Vulnerability Details : CVE-2014-8240
Integer overflow in TigerVNC allows remote VNC servers to cause a denial of service (crash) and possibly execute arbitrary code via vectors related to screen size handling, which triggers a heap-based buffer overflow, a similar issue to CVE-2014-6051.
Vulnerability category: OverflowExecute codeDenial of service
Exploit prediction scoring system (EPSS) score for CVE-2014-8240
Probability of exploitation activity in the next 30 days: 1.59%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 86 % EPSS Score History EPSS FAQ
CVSS scores for CVE-2014-8240
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
---|---|---|---|---|---|
7.5
|
HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
10.0
|
6.4
|
NIST |
CWE ids for CVE-2014-8240
-
The product performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer.Assigned by: nvd@nist.gov (Primary)
References for CVE-2014-8240
-
http://www.securityfocus.com/bid/70391
TigerVNC Screen Size Handling Integer Overflow Vulnerability
-
http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html
Oracle Solaris Third Party Bulletin - October 2015
-
https://bugzilla.redhat.com/show_bug.cgi?id=1151307
1151307 – (CVE-2014-8240) CVE-2014-8240 tigervnc: integer overflow flaw, leading to a heap-based buffer overflow in screen size handling
-
http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html
Oracle Linux Bulletin - October 2015
-
http://seclists.org/oss-sec/2014/q4/300
oss-sec: Re: Request for CVE assignment for tigervnc affected by similar flaws as in CVE-2014-6051 and CVE-2014-6052 of libvncserver
-
http://seclists.org/oss-sec/2014/q4/278
oss-sec: Request for CVE assignment for tigervnc affected by similar flaws as in CVE-2014-6051 and CVE-2014-6052 of libvncserver
-
https://exchange.xforce.ibmcloud.com/vulnerabilities/96947
TigerVNC screen size buffer overflow CVE-2014-8240 Vulnerability Report
-
https://security.gentoo.org/glsa/201612-36
TigerVNC: Integer overflow (GLSA 201612-36) — Gentoo security
Products affected by CVE-2014-8240
- cpe:2.3:a:tigervnc:tigervnc:1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:tigervnc:tigervnc:1.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:tigervnc:tigervnc:0.0.90:*:*:*:*:*:*:*
- cpe:2.3:a:tigervnc:tigervnc:0.0.91:*:*:*:*:*:*:*
- cpe:2.3:a:tigervnc:tigervnc:1.0.0:*:*:*:*:*:*:*