History: Dec 26, 2019 - 3:15 p.m.

CVE-2019-15691

2019-12-26 15:15:11
CWE-672
CWE-825
web.nvd.nist.gov
tigervnc
cve-2019-15691
stack use-after-return
vulnerability
remote code execution
network connectivity
nvd

CVSS3: 7.2 High

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: HIGH
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

AI Score: 7.2 High (Confidence: High)

CVSS2: 6.5 Medium

Access Vector: NETWORK
Access Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

EPSS: 0.006 Low (Percentile: 79.2%)

TigerVNC versions prior to 1.10.1 are vulnerable to a stack use-after-return, which occurs due to incorrect usage of stack memory in ZRLEDecoder. If the decoding routine throws an exception, ZRLEDecoder may try to access a stack variable that has already been freed during stack unwinding. Exploitation of this vulnerability could potentially result in remote code execution. This attack appears to be exploitable via network connectivity.

Affected configurations

NVD

Node: tigervnc tigervnc, Range <1.10.1
Node: opensuse leap, Match 15.1

CPE                  Name      Operator  Version
tigervnc:tigervnc    tigervnc  lt        1.10.1

CNA Affected

[
  {
    "product": "TigerVNC",
    "vendor": "Kaspersky",
    "versions": [
      {
        "status": "affected",
        "version": "1.10.0"
      }
    ]
  }
]
