CVE-2020-25651
MEDIUMspice-vdagent < 0.20.0 - Race Condition in File Transfer Protocol
Title source: llmDescription
A flaw was found in the SPICE file transfer protocol. File data from the host system can end up in full or in parts in the client connection of an illegitimate local user in the VM system. Active file transfers from other users could also be interrupted, resulting in a denial of service. The highest threat from this vulnerability is to data confidentiality as well as system availability. This flaw affects spice-vdagent versions 0.20 and prior.
References (5)
Core 5
Core References
Exploit, Mailing List, Third Party Advisory x_refsource_misc
https://www.openwall.com/lists/oss-security/2020/11/04/1
Issue Tracking, Patch, Third Party Advisory x_refsource_misc
https://bugzilla.redhat.com/show_bug.cgi?id=1886359
Mailing List, Third Party Advisory mailing-list
x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2021/01/msg00012.html
Mailing List, Third Party Advisory vendor-advisory
x_refsource_fedora
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OIWJ2EIQXWEA2VDBODEATHAT37X4CREP/
Mailing List, Third Party Advisory vendor-advisory
x_refsource_fedora
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GQT56LATVTB2DJOVVJOKQVMVUXYCT2VB/
Scores
CVSS v3
6.4
EPSS
0.0029
EPSS Percentile
20.8%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:L
Details
CWE
CWE-362
Status
published
Products (4)
debian/debian_linux
9.0
fedoraproject/fedora
32
fedoraproject/fedora
33
spice-space/spice-vdagent
< 0.20.0
Published
Nov 26, 2020
Tracked Since
Feb 18, 2026