Improper Initialization Vulnerability in LibVNC Affected by Multiple Versions
CVE-2018-20022

7.5HIGH

Key Information:

Vendor
Libvnc Project
Status
Libvnc
Vendor
CVE Published:
19 December 2018

Summary

LibVNC prior to a specific commit is vulnerable to improper initialization, allowing attackers to potentially read stack memory. This flaw can lead to information disclosure and may be exploited in conjunction with other vulnerabilities to bypass Address Space Layout Randomization (ASLR), exposing a deeper stack memory layout that can be leveraged for further attacks.

Affected Version(s)

LibVNC commit 2f5b2ad1c6c99b1ac6482c95844a84d66bb52838

References

https://www.debian.org/security/2019/dsa-4383
vendor-advisoryx_refsource_DEBIAN
https://lists.debian.org/debian-lts-announce/2018/12/msg0...
mailing-listx_refsource_MLIST
https://ics-cert.kaspersky.com/advisories/klcert-advisori...
x_refsource_MISC

EPSS Score

5% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.