Vulnerability Details : CVE-2018-20022
LibVNC before 2f5b2ad1c6c99b1ac6482c95844a84d66bb52838 contains multiple weaknesses CWE-665: Improper Initialization vulnerability in VNC client code that allows attacker to read stack memory and can be abuse for information disclosure. Combined with another vulnerability, it can be used to leak stack memory layout and in bypassing ASLR
Vulnerability category: Information leak
Products affected by CVE-2018-20022
- cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:18.10:*:*:*:*:*:*:*
- cpe:2.3:a:libvnc_project:libvncserver:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2018-20022
0.53%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 77 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2018-20022
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0
|
MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
10.0
|
2.9
|
NIST | |
7.5
|
HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
3.9
|
3.6
|
NIST |
CWE ids for CVE-2018-20022
-
The product does not initialize or incorrectly initializes a resource, which might leave the resource in an unexpected state when it is accessed or used.Assigned by: nvd@nist.gov (Primary)
References for CVE-2018-20022
-
https://lists.debian.org/debian-lts-announce/2018/12/msg00017.html
[SECURITY] [DLA 1617-1] libvncserver security updateMailing List;Third Party Advisory
-
https://lists.debian.org/debian-lts-announce/2019/11/msg00033.html
[SECURITY] [DLA 2016-1] ssvnc security update
-
https://security.gentoo.org/glsa/202006-06
ssvnc: Multiple vulnerabilities (GLSA 202006-06) — Gentoo security
-
https://usn.ubuntu.com/4587-1/
USN-4587-1: iTALC vulnerabilities | Ubuntu security notices | Ubuntu
-
https://lists.debian.org/debian-lts-announce/2019/12/msg00028.html
[SECURITY] [DLA 2045-1] tightvnc security update
-
https://lists.debian.org/debian-lts-announce/2019/10/msg00042.html
[SECURITY] [DLA 1979-1] italc security update
-
https://www.debian.org/security/2019/dsa-4383
Debian -- Security Information -- DSA-4383-1 libvncserverThird Party Advisory
-
https://security.gentoo.org/glsa/201908-05
LibVNCServer: Multiple vulnerabilities (GLSA 201908-05) — Gentoo security
-
https://ics-cert.kaspersky.com/advisories/klcert-advisories/2018/12/19/klcert-18-032-libvnc-multiple-memory-leaks/
KLCERT-18-032: LibVNC Multiple Memory Leaks | Kaspersky Lab ICS CERTThird Party Advisory
-
https://usn.ubuntu.com/4547-1/
USN-4547-1: iTALC vulnerabilities | Ubuntu security notices | Ubuntu
-
https://usn.ubuntu.com/3877-1/
USN-3877-1: LibVNCServer vulnerabilities | Ubuntu security noticesThird Party Advisory
-
https://usn.ubuntu.com/4547-2/
Jump to