Input validation error in SPICE - CVE-2016-9578
Published: July 27, 2018 / Updated: July 17, 2020
Vulnerability identifier: #VU31250
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2016-9578
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: SPICE
Affected software:
SPICE
SPICE
Detailed vulnerability description
The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
A vulnerability was discovered in SPICE before 0.13.90 in the server's protocol handling. An attacker able to connect to the SPICE server could send crafted messages which would cause the process to crash.
How to mitigate CVE-2016-9578
Install update from vendor's website.
Sources
- http://rhn.redhat.com/errata/RHSA-2017-0253.html
- http://rhn.redhat.com/errata/RHSA-2017-0549.html
- http://www.securityfocus.com/bid/96118
- https://access.redhat.com/errata/RHSA-2017:0254
- https://access.redhat.com/errata/RHSA-2017:0552
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-9578
- https://www.debian.org/security/2017/dsa-3790