PT-2019-15243 · Thinvnc · Thinvnc

Published

2019-10-16

Updated

2020-08-24

CVE-2019-17662

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions ThinVNC version 1.0b1

Description The issue allows for arbitrary file read, which can compromise the VNC server, even when authentication is enabled. The password for authentication is stored in cleartext in a file, and this file can be accessed through a directory traversal attack using the ../../ThinVnc.ini path.

Recommendations For ThinVNC version 1.0b1, as a temporary workaround, consider restricting access to the ThinVnc.ini file to minimize the risk of exploitation. Avoid using the cleartext password storage mechanism until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Insufficiently Protected Credentials

Path traversal

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-522CWE-22

Related Identifiers

CVE-2019-17662

Affected Products

Thinvnc

PT-2019-15243 · Thinvnc · Thinvnc

CVE-2019-17662

Weakness Enumeration

Related Identifiers

Affected Products

References · 9