Spice Space Spice Space

  1. Vendors
  2. Spice Space
Do you want an email whenever new security vulnerabilities are reported in any Spice Space product?

Products by Spice Space Sorted by Most Security Vulnerabilities since 2018

Spice Space Spice Vdagent5 vulnerabilities

Spice Space Spice Server1 vulnerability

Spice Space Usbredir1 vulnerability

By the Year

In 2024 there have been 0 vulnerabilities in Spice Space . Last year Spice Space had 1 security vulnerability published. Right now, Spice Space is on track to have less security vulnerabilities in 2024 than it did last year.

Year Vulnerabilities Average Score
2024 0 0.00
2023 1 8.60
2022 1 6.40
2021 0 0.00
2020 4 5.93
2019 0 0.00
2018 1 7.80

It may take a day or so for new Spice Space vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.

Recent Spice Space Security Vulnerabilities

An issue was discovered in spice-server spice-server-0.14.0-6.el7_6.1.x86_64 of Redhat's VDI product

CVE-2020-23793 8.6 - High - August 22, 2023

An issue was discovered in spice-server spice-server-0.14.0-6.el7_6.1.x86_64 of Redhat's VDI product. There is a security vulnerablility that can restart KVMvirtual machine without any authorization. It is not yet known if there will be other other effects.

AuthZ

A use-after-free vulnerability was found in usbredir in versions prior to 0.11.0 in the usbredirparser_serialize() in usbredirparser/usbredirparser.c

CVE-2021-3700 6.4 - Medium - February 24, 2022

A use-after-free vulnerability was found in usbredir in versions prior to 0.11.0 in the usbredirparser_serialize() in usbredirparser/usbredirparser.c. This issue occurs when serializing large amounts of buffered write data in the case of a slow or blocked destination.

Dangling pointer

A flaw was found in the SPICE file transfer protocol

CVE-2020-25651 6.4 - Medium - November 26, 2020

A flaw was found in the SPICE file transfer protocol. File data from the host system can end up in full or in parts in the client connection of an illegitimate local user in the VM system. Active file transfers from other users could also be interrupted, resulting in a denial of service. The highest threat from this vulnerability is to data confidentiality as well as system availability. This flaw affects spice-vdagent versions 0.20 and prior.

Information Disclosure

A flaw was found in the spice-vdagentd daemon, where it did not properly handle client connections

CVE-2020-25652 5.5 - Medium - November 26, 2020

A flaw was found in the spice-vdagentd daemon, where it did not properly handle client connections that can be established via the UNIX domain socket in `/run/spice-vdagentd/spice-vdagent-sock`. Any unprivileged local guest user could use this flaw to prevent legitimate agents from connecting to the spice-vdagentd daemon, resulting in a denial of service. The highest threat from this vulnerability is to system availability. This flaw affects spice-vdagent versions 0.20 and prior.

Allocation of Resources Without Limits or Throttling

A race condition vulnerability was found in the way the spice-vdagentd daemon handled new client connections

CVE-2020-25653 6.3 - Medium - November 26, 2020

A race condition vulnerability was found in the way the spice-vdagentd daemon handled new client connections. This flaw may allow an unprivileged local guest user to become the active agent for spice-vdagentd, possibly resulting in a denial of service or information leakage from the host. The highest threat from this vulnerability is to data confidentiality as well as system availability. This flaw affects spice-vdagent versions 0.20 and prior.

Race Condition

A flaw was found in the way the spice-vdagentd daemon handled file transfers from the host system to the virtual machine

CVE-2020-25650 5.5 - Medium - November 25, 2020

A flaw was found in the way the spice-vdagentd daemon handled file transfers from the host system to the virtual machine. Any unprivileged local guest user with access to the UNIX domain socket path `/run/spice-vdagentd/spice-vdagent-sock` could use this flaw to perform a memory denial of service for spice-vdagentd or even other processes in the VM system. The highest threat from this vulnerability is to system availability. This flaw affects spice-vdagent versions 0.20 and previous versions.

Allocation of Resources Without Limits or Throttling

spice-vdagent up to and including 0.17.0 does not properly escape save directory before passing to shell

CVE-2017-15108 7.8 - High - January 20, 2018

spice-vdagent up to and including 0.17.0 does not properly escape save directory before passing to shell, allowing local attacker with access to the session the agent runs in to inject arbitrary commands to be executed.

Shell injection

Built by Foundeo Inc., with data from the National Vulnerability Database (NVD), Icons by Icons8. Privacy Policy. Use of this site is governed by the Legal Terms
Disclaimer
CONTENT ON THIS WEBSITE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. Always check with your vendor for the most up to date, and accurate information.