CVE-2019-15691 — HIGH (7.2)

Q: How severe is CVE-2019-15691?

CVE-2019-15691 has been rated HIGH with a CVSS base score of 7.2/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2019-15691?

Check the references section above for vendor advisories and patch information. Affected products include: Tigervnc Tigervnc, Opensuse Leap.

Vulnerability Description

TigerVNC version prior to 1.10.1 is vulnerable to stack use-after-return, which occurs due to incorrect usage of stack memory in ZRLEDecoder. If decoding routine would throw an exception, ZRLEDecoder may try to access stack variable, which has been already freed during the process of stack unwinding. Exploitation of this vulnerability could potentially result into remote code execution. This attack appear to be exploitable via network connectivity.

CVSS Score

7.2

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Tigervnc	Tigervnc	< 1.10.1
Opensuse	Leap	15.1

Related Weaknesses (CWE)

CWE-825 CWE-672

References

http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00039.htmlThird Party Advisory
https://github.com/CendioOssman/tigervnc/commit/d61a767d6842b530ffb532ddd5a3d233PatchThird Party Advisory
https://github.com/TigerVNC/tigervnc/releases/tag/v1.10.1Release NotesThird Party Advisory
https://www.openwall.com/lists/oss-security/2019/12/20/2ExploitMailing ListThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00039.htmlThird Party Advisory
https://github.com/CendioOssman/tigervnc/commit/d61a767d6842b530ffb532ddd5a3d233PatchThird Party Advisory
https://github.com/TigerVNC/tigervnc/releases/tag/v1.10.1Release NotesThird Party Advisory
https://www.openwall.com/lists/oss-security/2019/12/20/2ExploitMailing ListThird Party Advisory

FAQ

What is CVE-2019-15691?

CVE-2019-15691 is a vulnerability with a CVSS score of 7.2 (HIGH). TigerVNC version prior to 1.10.1 is vulnerable to stack use-after-return, which occurs due to incorrect usage of stack memory in ZRLEDecoder. If decoding routine would throw an exception, ZRLEDecoder ...

How severe is CVE-2019-15691?

CVE-2019-15691 has been rated HIGH with a CVSS base score of 7.2/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2019-15691?

Check the references section above for vendor advisories and patch information. Affected products include: Tigervnc Tigervnc, Opensuse Leap.