7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
0.012 Low
EPSS
Percentile
85.3%
Package : libvncserver
Version : 0.9.11+dfsg-1.3~deb9u5
CVE ID : CVE-2019-20839 CVE-2020-14397 CVE-2020-14399 CVE-2020-14400
CVE-2020-14401 CVE-2020-14402 CVE-2020-14403 CVE-2020-14404
CVE-2020-14405
Several minor vulnerabilities have been discovered in libvncserver, a
server and client implementation of the VNC protocol.
CVE-2019-20839
libvncclient/sockets.c in LibVNCServer had a buffer overflow via a
long socket filename.
CVE-2020-14397
libvncserver/rfbregion.c has a NULL pointer dereference.
CVE-2020-14399
Byte-aligned data was accessed through uint32_t pointers in
libvncclient/rfbproto.c.
NOTE: This issue has been disputed by third parties; there is
reportedly "no trust boundary crossed".
CVE-2020-14400
Byte-aligned data was accessed through uint16_t pointers in
libvncserver/translate.c.
NOTE: This issue has been disputed by third parties. There is no
known path of exploitation or cross of a trust boundary.
CVE-2020-14401
libvncserver/scale.c had a pixel_value integer overflow.
CVE-2020-14402
libvncserver/corre.c allowed out-of-bounds access via encodings.
CVE-2020-14403
libvncserver/hextile.c allowed out-of-bounds access via encodings.
CVE-2020-14404
libvncserver/rre.c allowed out-of-bounds access via encodings.
CVE-2020-14405
libvncclient/rfbproto.c did not limit TextChat size.
For Debian 9 stretch, these problems have been fixed in version
0.9.11+dfsg-1.3~deb9u5.
We recommend that you upgrade your libvncserver packages.
For the detailed security status of libvncserver please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libvncserver
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
–
mike gabriel aka sunweaver (Debian Developer)
fon: +49 (1520) 1976 148
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: [email protected], http://sunweavers.net
Attachment:
signature.asc
Description: PGP signature
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
0.012 Low
EPSS
Percentile
85.3%