spice-gtk

Vendor: freedesktop

Actively Exploited: 0 (CISA KEV List)
PoC / Exploits: 1 (Code Available)
Total RCEs: 1 (Remote Access)
Total CVEs: 2 (Total Indexed)
Avg. EPSS: 0.59% (Exploit Prob.)
Latest CVE: CVE-2017-12194 (Mar 14)

Security Vulnerability Index

9.8 CVSS

A flaw was found in the way spice-client processed certain messages sent from the server. An attacker having control of a malicious spice-server could use this flaw to crash the client or execute arbitrary code with the permissions of the user running the client. spice-gtk versions through 0.34 are believed to be vulnerable.

EPSS: 1.48%
6.5 CVSS

The spice-gtk widget allows remote authenticated users to obtain information from the host clipboard.

EPSS: 0.28%
4.6 CVSS

spice-gtk 0.14, and possibly other versions, invokes the polkit authority using the insecure polkit_unix_process_new API function, which allows local users to bypass intended access restrictions by leveraging a PolkitUnixProcess PolkitSubject race condition via a (1) setuid process or (2) pkexec process, a related issue to CVE-2013-4288.

EPSS: 0.07%
6.9 CVSS
CVE-2012-4425
Exploit Found

libgio, when used in setuid or other privileged programs in spice-gtk and possibly other products, allows local users to gain privileges and execute arbitrary code via the DBUS_SYSTEM_BUS_ADDRESS environment variable. NOTE: it could be argued that this is a vulnerability in the applications that do not cleanse environment variables, not in libgio itself.

EPSS: 0.55%