Operation on a Resource after Expiration or Release Affecting tigervnc-license package, versions <0:1.8.0-21.amzn2


Severity

Recommended
low

Based on Amazon Linux security rating.

Threat Intelligence

EPSS
0.84% (82nd percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-AMZN2-TIGERVNCLICENSE-1688444
  • published27 Sept 2021
  • disclosed26 Dec 2019

Introduced: 26 Dec 2019

CVE-2019-15691  (opens in a new tab)
CWE-672  (opens in a new tab)

How to fix?

Upgrade Amazon-Linux:2 tigervnc-license to version 0:1.8.0-21.amzn2 or higher.
This issue was patched in ALAS2-2020-1552.

NVD Description

Note: Versions mentioned in the description apply only to the upstream tigervnc-license package and not the tigervnc-license package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

TigerVNC version prior to 1.10.1 is vulnerable to stack use-after-return, which occurs due to incorrect usage of stack memory in ZRLEDecoder. If decoding routine would throw an exception, ZRLEDecoder may try to access stack variable, which has been already freed during the process of stack unwinding. Exploitation of this vulnerability could potentially result into remote code execution. This attack appear to be exploitable via network connectivity.

CVSS Scores

version 3.1