CVE-2018-20021

moderate-risk
Published 2018-12-19

LibVNC before commit c3115350eb8bb635d0fdb4dbbb0d0541f38ed19c contains a CWE-835: Infinite loop vulnerability in VNC client code. Vulnerability allows attacker to consume excessive amount of resources like CPU and RAM

Do I need to act?

~
2.6% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
7
CVSS 7.5/10 High
NETWORK / LOW complexity

Affected Products (7)

Affected Vendors

Debian Canonical Libvnc Project

References (24)

Third Party Advisory https://ics-cert.kaspersky.com/advisories/klcert-advisories/2018/12/19/klcert-18...
Mailing List https://lists.debian.org/debian-lts-announce/2018/12/msg00017.html
https://lists.debian.org/debian-lts-announce/2019/10/msg00042.html
https://lists.debian.org/debian-lts-announce/2019/11/msg00033.html
https://lists.debian.org/debian-lts-announce/2019/12/msg00028.html
https://security.gentoo.org/glsa/201908-05
https://security.gentoo.org/glsa/202006-06
Third Party Advisory https://usn.ubuntu.com/3877-1/
https://usn.ubuntu.com/4547-1/
https://usn.ubuntu.com/4547-2/
https://usn.ubuntu.com/4587-1/
Third Party Advisory https://www.debian.org/security/2019/dsa-4383
Third Party Advisory https://ics-cert.kaspersky.com/advisories/klcert-advisories/2018/12/19/klcert-18...
Mailing List https://lists.debian.org/debian-lts-announce/2018/12/msg00017.html
https://lists.debian.org/debian-lts-announce/2019/10/msg00042.html
https://lists.debian.org/debian-lts-announce/2019/11/msg00033.html
https://lists.debian.org/debian-lts-announce/2019/12/msg00028.html
https://security.gentoo.org/glsa/201908-05
https://security.gentoo.org/glsa/202006-06
Third Party Advisory https://usn.ubuntu.com/3877-1/
and 4 more references
46
/ 100
moderate-risk
Severity 26/34 · High
Exploitability 6/34 · Minimal
Exposure 14/34 · Moderate