CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:N/I:N/A:C
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
98.1%
A heap use-after-free vulnerability in the server code of the file transfer extension, which can result in remote code execution. This attack appears to be exploitable via network connectivity (CVE-2018-6307). A heap use-after-free vulnerability in the server code of the file transfer extension, which can result in remote code execution. This attack appears to be exploitable via network connectivity (CVE-2018-15126). A heap out-of-bound write vulnerability in the server code of the file transfer extension, which can result in remote code execution. This attack appears to be exploitable via network connectivity (CVE-2018-15127). Multiple heap out-of-bound write vulnerabilities in VNC client code, which can result in remote code execution (CVE-2018-20019). Heap out-of-bound write vulnerability in a structure in VNC client code, which can result in remote code execution (CVE-2018-20020). Infinite Loop vulnerability in VNC client code. The vulnerability could allow an attacker to consume an excessive amount of resources, such as CPU and RAM (CVE-2018-20021). Improper Initialization weaknesses in VNC client code, which could allow an attacker to read stack memory and can be abused for information disclosure. Combined with another vulnerability, it can be used to leak stack memory layout and bypass ASLR (CVE-2018-20022). Improper Initialization vulnerability in VNC Repeater client code, which could allow an attacker to read stack memory and can be abused for information disclosure. Combined with another vulnerability, it can be used to leak stack memory layout and bypass ASLR (CVE-2018-20023). A null pointer dereference in VNC client code, which can result in DoS (CVE-2018-20024).
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
Mageia | 6 | noarch | libvncserver | < 0.9.12-1 | libvncserver-0.9.12-1.mga6 |
Mageia | 6 | noarch | x11vnc | < 0.9.16-1 | x11vnc-0.9.16-1.mga6 |
bugs.mageia.org/show_bug.cgi?id=24177
github.com/LibVNC/libvncserver/releases/tag/LibVNCServer-0.9.12
github.com/LibVNC/x11vnc/releases/tag/0.9.15
github.com/LibVNC/x11vnc/releases/tag/0.9.16
lists.debian.org/debian-lts-announce/2018/12/msg00017.html
lists.opensuse.org/opensuse-updates/2019-01/msg00027.html
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:N/I:N/A:C
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
98.1%