CVE-2019-15681
high-risk
Published 2019-10-29
LibVNC commit before d01e1bb4246323ba6fcee3b82ef1faa9b1dac82a contains a memory leak (CWE-655) in VNC server code, which allow an attacker to read stack memory and can be abused for information disclosure. Combined with another vulnerability, it can be used to leak stack memory and bypass ASLR. This attack appear to be exploitable via network connectivity. These vulnerabilities have been fixed in commit d01e1bb4246323ba6fcee3b82ef1faa9b1dac82a.
Do I need to act?
~
6.2% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
7
CVSS 7.5/10
High
NETWORK
/ LOW complexity
Affected Products (14)
Affected Vendors
References (24)
Third Party Advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-390195.pdf
Third Party Advisory
https://usn.ubuntu.com/4407-1/
Third Party Advisory
https://usn.ubuntu.com/4547-1/
Third Party Advisory
https://usn.ubuntu.com/4573-1/
Third Party Advisory
https://usn.ubuntu.com/4587-1/
Third Party Advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-390195.pdf
and 4 more references
53
/ 100
high-risk
Severity
26/34 · High
Exploitability
9/34 · Low
Exposure
18/34 · Moderate