CVE-2018-20023

moderate-risk

Published 2018-12-19

LibVNC before 8b06f835e259652b0ff026898014fc7297ade858 contains CWE-665: Improper Initialization vulnerability in VNC Repeater client code that allows attacker to read stack memory and can be abuse for information disclosure. Combined with another vulnerability, it can be used to leak stack memory layout and in bypassing ASLR

Do I need to act?

0.86% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 7.5/10 High

NETWORK / LOW complexity

Affected Products (7)

Libvncserver

Debian Linux

Ubuntu Linux

Affected Vendors

Debian Canonical Libvnc Project

References (16)

Third Party Advisory https://ics-cert.kaspersky.com/advisories/klcert-advisories/2018/12/19/klcert-18...

Mailing List https://lists.debian.org/debian-lts-announce/2018/12/msg00017.html

https://lists.debian.org/debian-lts-announce/2019/10/msg00042.html

https://security.gentoo.org/glsa/201908-05

Third Party Advisory https://usn.ubuntu.com/3877-1/

https://usn.ubuntu.com/4547-1/

https://usn.ubuntu.com/4587-1/

Third Party Advisory https://www.debian.org/security/2019/dsa-4383

Third Party Advisory https://ics-cert.kaspersky.com/advisories/klcert-advisories/2018/12/19/klcert-18...

Mailing List https://lists.debian.org/debian-lts-announce/2018/12/msg00017.html

https://lists.debian.org/debian-lts-announce/2019/10/msg00042.html

https://security.gentoo.org/glsa/201908-05

Third Party Advisory https://usn.ubuntu.com/3877-1/

https://usn.ubuntu.com/4547-1/

https://usn.ubuntu.com/4587-1/

Third Party Advisory https://www.debian.org/security/2019/dsa-4383

/ 100

moderate-risk

Severity 26/34 · High

Exploitability 3/34 · Minimal

Exposure 14/34 · Moderate