CVE-2019-3813
First published: Fri Jan 11 2019(Updated: )
An off-by-one error was found in spice when accessing arrays. A malicious guest user can use this for a host denial of service.
Credit: secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/spice | <=0.14.0-1.2<=0.12.8-2.1<=0.12.8-2.1+deb9u2 | 0.12.8-2.1+deb9u3 0.14.0-1.3 |
| Spice Project Spice | >=0.5.2<=0.14.1 | |
| Redhat Enterprise Linux Desktop | =6.0 | |
| Redhat Enterprise Linux Desktop | =7.0 | |
| Redhat Enterprise Linux Server | =6.0 | |
| Redhat Enterprise Linux Server | =7.0 | |
| Redhat Enterprise Linux Server Aus | =7.6 | |
| Redhat Enterprise Linux Server Eus | =7.6 | |
| Redhat Enterprise Linux Server Tus | =7.6 | |
| Redhat Enterprise Linux Workstation | =6.0 | |
| Redhat Enterprise Linux Workstation | =7.0 | |
| Debian Debian Linux | =8.0 | |
| Debian Debian Linux | =9.0 | |
| Canonical Ubuntu Linux | =14.04 | |
| Canonical Ubuntu Linux | =16.04 | |
| Canonical Ubuntu Linux | =18.04 | |
| Canonical Ubuntu Linux | =18.10 | |
| redhat/spice | <0.14.2 | 0.14.2 |
| debian/spice | 0.14.3-2.1 0.15.1-1 0.15.2-1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://security-tracker.debian.org/tracker/CVE-2019-3813
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3813
- https://www.openwall.com/lists/oss-security/2019/01/28/2
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=920762
- http://www.securityfocus.com/bid/106801
- https://access.redhat.com/errata/RHSA-2019:0231
- https://access.redhat.com/errata/RHSA-2019:0232
- https://access.redhat.com/errata/RHSA-2019:0457
- https://bugzilla.redhat.com/show_bug.cgi?id=1665371
- https://lists.debian.org/debian-lts-announce/2019/01/msg00026.html
- https://security.gentoo.org/glsa/202007-30
- https://usn.ubuntu.com/3870-1/
- https://www.debian.org/security/2019/dsa-4375
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1665371#c6
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1670158
- https://gitlab.freedesktop.org/spice/spice/commit/a4a16ac42d2f19a17e36556546aa94d5cd83745f
- https://launchpad.net/bugs/cve/CVE-2019-3813
- https://nvd.nist.gov/vuln/detail/CVE-2019-3813
- https://ubuntu.com/security/CVE-2019-3813
Frequently Asked Questions
What is the vulnerability ID?
The vulnerability ID is CVE-2019-3813.
What is the severity of CVE-2019-3813?
The severity of CVE-2019-3813 is high (7.5).
What is the affected software?
The affected software is Spice versions 0.5.2 through 0.14.1.
How can CVE-2019-3813 be exploited?
CVE-2019-3813 can be exploited by unauthenticated attackers to perform a denial of service attack or potentially execute arbitrary code.
How can I mitigate the vulnerability in Spice versions 0.5.2 through 0.14.1?
To mitigate the vulnerability in Spice versions 0.5.2 through 0.14.1, it is recommended to apply the available patches or updates provided by the vendor.
- collector/debian-bugs
- alias/CVE-2019-3813
- collector/nvd-index
- agent/type
- collector/redhat-bugzilla
- source/Red Hat
- agent/software-canonical-lookup
- agent/severity
- agent/weakness
- agent/first-publish-date
- agent/references
- agent/description
- collector/launchpad-cve
- source/Launchpad
- collector/security-tracker-debian
- source/Debian
- agent/author
- agent/tags
- collector/nvd-cve
- source/NVD
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/event
- collector/usn-cve
- source/Ubuntu
- package-manager/debian
- vendor/spice project
- canonical/spice project spice
- version/spice project spice/0.5.2
- version/spice project spice/0.14.1
- vendor/redhat
- canonical/redhat enterprise linux desktop
- version/redhat enterprise linux desktop/6.0
- version/redhat enterprise linux desktop/7.0
- canonical/redhat enterprise linux server
- version/redhat enterprise linux server/6.0
- version/redhat enterprise linux server/7.0
- canonical/redhat enterprise linux server aus
- version/redhat enterprise linux server aus/7.6
- canonical/redhat enterprise linux server eus
- version/redhat enterprise linux server eus/7.6
- canonical/redhat enterprise linux server tus
- version/redhat enterprise linux server tus/7.6
- canonical/redhat enterprise linux workstation
- version/redhat enterprise linux workstation/6.0
- version/redhat enterprise linux workstation/7.0
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/8.0
- version/debian debian linux/9.0
- vendor/canonical
- canonical/canonical ubuntu linux
- version/canonical ubuntu linux/14.04
- version/canonical ubuntu linux/16.04
- version/canonical ubuntu linux/18.04
- version/canonical ubuntu linux/18.10
- package-manager/redhat