CVE-2020-23793

Опубликовано: 22 авг. 2023

Источник: redhat

CVSS3: 7.4

Описание

An issue was discovered in spice-server spice-server-0.14.0-6.el7_6.1.x86_64 of Redhat's VDI product. There is a security vulnerablility that can restart KVMvirtual machine without any authorization. It is not yet known if there will be other other effects.

A flaw was found in spice-server in Redhat's VDI product that can restart KVMvirtual machine without any authorization. A handshake is required before spice-server and spice-client can establish communication, and spice-client will send a request containing information that the server needs. This TCP request requires only host and port; A malformed TCP packet causes the vm to crash and the QEMu-KVM process to be restarted.

Меры по смягчению последствий

Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

Затронутые пакеты

Платформа	Пакет	Состояние
Red Hat Enterprise Linux 6	spice-server	Out of support scope
Red Hat Enterprise Linux 7	spice	Out of support scope
Red Hat Enterprise Linux 8	spice	Not affected

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate

Дефект:

CWE-20

https://bugzilla.redhat.com/show_bug.cgi?id=2234984spice: Improper input validation in function async_READ_handler

7.4 High

CVSS3

Связанные уязвимости

CVE-2020-23793

CVSS3: 8.6

ubuntu

больше 2 лет назад

CVE-2020-23793

CVSS3: 8.6

nvd

больше 2 лет назад

CVE-2020-23793

CVSS3: 8.6

debian

больше 2 лет назад

An issue was discovered in spice-server spice-server-0.14.0-6.el7_6.1. ...

GHSA-76gg-j5fc-hc83

CVSS3: 8.6

github

больше 2 лет назад

7.4 High

CVSS3