CVE-2017-7506

HIGH

spice <= 0.13 - Authenticated Denial of Service via Memory Access

Description

spice versions through 0.13 are vulnerable to out-of-bounds memory access when processing specially crafted messages from an authenticated attacker to the spice server, resulting in a crash and/or server memory leak.

References (6)

Core References
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2018:3522
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2017/07/14/1
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2017:2471
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2017/dsa-3907
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/99583
Issue Tracking, Third Party Advisory x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=1452606

Scores

CVSS v3 8.8
EPSS 0.0420
EPSS Percentile 89.7%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-119
Status published
Products (31)
spice_project/spice 0.5.2
spice_project/spice 0.5.3
spice_project/spice 0.6.0
spice_project/spice 0.6.1
spice_project/spice 0.6.2
spice_project/spice 0.6.3
spice_project/spice 0.6.4
spice_project/spice 0.7.0
spice_project/spice 0.7.1
spice_project/spice 0.7.2
... and 21 more
Published Jul 18, 2017
Tracked Since Feb 18, 2026