CVE-2020-25652 — Allocation of Resources Without Limits or Throttling in Spice-vdagent
Severity
5.5MEDIUMNVD
EPSS
0.2%
top 56.46%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
PublishedNov 26
Latest updateMay 24
Description
A flaw was found in the spice-vdagentd daemon, where it did not properly handle client connections that can be established via the UNIX domain socket in `/run/spice-vdagentd/spice-vdagent-sock`. Any unprivileged local guest user could use this flaw to prevent legitimate agents from connecting to the spice-vdagentd daemon, resulting in a denial of service. The highest threat from this vulnerability is to system availability. This flaw affects spice-vdagent versions 0.20 and prior.
CVSS vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:HExploitability: 1.8 | Impact: 3.6
Affected Packages8 packages
Also affects: Debian Linux 9.0, Fedora 32, 33
Patches
🔴Vulnerability Details
3GHSA▶
GHSA-6rmh-mmff-jmfj: A flaw was found in the spice-vdagentd daemon, where it did not properly handle client connections that can be established via the UNIX domain socket↗2022-05-24
OSV▶
CVE-2020-25652: A flaw was found in the spice-vdagentd daemon, where it did not properly handle client connections that can be established via the UNIX domain socket↗2020-11-26
📋Vendor Advisories
4Microsoft▶
A flaw was found in the spice-vdagentd daemon where it did not properly handle client connections that can be established via the UNIX domain socket in `/run/spice-vdagentd/spice-vdagent-sock`. Any un↗2020-11-10
Debian▶
CVE-2020-25652: spice-vdagent - A flaw was found in the spice-vdagentd daemon, where it did not properly handle ...↗2020