CVE-2017-7506

high-risk

Published 2017-07-18

spice versions though 0.13 are vulnerable to out-of-bounds memory access when processing specially crafted messages from authenticated attacker to the spice server resulting into crash and/or server memory leak.

Do I need to act?

0.88% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 8.8/10 High

NETWORK / LOW complexity

Affected Products (20)

Spice

Affected Vendors

Spice Project

References (12)

http://www.debian.org/security/2017/dsa-3907

Mailing List http://www.openwall.com/lists/oss-security/2017/07/14/1

Third Party Advisory http://www.securityfocus.com/bid/99583

https://access.redhat.com/errata/RHSA-2017:2471

https://access.redhat.com/errata/RHSA-2018:3522

Issue Tracking https://bugzilla.redhat.com/show_bug.cgi?id=1452606

http://www.debian.org/security/2017/dsa-3907

Mailing List http://www.openwall.com/lists/oss-security/2017/07/14/1

Third Party Advisory http://www.securityfocus.com/bid/99583

https://access.redhat.com/errata/RHSA-2017:2471

https://access.redhat.com/errata/RHSA-2018:3522

Issue Tracking https://bugzilla.redhat.com/show_bug.cgi?id=1452606

/ 100

high-risk

Severity 30/34 · Critical

Exploitability 3/34 · Minimal

Exposure 22/34 · High