CVE-2019-15680
Published: 2019-10-29
Priority: P3 / 37 / high
CVSS 3.1: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS: 2.78% (84.6th percentile)
TightVNC code version 1.3.10 contains a null pointer dereference in the HandleZlibBPP function, which results in Denial of Service (DoS). This attack appears to be exploitable via network connectivity.
Affected
11 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | libvncserver | < tightvnc 1:1.3.9-9.1 (bookworm) | tightvnc 1:1.3.9-9.1 (bookworm) |
| debian | tightvnc | < tightvnc 1:1.3.9-9.1 (bookworm) | tightvnc 1:1.3.9-9.1 (bookworm) |
| kaspersky | tightvnc | — | — |
| libvncserver_project | libvncserver | >= 0 < 0.9.10+dfsg-3ubuntu0.16.04.4 | 0.9.10+dfsg-3ubuntu0.16.04.4 |
| libvncserver_project | libvncserver | >= 0 < 0.9.11+dfsg-1ubuntu1.2 | 0.9.11+dfsg-1ubuntu1.2 |
| libvncserver_project | libvncserver | >= 0 < 0.9.12+dfsg-9ubuntu0.1 | 0.9.12+dfsg-9ubuntu0.1 |
| tightvnc | tightvnc | — | — |
| tightvnc | tightvnc | >= 0 < 1:1.3.9-9.1 | 1:1.3.9-9.1 |
| tightvnc | tightvnc | >= 0 < 1:1.3.9-9.1 | 1:1.3.9-9.1 |
| tightvnc | tightvnc | >= 0 < 1:1.3.9-9.1 | 1:1.3.9-9.1 |
| tightvnc | tightvnc | >= 0 < 1:1.3.9-9.1 | 1:1.3.9-9.1 |
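CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P |
| osv | — | 9.8 | CRITICAL | — |
| vendor_ubuntu | — | 9.8 | CRITICAL | — |
| vendor_debian | — | 7.5 | LOW | — |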
CISA ICS
Siemens Products using TightVNC (Update A)
cisa_ics·2020-12-08
Last Revised: May 11, 2021
Alert Code: ICSA-20-343-08
## 1. EXECUTIVE SUMMARY
--------- Begin Update A Part 1 of 5 ---------
This advisory was previously released with a set of Siemens products considered to be affected. Following further investigation by the Siemens’ team, it was determined all products previously advised are not affected by any vulnerability listed in this advisory or Siemens Security Advisory SSA-478893.
- Vendor: Siemens
- Equipment: SIMATIC ITC Industrial Thin Clients, SIMATIC WinCC Runtime Advanced/Professional, SIM
Ubuntu
LibVNCServer vulnerabilities
vendor_ubuntu·2020-07-01·CVSS 9.8
CVE-2017-18922 [CRITICAL] LibVNCServer vulnerabilities
Title: LibVNCServer vulnerabilities
Summary: Several security issues were fixed in LibVNCServer.
It was discovered that LibVNCServer incorrectly handled decompressing data. An attacker could possibly use this issue to cause LibVNCServer to crash, resulting in a denial of service. (CVE-2019-15680)
It was discovered that an information disclosure vulnerability existed in LibVNCServer when sending a ServerCutText message. An attacker could possibly use this issue to expose sensitive information. This issue only affected Ubuntu 19.10, Ubuntu 18.04 LTS, and Ubuntu 16.04 LTS. (CVE-2019-15681)
It was discovered that LibVNCServer incorrectly handled cursor shape updates. If a user were tricked into connecting to a malicious server, an attacker could possibly use this issue to cause LibVNCServ
Debian
CVE-2019-15680: libvncserver - TightVNC code version 1.3.10 contains null pointer dereference in HandleZlibBPP ...
vendor_debian·2019·CVSS 7.5
CVE-2019-15680 [HIGH] CVE-2019-15680: libvncserver - TightVNC code version 1.3.10 contains null pointer dereference in HandleZlibBPP ...
TightVNC code version 1.3.10 contains a null pointer dereference in the HandleZlibBPP function, which results in Denial of Service (DoS). This attack appears to be exploitable via network connectivity.
Scope: local
bookworm: open
bullseye: open
forky: open
sid: open
trixie: open
GHSA
GHSA-7734-vjrv-hjxq: TightVNC code version 1
ghsa_unreviewed·2022-05-24
CVE-2019-15680 [MEDIUM] CWE-476 GHSA-7734-vjrv-hjxq: TightVNC code version 1
TightVNC code version 1.3.10 contains a null pointer dereference in the HandleZlibBPP function, which results in Denial of Service (DoS). This attack appears to be exploitable via network connectivity.
OSV
libvncserver vulnerabilities
osv·2020-07-01·CVSS 9.8
CVE-2019-15680 [CRITICAL] libvncserver vulnerabilities
libvncserver vulnerabilities
It was discovered that LibVNCServer incorrectly handled decompressing data. An attacker could possibly use this issue to cause LibVNCServer to crash, resulting in a denial of service. (CVE-2019-15680)
It was discovered that an information disclosure vulnerability existed in LibVNCServer when sending a ServerCutText message. An attacker could possibly use this issue to expose sensitive information. This issue only affected Ubuntu 19.10, Ubuntu 18.04 LTS, and Ubuntu 16.04 LTS. (CVE-2019-15681)
It was discovered that LibVNCServer incorrectly handled cursor shape updates. If a user were tricked into connecting to a malicious server, an attacker could possibly use this issue to cause LibVNCServer to crash, resulting in a denial of service, or possibly execute ar
OSV
CVE-2019-15680: TightVNC code version 1
osv·2019-10-29·CVSS 7.5
CVE-2019-15680 [HIGH] CVE-2019-15680: TightVNC code version 1
TightVNC code version 1.3.10 contains a null pointer dereference in the HandleZlibBPP function, which results in Denial of Service (DoS). This attack appears to be exploitable via network connectivity.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
- https://cert-portal.siemens.com/productcert/pdf/ssa-478893.pdf
- https://lists.debian.org/debian-lts-announce/2019/12/msg00028.html
- https://us-cert.cisa.gov/ics/advisories/icsa-20-343-08
- https://usn.ubuntu.com/4407-1/
- https://www.openwall.com/lists/oss-security/2018/12/10/5