CVE-2019-15692
Published: 26 December 2019
TigerVNC version prior to 1.10.1 is vulnerable to heap buffer overflow. Vulnerability could be triggered from CopyRectDecoder due to incorrect value checks. Exploitation of this vulnerability could potentially result into remote code execution. This attack appear to be exploitable via network connectivity.
Priority
Status
Package | Release | Status |
---|---|---|
tigervnc Launchpad, Ubuntu, Debian |
bionic |
Needs triage
|
disco |
Ignored
(end of life)
|
|
eoan |
Ignored
(end of life)
|
|
focal |
Not vulnerable
(1.10.1+dfsg-1)
|
|
groovy |
Not vulnerable
(1.10.1+dfsg-1)
|
|
hirsute |
Not vulnerable
(1.10.1+dfsg-1)
|
|
impish |
Not vulnerable
(1.10.1+dfsg-1)
|
|
jammy |
Not vulnerable
(1.10.1+dfsg-1)
|
|
kinetic |
Not vulnerable
(1.10.1+dfsg-1)
|
|
lunar |
Not vulnerable
(1.10.1+dfsg-1)
|
|
mantic |
Not vulnerable
(1.10.1+dfsg-1)
|
|
noble |
Not vulnerable
(1.10.1+dfsg-1)
|
|
trusty |
Does not exist
|
|
upstream |
Released
(1.10.1+dfsg-1)
|
|
xenial |
Does not exist
|
Severity score breakdown
Parameter | Value |
---|---|
Base score | 7.2 |
Attack vector | Network |
Attack complexity | Low |
Privileges required | High |
User interaction | None |
Scope | Unchanged |
Confidentiality | High |
Integrity impact | High |
Availability impact | High |
Vector | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
References
- https://www.openwall.com/lists/oss-security/2019/12/20/2
- https://github.com/TigerVNC/tigervnc/commit/996356b6c65ca165ee1ea46a571c32a1dc3c3821 (master)
- https://github.com/TigerVNC/tigervnc/commit/ff08ca78b24b5a4ed5263245c7ce8744059ff4ad (v1.10.1)
- https://github.com/CendioOssman/tigervnc/commit/996356b6c65ca165ee1ea46a571c32a1dc3c3821
- https://github.com/TigerVNC/tigervnc/releases/tag/v1.10.1
- https://www.cve.org/CVERecord?id=CVE-2019-15692
- NVD
- Launchpad
- Debian