6.6 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L
6.5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:P/I:P/A:P
0.005 Low
EPSS
Percentile
77.1%
Severity: Critical
Date : 2021-07-06
CVE-ID : CVE-2020-14355 CVE-2021-20201
Package : spice
Type : multiple issues
Remote : Yes
Link : https://security.archlinux.org/AVG-1239
The package spice before version 0.15.0-1 is vulnerable to multiple
issues including arbitrary code execution and denial of service.
Upgrade to 0.15.0-1.
The problems have been fixed upstream in version 0.15.0.
None.
Multiple buffer overflow vulnerabilities were found in the QUIC image
decoding process of the SPICE remote display system. More specifically,
these flaws reside in the spice-common shared code between the client
and server of SPICE. In other words, both the client (spice-gtk) and
server are affected by these flaws. A malicious client or server could
send specially crafted messages which could result in a process crash
or potential code execution scenario. The issues have been fixed in
spice (server) version 0.14.90 and spice-gtk (client) version 0.39.
An issue was discovered in SPICE server before version 0.15.0. There is
a vulnerability which might make it easier for remote attackers to
cause a denial of service (CPU consumption) by performing many
renegotiations within a single connection.
A remote attacker could execute arbitrary code on the SPICE server
using crafted messages, or cause high CPU consumption by performing
many renegotiations.
https://bugs.archlinux.org/task/68166
https://www.openwall.com/lists/oss-security/2020/10/06/10
https://gitlab.freedesktop.org/spice/spice-common/-/commit/762e0abae36033ccde658fd52d3235887b60862d
https://gitlab.freedesktop.org/spice/spice-common/-/commit/404d74782c8b5e57d146c5bf3118bb41bf3378e4
https://gitlab.freedesktop.org/spice/spice-common/-/commit/ef1b6ff7b82e15d759e5415b8e35b92bb1a4c206
https://gitlab.freedesktop.org/spice/spice-common/-/commit/b24fe6b66b86e601c725d30f00c37e684b6395b6
https://gitlab.freedesktop.org/spice/spice/-/commit/4f71d0cdb79d2f61da49d439a5b72e3ce0070313
https://gitlab.freedesktop.org/spice/spice-gtk/-/commit/df0d3f9d95fe8235b95fa291feb746ba5e3bd6aa
https://bugzilla.redhat.com/show_bug.cgi?id=1921846
https://gitlab.freedesktop.org/spice/spice/-/issues/49
https://gitlab.freedesktop.org/spice/spice/-/merge_requests/150
https://gitlab.freedesktop.org/spice/spice/-/commit/95a0cfac8a1c8eff50f05e65df945da3bb501fc9
https://gitlab.freedesktop.org/spice/spice/-/commit/ca5bbc5692e052159bce1a75f55dc60b36078749
https://security.archlinux.org/CVE-2020-14355
https://security.archlinux.org/CVE-2021-20201
bugs.archlinux.org/task/68166
bugzilla.redhat.com/show_bug.cgi?id=1921846
gitlab.freedesktop.org/spice/spice-common/-/commit/404d74782c8b5e57d146c5bf3118bb41bf3378e4
gitlab.freedesktop.org/spice/spice-common/-/commit/762e0abae36033ccde658fd52d3235887b60862d
gitlab.freedesktop.org/spice/spice-common/-/commit/b24fe6b66b86e601c725d30f00c37e684b6395b6
gitlab.freedesktop.org/spice/spice-common/-/commit/ef1b6ff7b82e15d759e5415b8e35b92bb1a4c206
gitlab.freedesktop.org/spice/spice-gtk/-/commit/df0d3f9d95fe8235b95fa291feb746ba5e3bd6aa
gitlab.freedesktop.org/spice/spice/-/commit/4f71d0cdb79d2f61da49d439a5b72e3ce0070313
gitlab.freedesktop.org/spice/spice/-/commit/95a0cfac8a1c8eff50f05e65df945da3bb501fc9
gitlab.freedesktop.org/spice/spice/-/commit/ca5bbc5692e052159bce1a75f55dc60b36078749
gitlab.freedesktop.org/spice/spice/-/issues/49
gitlab.freedesktop.org/spice/spice/-/merge_requests/150
security.archlinux.org/AVG-1239
security.archlinux.org/CVE-2020-14355
security.archlinux.org/CVE-2021-20201
www.openwall.com/lists/oss-security/2020/10/06/10
6.6 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L
6.5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:P/I:P/A:P
0.005 Low
EPSS
Percentile
77.1%