Vulnerability Details : CVE-2013-4130
The (1) red_channel_pipes_add_type and (2) red_channel_pipes_add_empty_msg functions in server/red_channel.c in SPICE before 0.12.4 do not properly perform ring loops, which might allow remote attackers to cause a denial of service (reachable assertion and server exit) by triggering a network error.
Vulnerability category: Denial of service
Products affected by CVE-2013-4130
- cpe:2.3:o:canonical:ubuntu_linux:13.04:*:*:*:*:*:*:*
- cpe:2.3:a:spice_project:spice:*:*:*:*:*:*:*:*
- cpe:2.3:a:spice_project:spice:0.12.0:*:*:*:*:*:*:*
- cpe:2.3:a:spice_project:spice:0.11.3:*:*:*:*:*:*:*
- cpe:2.3:a:spice_project:spice:0.8.2:*:*:*:*:*:*:*
- cpe:2.3:a:spice_project:spice:0.8.1:*:*:*:*:*:*:*
- cpe:2.3:a:spice_project:spice:0.7.0:*:*:*:*:*:*:*
- cpe:2.3:a:spice_project:spice:0.6.1:*:*:*:*:*:*:*
- cpe:2.3:a:spice_project:spice:0.11.0:*:*:*:*:*:*:*
- cpe:2.3:a:spice_project:spice:0.10.1:*:*:*:*:*:*:*
- cpe:2.3:a:spice_project:spice:0.8.0:*:*:*:*:*:*:*
- cpe:2.3:a:spice_project:spice:0.6.4:*:*:*:*:*:*:*
- cpe:2.3:a:spice_project:spice:0.6.3:*:*:*:*:*:*:*
- cpe:2.3:a:spice_project:spice:0.6.0:*:*:*:*:*:*:*
- cpe:2.3:a:spice_project:spice:0.5.3:*:*:*:*:*:*:*
- cpe:2.3:a:spice_project:spice:0.12.2:*:*:*:*:*:*:*
- cpe:2.3:a:spice_project:spice:0.9.1:*:*:*:*:*:*:*
- cpe:2.3:a:spice_project:spice:0.9.0:*:*:*:*:*:*:*
- cpe:2.3:a:spice_project:spice:0.7.2:*:*:*:*:*:*:*
- cpe:2.3:a:spice_project:spice:0.7.1:*:*:*:*:*:*:*
- cpe:2.3:a:spice_project:spice:0.10.0:*:*:*:*:*:*:*
- cpe:2.3:a:spice_project:spice:0.8.3:*:*:*:*:*:*:*
- cpe:2.3:a:spice_project:spice:0.6.2:*:*:*:*:*:*:*
- cpe:2.3:a:spice_project:spice:0.7.3:*:*:*:*:*:*:*
- cpe:2.3:a:spice_project:spice:0.5.2:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2013-4130
1.10%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 76 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2013-4130
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
5.0
|
MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P |
10.0
|
2.9
|
NIST |
CWE ids for CVE-2013-4130
-
Assigned by: nvd@nist.gov (Primary)
References for CVE-2013-4130
-
http://www.ubuntu.com/usn/USN-1926-1
USN-1926-1: SPICE vulnerability | Ubuntu security notices
-
http://seclists.org/oss-sec/2013/q3/115
oss-sec: Re: CVE Request -- spice: unsafe clients ring access abort
-
http://rhn.redhat.com/errata/RHSA-2013-1260.html
RHSA-2013:1260 - Security Advisory - Red Hat Customer Portal
-
http://cgit.freedesktop.org/spice/spice/commit/?id=53488f0275d6c8a121af49f7ac817d09ce68090d
spice/spice - Unnamed repository; edit this file to name it for gitweb. (mirrored from https://gitlab.freedesktop.org/spice/spice)Patch
-
https://bugzilla.redhat.com/show_bug.cgi?id=984769
984769 – (CVE-2013-4130) CVE-2013-4130 spice: unsafe clients ring access abort
-
http://www.debian.org/security/2014/dsa-2839
Debian -- Security Information -- DSA-2839-1 spice
Jump to