CVE-2019-15690
Published: 2025-01-24
Priority: P3 · 49 · high · 8.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 0.73% (49.8th percentile)
LibVNCServer 0.9.12 release and earlier contains heap buffer overflow vulnerability within the HandleCursorShape() function in libvncclient/cursor.c. An attacker sends cursor shapes with specially crafted dimensions, which can result in remote code execution.
Affected
21 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | libvncserver | < libvncserver 0.9.12+dfsg-9 (bookworm) | libvncserver 0.9.12+dfsg-9 (bookworm) |
| libvnc_project | libvncserver | <= 0.9.12 | — |
| libvncserver_project | libvncserver | >= 0 < 0.9.12+dfsg-9 | 0.9.12+dfsg-9 |
| libvncserver_project | libvncserver | >= 0 < 0.9.12+dfsg-9 | 0.9.12+dfsg-9 |
| libvncserver_project | libvncserver | >= 0 < 0.9.12+dfsg-9 | 0.9.12+dfsg-9 |
| libvncserver_project | libvncserver | >= 0 < 0.9.12+dfsg-9 | 0.9.12+dfsg-9 |
| libvncserver_project | libvncserver | >= 0 < 0.9.10+dfsg-3ubuntu0.16.04.4 | 0.9.10+dfsg-3ubuntu0.16.04.4 |
| libvncserver_project | libvncserver | >= 0 < 0.9.11+dfsg-1ubuntu1.2 | 0.9.11+dfsg-1ubuntu1.2 |
| libvncserver_project | libvncserver | >= 0 < 0.9.12+dfsg-9ubuntu0.1 | 0.9.12+dfsg-9ubuntu0.1 |
| siemens | simatic_itc1500_firmware | >= 3.0.0.0 < 3.2.1.0 | 3.2.1.0 |
| siemens | simatic_itc1500_pro_firmware | >= 3.0.0.0 < 3.2.1.0 | 3.2.1.0 |
| siemens | simatic_itc1900_firmware | >= 3.0.0.0 < 3.2.1.0 | 3.2.1.0 |
| siemens | simatic_itc1900_pro_firmware | >= 3.0.0.0 < 3.2.1.0 | 3.2.1.0 |
| siemens | simatic_itc2200_firmware | >= 3.0.0.0 < 3.2.1.0 | 3.2.1.0 |
| siemens | simatic_itc2200_pro_firmware | >= 3.0.0.0 < 3.2.1.0 | 3.2.1.0 |
CVSS provenance
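| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| osv | — | 9.8 | CRITICAL | — |
| vendor_ubuntu | — | 9.8 | CRITICAL | — |
| vendor_debian | — | 8.8 | HIGH | — |
| vendor_redhat | — | 8.8 | HIGH | — |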
CISA ICS
Siemens SIMATIC ITC
cisa_ics·2021-12-16·CVSS 9.8
[CRITICAL] Siemens SIMATIC ITC
ICS Advisory
## Siemens SIMATIC ITC
Last Revised: December 16, 2021
Alert Code: ICSA-21-350-12
## 1. EXECUTIVE SUMMARY
- CVSS v3 9.8
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Siemens
- Equipment: SIMATIC ITC Products
- Vulnerabilities: Using Components with Known Vulnerabilities
## 2. RISK EVALUATION
Successful exploitation of these LibVNC vulnerabilities could allow remote code execution, information disclosure, and denial-of-service attacks.
## 3. TECHNICAL DETAILS
## 3.1 AFFECTED PRODUCTS
Siemens reports these vulnerabilities affect the following SIMATIC Industri
Ubuntu
LibVNCServer vulnerabilities
vendor_ubuntu·2020-07-01·CVSS 9.8
CVE-2017-18922 [CRITICAL] LibVNCServer vulnerabilities
Title: LibVNCServer vulnerabilities
Summary: Several security issues were fixed in LibVNCServer.
It was discovered that LibVNCServer incorrectly handled decompressing data. An
attacker could possibly use this issue to cause LibVNCServer to crash,
resulting in a denial of service. (CVE-2019-15680)
It was discovered that an information disclosure vulnerability existed in
LibVNCServer when sending a ServerCutText message. An attacker could possibly
use this issue to expose sensitive information. This issue only affected
Ubuntu 19.10, Ubuntu 18.04 LTS, and Ubuntu 16.04 LTS. (CVE-2019-15681)
It was discovered that LibVNCServer incorrectly handled cursor shape updates.
If a user were tricked into connecting to a malicious server, an attacker
could possibly use this issue to cause LibVNCServ
Red Hat
libvncserver: HandleCursorShape() integer overflow resulting in heap-based buffer overflow
vendor_redhat·2019-12-20·CVSS 8.8
CVE-2019-15690 [HIGH] CWE-190 libvncserver: HandleCursorShape() integer overflow resulting in heap-based buffer overflow
LibVNCServer 0.9.12 release and earlier contains heap buffer overflow vulnerability within the HandleCursorShape() function in libvncclient/cursor.c. An attacker sends cursor shapes with specially crafted dimensions, which can result in remote code execution.
A flaw was found in libvncserver. An integer overflow within the HandleCursorShape() function can be exploited to cause a heap-based buffer overflow by tricking a user or application using libvncserver to connect to an untrusted server and subsequently send cursor shapes with specially crafted dimensions. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Mitigation: Libvncserv
Red Hat
libvncserver: integer overflow and heap-based buffer overflow in libvncclient/cursor.c in HandleCursorShape function
vendor_redhat·2019-11-17·CVSS 8.8
CVE-2019-20788 [HIGH] CWE-122 libvncserver: integer overflow and heap-based buffer overflow in libvncclient/cursor.c in HandleCursorShape function
libvncclient/cursor.c in LibVNCServer through 0.9.12 has a HandleCursorShape integer overflow and heap-based buffer overflow via a large height or width value. NOTE: this may overlap CVE-2019-15690.
A flaw was found in libvncserver in versions through 0.9.12. A large height or width value may cause an integer overflow or a heap-based buffer overflow. The highest threat from this vulnerability is to system availability.
Statement: This flaw was found to be a duplicate of CVE-2019-15690. Please see https://access.redhat.com/security/cve/CVE-2019-15690 for information about affected products and security errata.
Package: libvncserver (Red Hat Enterprise Linux 6) - Not affec
Debian
CVE-2019-15690: libvncserver - LibVNCServer 0.9.12 release and earlier contains heap buffer overflow vulnerabil...
vendor_debian·2019·CVSS 8.8
CVE-2019-15690 [HIGH] CVE-2019-15690: libvncserver - LibVNCServer 0.9.12 release and earlier contains heap buffer overflow vulnerabil...
LibVNCServer 0.9.12 release and earlier contains heap buffer overflow vulnerability within the HandleCursorShape() function in libvncclient/cursor.c. An attacker sends cursor shapes with specially crafted dimensions, which can result in remote code execution.
Scope: local
bookworm: resolved (fixed in 0.9.12+dfsg-9)
bullseye: resolved (fixed in 0.9.12+dfsg-9)
forky: resolved (fixed in 0.9.12+dfsg-9)
sid: resolved (fixed in 0.9.12+dfsg-9)
trixie: resolved (fixed in 0.9.12+dfsg-9)
Debian
CVE-2019-20788: libvncserver - libvncclient/cursor.c in LibVNCServer through 0.9.12 has a HandleCursorShape int...
vendor_debian·2019·CVSS 8.8
CVE-2019-20788 [HIGH] CVE-2019-20788: libvncserver - libvncclient/cursor.c in LibVNCServer through 0.9.12 has a HandleCursorShape int...
libvncclient/cursor.c in LibVNCServer through 0.9.12 has a HandleCursorShape integer overflow and heap-based buffer overflow via a large height or width value. NOTE: this may overlap CVE-2019-15690.
Scope: local
bookworm: resolved (fixed in 0.9.12+dfsg-9)
bullseye: resolved (fixed in 0.9.12+dfsg-9)
forky: resolved (fixed in 0.9.12+dfsg-9)
sid: resolved (fixed in 0.9.12+dfsg-9)
trixie: resolved (fixed in 0.9.12+dfsg-9)
GHSA
GHSA-rx9w-c6jv-2grg: LibVNCServer 0
ghsa_unreviewed·2025-01-24
CVE-2019-15690 [HIGH] CWE-122 GHSA-rx9w-c6jv-2grg: LibVNCServer 0
LibVNCServer 0.9.12 release and earlier contains heap buffer overflow vulnerability within the HandleCursorShape() function in libvncclient/cursor.c. An attacker sends cursor shapes with specially crafted dimensions, which can result in remote code execution.
OSV
CVE-2019-15690: LibVNCServer 0
osv·2025-01-24·CVSS 8.8
CVE-2019-15690 [HIGH] CVE-2019-15690: LibVNCServer 0
LibVNCServer 0.9.12 release and earlier contains heap buffer overflow vulnerability within the HandleCursorShape() function in libvncclient/cursor.c. An attacker sends cursor shapes with specially crafted dimensions, which can result in remote code execution.
GHSA
GHSA-7397-jpw5-q274: libvncclient/cursor
ghsa_unreviewed·2022-05-24·CVSS 8.8
CVE-2019-20788 [HIGH] CWE-190 GHSA-7397-jpw5-q274: libvncclient/cursor
libvncclient/cursor.c in LibVNCServer through 0.9.12 has a HandleCursorShape integer overflow and heap-based buffer overflow via a large height or width value. NOTE: this may overlap CVE-2019-15690.
OSV
libvncserver vulnerabilities
osv·2020-07-01·CVSS 9.8
CVE-2019-15680 [CRITICAL] libvncserver vulnerabilities
It was discovered that LibVNCServer incorrectly handled decompressing data. An
attacker could possibly use this issue to cause LibVNCServer to crash,
resulting in a denial of service. (CVE-2019-15680)
It was discovered that an information disclosure vulnerability existed in
LibVNCServer when sending a ServerCutText message. An attacker could possibly
use this issue to expose sensitive information. This issue only affected
Ubuntu 19.10, Ubuntu 18.04 LTS, and Ubuntu 16.04 LTS. (CVE-2019-15681)
It was discovered that LibVNCServer incorrectly handled cursor shape updates.
If a user were tricked into connecting to a malicious server, an attacker
could possibly use this issue to cause LibVNCServer to crash, resulting in a
denial of service, or possibly execute ar
OSV
CVE-2019-20788: libvncclient/cursor
osv·2020-04-23·CVSS 8.8
CVE-2019-20788 [HIGH] CVE-2019-20788: libvncclient/cursor
libvncclient/cursor.c in LibVNCServer through 0.9.12 has a HandleCursorShape integer overflow and heap-based buffer overflow via a large height or width value. NOTE: this may overlap CVE-2019-15690.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2019-20788 libvncserver: integer overflow and heap-based buffer overflow in libvncclient/cursor.c in HandleCursorShape function
bugzilla·2020-04-30·CVSS 8.8
CVE-2019-20788 [HIGH] CVE-2019-20788 libvncserver: integer overflow and heap-based buffer overflow in libvncclient/cursor.c in HandleCursorShape function
libvncclient/cursor.c in LibVNCServer through 0.9.12 has a HandleCursorShape integer overflow and heap-based buffer overflow via a large height or width value. NOTE: this may overlap CVE-2019-15690.
Reference and upstream commit:
https://github.com/LibVNC/libvncserver/commit/54220248886b5001fbbb9fa73c4e1a2cb9413fed
Discussion:
Created libvncserver tracking bugs for this issue:
Affects: epel-7 [bug 1829872]
Affects: fedora-all [bug 1829871]
---
*** This bug has been marked as a duplicate of bug 1811948 ***
---
Statement:
This flaw was found to be a duplicate of CVE-2019-15690. Please see https://access.redhat.com/security/cve/CVE-2019-15690 for inform
Bugzilla
CVE-2019-15690 libvncserver: heap buffer overflow could result in crash or arbitrary code execution [fedora-all]
bugzilla·2020-03-10·CVSS 8.8
CVE-2019-15690 [HIGH] CVE-2019-15690 libvncserver: heap buffer overflow could result in crash or arbitrary code execution [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue
Bugzilla
CVE-2019-15690 libvncserver: heap buffer overflow could result in crash or arbitrary code execution [epel-7]
bugzilla·2020-03-10·CVSS 8.8
CVE-2019-15690 [HIGH] CVE-2019-15690 libvncserver: heap buffer overflow could result in crash or arbitrary code execution [epel-7]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-7.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
Discussion:
Use the foll
Bugzilla
CVE-2019-15690 libvncserver: HandleCursorShape() integer overflow resulting in heap-based buffer overflow
bugzilla·2020-03-10·CVSS 8.8
CVE-2019-15690 [HIGH] CVE-2019-15690 libvncserver: HandleCursorShape() integer overflow resulting in heap-based buffer overflow
An integer overflow within the HandleCursorShape() function in libvncclient/cursor.c can be exploited to cause a heap-based buffer overflow by tricking a user or application using libvncserver to connect to an untrusted server and subsequently sending cursor shapes with specially crafted dimensions.
Discussion:
Created libvncserver tracking bugs for this issue:
Affects: epel-7 [bug 1811951]
Affects: fedora-all [bug 1811950]
---
Researcher Reference:
https://www.openwall.com/lists/oss-security/2019/12/20/2
---
Patch:
https://github.com/LibVNC/libvncserver/commit/54220248886b5001fbbb9fa73c4e1a2cb9413fed
---
This issue has been addressed in the following products:
Red Hat Ent
Published: 2025-01-24