CVE-2020-25652

CVSS v3.1

6.4

Medium

Vector

AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:L

Name of the Vulnerable Software and Affected Versions spice-vdagent versions 0.20 and prior

Description A flaw was found in the spice-vdagentd daemon, where it did not properly handle client connections that can be established via the UNIX domain socket in /run/spice-vdagentd/spice-vdagent-sock. Any unprivileged local guest user could use this flaw to prevent legitimate agents from connecting to the spice-vdagentd daemon, resulting in a denial of service. The highest threat from this vulnerability is to system availability.

Recommendations For spice-vdagent versions 0.20 and prior, update to a version later than 0.20 to resolve the issue. As a temporary workaround, consider restricting access to the UNIX domain socket in /run/spice-vdagentd/spice-vdagent-sock to prevent unprivileged local guest users from exploiting the flaw.

Exploit

Fix

DoS

Allocation of Resources Without Limits

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-770

Related Identifiers

ALSA-2021:1791

ALT-PU-2021-1106

ALT-PU-2021-1155

ALT-PU-2023-1838

AZL-7364

CESA-2021_1791

CVE-2020-25652

DLA-2524-1

MGASA-2020-0474

OESA-2021-1081

OPENSUSE-SU-2021:2614-1

OPENSUSE-SU-2021_2614-1

RHSA-2021:1791

RHSA-2021_1791

RLSA-2021:1791

SUSE-SU-2020:3268-1

SUSE-SU-2021:2614-1

SUSE-SU-2021:2766-1

SUSE-SU-2021:2803-1

USN-4617-1

Affected Products

Alt Linux

Almalinux

Centos

Linuxmint

Red Hat

Rocky Linux

Suse

Ubuntu

Spice-Vdagent

CVE-2020-25652

Weakness Enumeration

Related Identifiers

Affected Products

References · 61