CVE-2020-14355
spice: multiple buffer overflow vulnerabilities in QUIC decoding code
Severity Score
Exploit Likelihood
Affected Versions
15Public Exploits
0Exploited in Wild
-Decision
Descriptions
Multiple buffer overflow vulnerabilities were found in the QUIC image decoding process of the SPICE remote display system, before spice-0.14.2-1. Both the SPICE client (spice-gtk) and server are affected by these flaws. These flaws allow a malicious client or server to send specially crafted messages that, when processed by the QUIC image compression algorithm, result in a process crash or potential code execution.
Se encontraron múltiples vulnerabilidades de desbordamiento de búfer en el proceso de decodificación de imágenes QUIC del sistema de visualización remota SPICE, versiones anteriores a spice-0.14.2-1. Tanto el cliente SPICE (spice-gtk) como el servidor están afectados por estos defectos. Estos fallos permiten a un cliente o servidor malicioso enviar mensajes especialmente diseñados que, cuando son procesados ??por el algoritmo de compresión de imágenes QUIC, resulta en un bloqueo del proceso o una posible ejecución de código
Multiple buffer overflow vulnerabilities were found in the QUIC image decoding process of the SPICE remote display system. Both the SPICE client (spice-gtk) and server are affected by these flaws. These flaws allow a malicious client or server to send specially crafted messages that, when processed by the QUIC image compression algorithm, result in a process crash or potential code execution.
The Simple Protocol for Independent Computing Environments is a remote display system built for virtual environments which allows the user to view a computing 'desktop' environment not only on the machine where it is running, but from anywhere on the Internet and from a wide variety of machine architectures. The spice-gtk packages provide a GIMP Toolkit widget for Simple Protocol for Independent Computing Environments clients. Both Virtual Machine Manager and Virtual Machine Viewer can make use of this widget to access virtual machines using the SPICE protocol. Issues addressed include a buffer overflow vulnerability.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2020-06-17 CVE Reserved
- 2020-10-06 CVE Published
- 2024-08-04 CVE Updated
- 2025-03-30 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
CAPEC
References (10)
| URL | Tag | Source |
|---|---|---|
| https://lists.debian.org/debian-lts-announce/2020/1... | Mailing List |
|
| https://lists.debian.org/debian-lts-announce/2020/1... | Mailing List |
|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://bugzilla.redhat.com/show_bug.cgi?id=1868435 | 2020-10-06 | |
| https://www.openwall.com/lists/oss-security/2020/10/06/10 | 2023-11-09 |
| URL | Date | SRC |
|---|---|---|
| http://lists.opensuse.org/opensuse-security-announce/2020-... | 2023-11-09 | |
| http://lists.opensuse.org/opensuse-security-announce/2020-... | 2023-11-09 | |
| https://usn.ubuntu.com/4572-1 | 2023-11-09 | |
| https://usn.ubuntu.com/4572-2 | 2023-11-09 | |
| https://www.debian.org/security/2020/dsa-4771 | 2023-11-09 | |
| https://access.redhat.com/security/cve/CVE-2020-14355 | 2020-10-06 |