CVE-2020-25653

Publication date 3 November 2020

Last updated 24 July 2024


Ubuntu priority

Cvss 3 Severity Score

6.3 · Medium

Score breakdown

A race condition vulnerability was found in the way the spice-vdagentd daemon handled new client connections. This flaw may allow an unprivileged local guest user to become the active agent for spice-vdagentd, possibly resulting in a denial of service or information leakage from the host. The highest threat from this vulnerability is to data confidentiality as well as system availability. This flaw affects spice-vdagent versions 0.20 and prior.

Status

Package Ubuntu Release Status
spice-vdagent 24.10 oracular
Fixed 0.20.0-1ubuntu0.1
24.04 LTS noble
Fixed 0.20.0-1ubuntu0.1
23.10 mantic
Fixed 0.20.0-1ubuntu0.1
23.04 lunar
Fixed 0.20.0-1ubuntu0.1
22.10 kinetic
Fixed 0.20.0-1ubuntu0.1
22.04 LTS jammy
Fixed 0.20.0-1ubuntu0.1
21.10 impish
Fixed 0.20.0-1ubuntu0.1
21.04 hirsute
Fixed 0.20.0-1ubuntu0.1
20.10 groovy
Fixed 0.20.0-1ubuntu0.1
20.04 LTS focal
Fixed 0.19.0-2ubuntu0.2
18.04 LTS bionic
Fixed 0.17.0-1ubuntu2.2
16.04 LTS xenial
Vulnerable
14.04 LTS trusty Not in release

Severity score breakdown

Parameter Value
Base score 6.3 · Medium
Attack vector Local
Attack complexity High
Privileges required Low
User interaction None
Scope Unchanged
Confidentiality High
Integrity impact None
Availability impact High
Vector CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:H

References

Related Ubuntu Security Notices (USN)

    • USN-4617-1
    • SPICE vdagent vulnerabilities
    • 4 November 2020

Other references