Out-of-bounds read vulnerability in the Message Framework library
Horizon 6, 7, Horizon Agent, and Horizon Client for Windows contain an out-of-bounds read vulnerability in the Message Framework library. Successfully exploiting this issue may allow a less-privileged user to leak information from a privileged process running on a system where Horizon Connection Server, Horizon Agent or Horizon Client are installed.
Note: This issue doesn’t apply to Horizon 6, 7 Agents installed on Linux systems or Horizon Clients installed on non-Windows systems.
VMware would like to thank Steven Seeley (mr_me) of Source Incite working with Trend Micro's Zero Day Initiative for reporting this issue to us.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2018-6970 to this issue.
Column 5 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.