CVE-2023-3255 - OpenCVE

A flaw was found in the QEMU built-in VNC server while processing ClientCutText messages. A wrong exit condition may lead to an infinite loop when inflating an attacker controlled zlib buffer in the `inflate_buffer` function. This could allow a remote authenticated client who is able to send a clipboard to the VNC server to trigger a denial of service.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Redhat	Enterprise Linux
Fedoraproject	Fedora
Qemu	Qemu

Configuration 1 [-]

cpe:2.3:a:qemu:qemu:*:*:*:*:*:*:*:*

Configuration 2 [-]

OR	cpe:2.3:o:redhat:enterprise_linux:8.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux:9.0:::::::*

Configuration 3 [-]

cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*

References

Link	Resource
https://access.redhat.com/errata/RHSA-2024:2135
https://access.redhat.com/errata/RHSA-2024:2962
https://access.redhat.com/security/cve/CVE-2023-3255	Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2218486	Issue Tracking Patch Third Party Advisory
https://security.netapp.com/advisory/ntap-20231020-0008/	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: redhat

Published: 2023-09-13T16:12:52.294Z

Updated: 2024-05-29T22:14:09.966Z

Reserved: 2023-06-14T21:08:31.376Z

Link: CVE-2023-3255

JSON object: View

NVD Information

Status : Modified

Published: 2023-09-13T17:15:09.877

Modified: 2024-05-22T17:16:03.847

Link: CVE-2023-3255

JSON object: View

Redhat Information

No data.

CWE

CWE-835

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-3255", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2023-06-14T21:08:31.376Z", "datePublished": "2023-09-13T16:12:52.294Z", "dateUpdated": "2024-05-29T22:14:09.966Z"}, "containers": {"cna": {"title": "Qemu: vnc: infinite loop in inflate_buffer() leads to denial of service", "metrics": [{"other": {"content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A flaw was found in the QEMU built-in VNC server while processing ClientCutText messages. A wrong exit condition may lead to an infinite loop when inflating an attacker controlled zlib buffer in the `inflate_buffer` function. This could allow a remote authenticated client who is able to send a clipboard to the VNC server to trigger a denial of service."}], "affected": [{"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "virt-devel:rhel", "defaultStatus": "affected", "versions": [{"version": "8100020240314161907.e155f54d", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:enterprise_linux:8::appstream", "cpe:/a:redhat:enterprise_linux:8::crb"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "virt:rhel", "defaultStatus": "affected", "versions": [{"version": "8100020240314161907.e155f54d", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:enterprise_linux:8::appstream", "cpe:/a:redhat:enterprise_linux:8::crb"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "qemu-kvm", "defaultStatus": "affected", "versions": [{"version": "17:8.2.0-11.el9_4", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:enterprise_linux:9::appstream"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 6", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "qemu-kvm", "defaultStatus": "unaffected", "cpes": ["cpe:/o:redhat:enterprise_linux:6"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 7", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "qemu-kvm", "defaultStatus": "unaffected", "cpes": ["cpe:/o:redhat:enterprise_linux:7"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 7", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "qemu-kvm-ma", "defaultStatus": "unaffected", "cpes": ["cpe:/o:redhat:enterprise_linux:7"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8 Advanced Virtualization", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "virt:av/qemu-kvm", "defaultStatus": "unaffected", "cpes": ["cpe:/a:redhat:advanced_virtualization:8::el8"]}], "references": [{"url": "https://access.redhat.com/errata/RHSA-2024:2135", "name": "RHSA-2024:2135", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:2962", "name": "RHSA-2024:2962", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/security/cve/CVE-2023-3255", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2218486", "name": "RHBZ#2218486", "tags": ["issue-tracking", "x_refsource_REDHAT"]}, {"url": "https://security.netapp.com/advisory/ntap-20231020-0008/"}], "datePublic": "2023-07-04T00:00:00+00:00", "problemTypes": [{"descriptions": [{"cweId": "CWE-835", "description": "Loop with Unreachable Exit Condition ('Infinite Loop')", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')", "timeline": [{"lang": "en", "time": "2023-06-28T00:00:00+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2023-07-04T00:00:00+00:00", "value": "Made public."}], "credits": [{"lang": "en", "value": "Red Hat would like to thank Kevin Denis (Synacktiv) for reporting this issue."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2024-05-29T22:14:09.966Z"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:qemu:qemu:*:*:*:*:*:*:*:*", "matchCriteriaId": "445665D6-88FF-45C2-BB87-34AB7A72A7BF", "versionEndIncluding": "8.0.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "F4CFF558-3C47-480D-A2F0-BABF26042943", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "7F6FB57C-2BC7-487C-96DD-132683AEB35D", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*", "matchCriteriaId": "CC559B26-5DFC-4B7A-A27C-B77DE755DFF9", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A flaw was found in the QEMU built-in VNC server while processing ClientCutText messages. A wrong exit condition may lead to an infinite loop when inflating an attacker controlled zlib buffer in the `inflate_buffer` function. This could allow a remote authenticated client who is able to send a clipboard to the VNC server to trigger a denial of service."}, {"lang": "es", "value": "Se encontr\u00f3 una falla en el servidor VNC integrado de QEMU al procesar mensajes ClientCutText. Una condici\u00f3n de salida incorrecta puede provocar un bucle infinito al inflar un b\u00fafer zlib controlado por un atacante en la funci\u00f3n `inflate_buffer`. Esto podr\u00eda permitir que un cliente remoto autenticado que pueda enviar un portapapeles al servidor VNC active una denegaci\u00f3n de servicio."}], "id": "CVE-2023-3255", "lastModified": "2024-05-22T17:16:03.847", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "secalert@redhat.com", "type": "Secondary"}]}, "published": "2023-09-13T17:15:09.877", "references": [{"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2024:2135"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2024:2962"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/security/cve/CVE-2023-3255"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2218486"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20231020-0008/"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-835"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-835"}], "source": "secalert@redhat.com", "type": "Secondary"}]}