CVE-2020-14355

moderate-risk

Published 2020-10-07

Multiple buffer overflow vulnerabilities were found in the QUIC image decoding process of the SPICE remote display system, before spice-0.14.2-1. Both the SPICE client (spice-gtk) and server are affected by these flaws. These flaws allow a malicious client or server to send specially crafted messages that, when processed by the QUIC image compression algorithm, result in a process crash or potential code execution.

Do I need to act?

1.1% chance of exploitation in next 30 days

EPSS score — moderate exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 6.6/10 Medium

NETWORK / LOW complexity

Affected Products (15)

Spice

Openstack

Ubuntu Linux

Debian Linux

Leap

Enterprise Linux

Enterprise Linux Aus

Enterprise Linux Eus

Enterprise Linux Tus

Enterprise Linux Update Services For Sap Solutions

Affected Vendors

Debian Redhat Canonical Opensuse Spice Project

References (18)

Mailing List http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00000.html

Mailing List http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00001.html

Issue Tracking https://bugzilla.redhat.com/show_bug.cgi?id=1868435

Mailing List https://lists.debian.org/debian-lts-announce/2020/11/msg00001.html

Mailing List https://lists.debian.org/debian-lts-announce/2020/11/msg00002.html

Third Party Advisory https://usn.ubuntu.com/4572-1/

Third Party Advisory https://usn.ubuntu.com/4572-2/

Third Party Advisory https://www.debian.org/security/2020/dsa-4771

Mailing List https://www.openwall.com/lists/oss-security/2020/10/06/10