CVE-2019-15681

Improper Initialization

Published: Oct 29, 2019 | Modified: Apr 05, 2022
CVSS 3.x: 7.5 HIGH (Source: NVD)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS 2.x: 5 MEDIUM
AV:N/AC:L/Au:N/C:P/I:N/A:N
RedHat/V2
RedHat/V3: 5.3 LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Ubuntu: LOW

LibVNC before commit d01e1bb4246323ba6fcee3b82ef1faa9b1dac82a contains a memory leak (CWE-655) in VNC server code, which allows an attacker to read stack memory and can be abused for information disclosure. Combined with another vulnerability, it can be used to leak stack memory and bypass ASLR. This attack appears to be exploitable via network connectivity. These vulnerabilities have been fixed in commit d01e1bb4246323ba6fcee3b82ef1faa9b1dac82a.

Weakness

The product does not initialize or incorrectly initializes a resource, which might leave the resource in an unexpected state when it is accessed or used.

Affected Software

Name          Vendor          Start Version  End Version
Libvncserver  Libvnc_project  *              0.9.12 (excluding)
Italc         Ubuntu          bionic         *
Italc         Ubuntu          trusty         *
Italc         Ubuntu          upstream       *
Italc         Ubuntu          xenial         *
Krfb          Ubuntu          bionic         *
Krfb          Ubuntu          disco          *
Krfb          Ubuntu          eoan           *
Krfb          Ubuntu          groovy         *
Krfb          Ubuntu          hirsute        *
Krfb          Ubuntu          impish         *
Krfb          Ubuntu          kinetic        *
Krfb          Ubuntu          lunar          *
Krfb          Ubuntu          mantic         *
Krfb          Ubuntu          trusty         *
Krfb          Ubuntu          xenial         *
Libvncserver  Ubuntu          bionic         *
Libvncserver  Ubuntu          disco          *
Libvncserver  Ubuntu          eoan           *
Libvncserver  Ubuntu          trusty         *
Libvncserver  Ubuntu          xenial         *
Tightvnc      Ubuntu          bionic         *
Tightvnc      Ubuntu          disco          *
Tightvnc      Ubuntu          eoan           *
Tightvnc      Ubuntu          groovy         *
Tightvnc      Ubuntu          hirsute        *
Tightvnc      Ubuntu          impish         *
Tightvnc      Ubuntu          kinetic        *
Tightvnc      Ubuntu          lunar          *
Tightvnc      Ubuntu          mantic         *
Tightvnc      Ubuntu          trusty         *
Tightvnc      Ubuntu          trusty/esm     *
Tightvnc      Ubuntu          xenial         *
Veyon         Ubuntu          disco          *
Veyon         Ubuntu          eoan           *
Veyon         Ubuntu          groovy         *
Veyon         Ubuntu          hirsute        *
Veyon         Ubuntu          impish         *
Veyon         Ubuntu          kinetic        *
Veyon         Ubuntu          lunar          *
Veyon         Ubuntu          mantic         *
Veyon         Ubuntu          trusty         *
Vino          Ubuntu          bionic         *
Vino          Ubuntu          devel          *
Vino          Ubuntu          disco          *
Vino          Ubuntu          eoan           *
Vino          Ubuntu          focal          *
Vino          Ubuntu          groovy         *
Vino          Ubuntu          hirsute        *
Vino          Ubuntu          impish         *
Vino          Ubuntu          jammy          *
Vino          Ubuntu          kinetic        *
Vino          Ubuntu          lunar          *
Vino          Ubuntu          mantic         *
Vino          Ubuntu          noble          *
Vino          Ubuntu          oracular       *
Vino          Ubuntu          trusty         *
Vino          Ubuntu          xenial         *
X11vnc        Ubuntu          bionic         *
X11vnc        Ubuntu          disco          *
X11vnc        Ubuntu          eoan           *
X11vnc        Ubuntu          groovy         *
X11vnc        Ubuntu          hirsute        *
X11vnc        Ubuntu          impish         *
X11vnc        Ubuntu          kinetic        *
X11vnc        Ubuntu          lunar          *
X11vnc        Ubuntu          mantic         *
X11vnc        Ubuntu          trusty         *
X11vnc        Ubuntu          trusty/esm     *
X11vnc        Ubuntu          xenial         *

Potential Mitigations

  • Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
  • For example, in Java, if the programmer does not explicitly initialize a variable, then the code could produce a compile-time error (if the variable is local) or automatically initialize the variable to the default value for the variable’s type. In Perl, if explicit initialization is not performed, then a default value of undef is assigned, which is interpreted as 0, false, or an equivalent value depending on the context in which the variable is accessed.
