CVE-2020-25651 — MEDIUM (6.4)

Q: How severe is CVE-2020-25651?

CVE-2020-25651 has been rated MEDIUM with a CVSS base score of 6.4/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2020-25651?

Check the references section above for vendor advisories and patch information. Affected products include: Spice-Space Spice-Vdagent, Debian Debian Linux, Fedoraproject Fedora.

Vulnerability Description

A flaw was found in the SPICE file transfer protocol. File data from the host system can end up in full or in parts in the client connection of an illegitimate local user in the VM system. Active file transfers from other users could also be interrupted, resulting in a denial of service. The highest threat from this vulnerability is to data confidentiality as well as system availability. This flaw affects spice-vdagent versions 0.20 and prior.

CVSS Score

6.4

MEDIUM

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:L

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality

HIGH

Integrity

NONE

Availability

LOW

Affected Products

Vendor	Product	Versions
Spice-Space	Spice-Vdagent	<= 0.20.0
Debian	Debian Linux	9.0
Fedoraproject	Fedora	32

Related Weaknesses (CWE)

CWE-362

References

https://bugzilla.redhat.com/show_bug.cgi?id=1886359Issue TrackingPatchThird Party Advisory
https://lists.debian.org/debian-lts-announce/2021/01/msg00012.htmlMailing ListThird Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://www.openwall.com/lists/oss-security/2020/11/04/1ExploitMailing ListThird Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1886359Issue TrackingPatchThird Party Advisory
https://lists.debian.org/debian-lts-announce/2021/01/msg00012.htmlMailing ListThird Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://www.openwall.com/lists/oss-security/2020/11/04/1ExploitMailing ListThird Party Advisory

FAQ

What is CVE-2020-25651?

CVE-2020-25651 is a vulnerability with a CVSS score of 6.4 (MEDIUM). A flaw was found in the SPICE file transfer protocol. File data from the host system can end up in full or in parts in the client connection of an illegitimate local user in the VM system. Active file...

How severe is CVE-2020-25651?

CVE-2020-25651 has been rated MEDIUM with a CVSS base score of 6.4/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2020-25651?

Check the references section above for vendor advisories and patch information. Affected products include: Spice-Space Spice-Vdagent, Debian Debian Linux, Fedoraproject Fedora.