CVE-2018-20021

Published: 19 December 2018

LibVNC before commit c3115350eb8bb635d0fdb4dbbb0d0541f38ed19c contains a CWE-835: Infinite loop vulnerability in VNC client code. Vulnerability allows attacker to consume excessive amount of resources like CPU and RAM

Priority

Cvss 3 Severity Score

7.5

Score breakdown

Status

Package	Release	Status
italc Launchpad, Ubuntu, Debian	impish	Does not exist
	jammy	Does not exist
	focal	Does not exist
	kinetic	Does not exist
	lunar	Does not exist
	bionic	Released (1:3.0.3+dfsg1-3ubuntu0.1)
	groovy	Does not exist
	hirsute	Does not exist
	trusty	Does not exist (trusty was needed)
	upstream	Released (1:3.0.3+dfsg1-1+deb9u1, 1:2.0.2+dfsg1-2+deb8u1)
	xenial	Released (1:2.0.2+dfsg1-4ubuntu0.1)
	mantic	Does not exist
tightvnc Launchpad, Ubuntu, Debian	impish	Ignored (end of life)
	hirsute	Ignored (end of life)
	jammy	Needs triage
	xenial	Needs triage
	kinetic	Ignored (end of life, was needs-triage)
	trusty	Released (1.3.9-6.5+deb8u1build0.14.04.1~esm1) Available with Ubuntu Pro or Ubuntu Pro (Infra-only)
	lunar	Needs triage
	bionic	Needs triage
	focal	Needs triage
	groovy	Ignored (end of life)
	upstream	Released (1:1.3.9-6.5+deb8u1)
	mantic	Needs triage
libvncserver Launchpad, Ubuntu, Debian	jammy	Not vulnerable (0.9.11+dfsg-1.2)
	kinetic	Not vulnerable (0.9.11+dfsg-1.2)
	lunar	Not vulnerable (0.9.11+dfsg-1.2)
	trusty	Released (0.9.9+dfsg-1ubuntu1.4)
	bionic	Released (0.9.11+dfsg-1ubuntu1.1)
	cosmic	Released (0.9.11+dfsg-1.1ubuntu0.1)
	disco	Not vulnerable (0.9.11+dfsg-1.2)
	focal	Not vulnerable (0.9.11+dfsg-1.2)
	groovy	Not vulnerable (0.9.11+dfsg-1.2)
	hirsute	Not vulnerable (0.9.11+dfsg-1.2)
	impish	Not vulnerable (0.9.11+dfsg-1.2)
	upstream	Released (0.9.11+dfsg-1.2)
	xenial	Released (0.9.10+dfsg-3ubuntu0.16.04.3)
	mantic	Not vulnerable (0.9.11+dfsg-1.2)
	Patches: upstream: https://github.com/LibVNC/libvncserver/commit/c3115350eb8bb635d0fdb4dbbb0d0541f38ed19c
ssvnc Launchpad, Ubuntu, Debian	jammy	Not vulnerable (1.0.29-5)
	kinetic	Not vulnerable (1.0.29-5)
	lunar	Not vulnerable (1.0.29-5)
	bionic	Needed
	focal	Not vulnerable (1.0.29-5)
	groovy	Not vulnerable (1.0.29-5)
	hirsute	Not vulnerable (1.0.29-5)
	impish	Not vulnerable (1.0.29-5)
	trusty	Does not exist (trusty was needed)
	upstream	Released (1.0.29-2+deb8u1, 1.0.29-3+deb9u1, 1.0.29-4+deb10u1, 1.0.29-5)
	xenial	Released (1.9.29-2+deb8u1build0.16.04.1)
	mantic	Not vulnerable (1.0.29-5)
x11vnc Launchpad, Ubuntu, Debian	jammy	Not vulnerable (uses shared libvnc)
	kinetic	Not vulnerable (uses shared libvnc)
	lunar	Not vulnerable (uses shared libvnc)
	bionic	Not vulnerable (uses shared libvnc)
	cosmic	Ignored (end of life)
	disco	Not vulnerable (uses shared libvnc)
	focal	Not vulnerable (uses shared libvnc)
	groovy	Not vulnerable (uses shared libvnc)
	hirsute	Not vulnerable (uses shared libvnc)
	impish	Not vulnerable (uses shared libvnc)
	trusty	Not vulnerable (uses shared libvnc)
	upstream	Needs triage
	xenial	Not vulnerable (uses shared libvnc)
	mantic	Not vulnerable (uses shared libvnc)

Severity score breakdown

Parameter	Value
Base score	7.5
Attack vector	Network
Attack complexity	Low
Privileges required	None
User interaction	None
Scope	Unchanged
Confidentiality	None
Integrity impact	None
Availability impact	High
Vector	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

Bugs

Join the discussion

Canonical is offering Expanded Security Maintenance

Canonical is offering Ubuntu Expanded Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›