Input validation error in Vino - CVE-2011-1165
Published: March 13, 2013 / Updated: August 11, 2020
Vulnerability identifier: #VU43008
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2011-1165
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Gnome Development Team
Affected software:
Vino
Vino
Detailed vulnerability description
The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
Vino, possibly before 3.2, does not properly document that it opens ports in UPnP routers when the "Configure network to automatically accept connections" setting is enabled, which might make it easier for remote attackers to perform further attacks.
How to mitigate CVE-2011-1165
Install update from vendor's website.
Sources
- http://git.gnome.org/browse/vino/commit/?id=410bbf8e284409bdef02322af4d4a3a388419566
- http://rhn.redhat.com/errata/RHSA-2013-0169.html
- http://www.dslreports.com/forum/r25446313-Ubuntu-computer-hijacked-by-hacker~start=40
- https://bugzilla.gnome.org/show_bug.cgi?id=594521
- https://bugzilla.redhat.com/show_bug.cgi?id=678846