor Advisory
Issue Tracking
https://usn.ubuntu.com/4572-1/
Third Party Advisory
https://usn.ubuntu.com/4572-2/
Third Party Advisory
https://www.openwall.com/lists/oss-security/2020/10/06/10
Patch
Third Party Advisory
Mailing List