CVE-2019-8259

HIGH

Uvnc Ultravnc < 1.2.2.3 - Memory Leak

Title source: rule

Description

UltraVNC revision 1198 contains multiple memory leaks (CWE-655) in VNC client code, which allow an attacker to read stack memory and can be abused for information disclosure. Combined with another vulnerability, it can be used to leak stack memory and bypass ASLR. This attack appears to be exploitable via network connectivity. These vulnerabilities have been fixed in revision 1199.

References (6)

[Vendor Advisory] https://cert-portal.siemens.com/productcert/pdf/ssa-286838.pdf

[Vendor Advisory] https://cert-portal.siemens.com/productcert/pdf/ssa-940818.pdf

[Third Party Advisory] https://cert-portal.siemens.com/productcert/pdf/ssa-927095.pdf

[Third Party Advisory] https://ics-cert.kaspersky.com/advisories/klcert-advisories/2019/03/01/klcert-19-005-ultravnc-memory-leak/

[Third Party Advisory, US Government Resource] https://www.us-cert.gov/ics/advisories/icsa-20-161-06

[Third Party Advisory, US Government Resource] https://us-cert.cisa.gov/ics/advisories/icsa-21-131-11

Scores

CVSS v3 7.5

EPSS 0.0082

EPSS Percentile 74.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Classification

CWE

CWE-665 CWE-401

Status published

Affected Products (4)

uvnc/ultravnc < 1.2.2.3

siemens/sinumerik_access_mymachine\/p2p < 4.8

siemens/sinumerik_pcu_base_win10_software\/ipc < 14.00

siemens/sinumerik_pcu_base_win7_software\/ipc < 12.01

Timeline

Published Mar 05, 2019

Tracked Since Feb 18, 2026