Vulnerability Name:

CVE-2021-20201 (CCN-202685)

Assigned: 2020-12-01
Published: 2020-12-01
Updated: 2022-10-21
Summary: A flaw was found in spice in versions before 0.14.92. A DoS tool might make it easier for remote attackers to cause a denial of service (CPU consumption) by performing many renegotiations within a single connection.
CVSS v3 Severity:
5.3 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
4.6 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C)
Exploitability Metrics:
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:
Scope (S): Unchanged
Impact Metrics:
Confidentiality (C): None
Integrity (I): None
Availability (A): Low

5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
4.6 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C)
Exploitability Metrics:
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:
Scope (S): Unchanged
Impact Metrics:
Confidentiality (C): None
Integrity (I): None
Availability (A): Low

5.3 Medium (REDHAT CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
4.6 Medium (REDHAT Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C)
Exploitability Metrics:
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:
Scope (S): Unchanged
Impact Metrics:
Confidentiality (C): None
Integrity (I): None
Availability (A): Low
CVSS v2 Severity:
5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)
Exploitability Metrics:
Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:
Confidentiality (C): None
Integrity (I): None
Availability (A): Partial

5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)
Exploitability Metrics:
Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:
Confidentiality (C): None
Integrity (I): None
Availability (A): Partial

Vulnerability Type: CWE-Other
CWE-400
Vulnerability Consequences: Denial of Service
References:

Source: MITRE
Type: CNA
CVE-2021-20201

Source: MISC
Type: Exploit, Third Party Advisory
https://blog.qualys.com/product-tech/2011/10/31/tls-renegotiation-and-denial-of-service-attacks

Source: CCN
Type: Red Hat Bugzilla – Bug 1921846
(CVE-2021-20201) - CVE-2021-20201 spice: Client initiated renegotiation denial of service

Source: MISC
Type: Issue Tracking, Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1921846

Source: XF
Type: UNKNOWN
spice-cve202120201-dos(202685)

Source: CCN
Type: Spice GIT Repository
spice

Source: GENTOO
Type: Third Party Advisory
GLSA-202208-10

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2021-20201

Vulnerable Configuration:

Configuration 1:
  • cpe:/a:spice_project:spice:*:*:*:*:*:*:*:* (Version < 0.14.92)

Configuration 2:
  • cpe:/o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*

Configuration RedHat 1:
  • cpe:/a:redhat:enterprise_linux:8:*:*:*:*:*:*:*

Configuration RedHat 2:
  • cpe:/a:redhat:enterprise_linux:8::appstream:*:*:*:*:*

Configuration RedHat 3:
  • cpe:/a:redhat:enterprise_linux:8::crb:*:*:*:*:*

Configuration CCN 1:
  • cpe:/a:spice_project:spice:0.12.3:*:*:*:*:*:*:*
  • OR cpe:/a:spice_project:spice:0.12.0:*:*:*:*:*:*:*
  • OR cpe:/a:spice_project:spice:0.5.2:*:*:*:*:*:*:*
  • OR cpe:/a:redhat:spice:0.14.1:*:*:*:*:*:*:*

* Denotes that component is vulnerable
    spice_project spice *
    redhat enterprise linux 7.0
    redhat enterprise linux 6.0
    redhat enterprise linux 8.0
    spice_project spice 0.12.3
    spice_project spice 0.12.0
    spice_project spice 0.5.2
    redhat spice 0.14.1