NVD Vulnerability Detail

CVE-2020-25651

Summary	A flaw was found in the SPICE file transfer protocol. File data from the host system can end up in full or in parts in the client connection of an illegitimate local user in the VM system. Active file transfers from other users could also be interrupted, resulting in a denial of service. The highest threat from this vulnerability is to data confidentiality as well as system availability. This flaw affects spice-vdagent versions 0.20 and prior.
Publication Date	Nov. 26, 2020, 11:15 a.m.
Registration Date	Jan. 26, 2021, 11:55 a.m.
Last Update	Nov. 21, 2024, 2:18 p.m.

Affected software configurations

Configuration1		or higher	or less	more than	less than
cpe:2.3:a:spice-space:spice-vdagent::::::::			0.20.0

Configuration2		or higher	or less	more than	less than
cpe:2.3:o:debian:debian_linux:9.0:::::::*

Related information, measures and tools

No	URL	タグ
1	https://bugzilla.redhat.com/show_bug.cgi?id=1886359	Issue Tracking Patch Third Party Advisory
2	https://bugzilla.redhat.com/show_bug.cgi?id=1886359	Issue Tracking Patch Third Party Advisory
3	https://lists.debian.org/debian-lts-announce/2021/01/msg00012.html	Mailing List Third Party Advisory
4	https://lists.debian.org/debian-lts-announce/2021/01/msg00012.html	Mailing List Third Party Advisory
5	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GQT56LATVTB2DJOVVJOKQVMVUXYCT2VB/
6	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GQT56LATVTB2DJOVVJOKQVMVUXYCT2VB/
7	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OIWJ2EIQXWEA2VDBODEATHAT37X4CREP/
8	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OIWJ2EIQXWEA2VDBODEATHAT37X4CREP/
9	https://www.openwall.com/lists/oss-security/2020/11/04/1	Exploit Mailing List Third Party Advisory
10	https://www.openwall.com/lists/oss-security/2020/11/04/1	Exploit Mailing List Third Party Advisory

Common Vulnerabilities List

JVN Vulnerability Information

spice-vdagent における競合状態に関する脆弱性

Title	spice-vdagent における競合状態に関する脆弱性
Summary	spice-vdagent には、競合状態に関する脆弱性が存在します。
Possible impacts	情報を取得される、およびサービス運用妨害 (DoS) 状態にされる可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	Nov. 4, 2020, midnight
Registration Date	July 14, 2021, 4:05 p.m.
Last Update	July 14, 2021, 4:05 p.m.

Affected System

Debian

Debian GNU/Linux

Fedora Project

Fedora

Spice Project

spice-vdagent 0.20 およびそれ以前

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2020-25651	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25651
National Vulnerability Database (NVD)
2	CVE-2020-25651	https://nvd.nist.gov/vuln/detail/CVE-2020-25651

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-362	https://jvndb.jvn.jp/ja/cwe/CWE-362.html

ベンダー情報

No	Name	URL
Debian
1	[SECURITY] [DLA 2524-1] spice-vdagent security update	https://lists.debian.org/debian-lts-announce/2021/01/msg00012.html
Fedora Update Notification
2	FEDORA-2021-09ce0cdfac	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OIWJ2EIQXWEA2VDBODEATHAT37X4CREP/
3	FEDORA-2021-510977db25	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GQT56LATVTB2DJOVVJOKQVMVUXYCT2VB/
Spice
4	Top Page	https://www.spice-space.org/

その他

No	Name	URL
関連文書
1	Bug 1886359 (CVE-2020-25651) - CVE-2020-25651 spice-vdagent: possible file transfer DoS and information leak via active_xfers hash map	https://bugzilla.redhat.com/show_bug.cgi?id=1886359
2	Security Issues in the spice-vdagentd daemon	https://www.openwall.com/lists/oss-security/2020/11/04/1

Change Log

No	Changed Details	Date of change
1	[2021年07月14日] 掲載	July 14, 2021, 4:05 p.m.