Vulnerability in spice-client Affects Users of Spice-GTK Software
CVE-2017-12194

9.8 CRITICAL

Key Information:

CVE Published: 14 March 2018

What is CVE-2017-12194?

A vulnerability exists in spice-client due to improper processing of messages sent from a malicious spice-server. An attacker with control over the server can exploit this issue to crash the client application or execute arbitrary code with the privileges of the end user. Users of spice-gtk versions up to 0.34 are advised to update their software to mitigate potential risks associated with this vulnerability.

Affected Version(s)

spice-gtk through 0.34

EPSS Score

5% chance of being exploited in the next 30 days.

CVSS V3.1

Score: 9.8
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
