#VU31250 Input validation error in SPICE - CVE-2016-9578
Published: July 27, 2018 / Updated: July 17, 2020
Vulnerability identifier: #VU31250
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2016-9578
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
SPICE
SPICE
Software vendor:
SPICE
SPICE
Description
The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
A vulnerability was discovered in SPICE before 0.13.90 in the server's protocol handling. An attacker able to connect to the SPICE server could send crafted messages which would cause the process to crash.
Remediation
Install update from vendor's website.
External links
- http://rhn.redhat.com/errata/RHSA-2017-0253.html
- http://rhn.redhat.com/errata/RHSA-2017-0549.html
- http://www.securityfocus.com/bid/96118
- https://access.redhat.com/errata/RHSA-2017:0254
- https://access.redhat.com/errata/RHSA-2017:0552
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-9578
- https://www.debian.org/security/2017/dsa-3790