Vulnerability CVE-2023-6683: Information

Description

A flaw was found in the QEMU built-in VNC server while processing ClientCutText messages. The qemu_clipboard_request() function can be reached before vnc_server_cut_text_caps() was called and had the chance to initialize the clipboard peer, leading to a NULL pointer dereference. This could allow a malicious authenticated VNC client to crash QEMU and trigger a denial of service.

Severity: MEDIUM (6.5) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

URL: https://nvd.nist.gov/vuln/detail/CVE-2023-6683
Published: Jan. 12, 2024
Modified: April 30, 2024
Error type identifier: CWE-476

Fixed packages

Package name
Branch
Fixed in version
Version from repository
Errata ID
Task #
State
qemusisyphus8.2.1-alt18.2.3-alt1ALT-PU-2024-3359-1341883Fixed
qemusisyphus_loongarch648.2.1-alt28.2.3-alt1ALT-PU-2024-3591-1-Fixed
qemup108.2.2-alt0.p108.2.2-alt0.p10.1ALT-PU-2024-6235-3344683Fixed
qemuc10f18.2.2-alt0.p10.18.2.2-alt0.p10.1ALT-PU-2024-7201-3345913Fixed

References to Advisories, Solutions, and Tools

Hyperlink
Resource
https://access.redhat.com/security/cve/CVE-2023-6683
  • Third Party Advisory
RHBZ#2254825
  • Issue Tracking
  • Patch
https://security.netapp.com/advisory/ntap-20240223-0001/
  • Third Party Advisory
RHSA-2024:2135

      1. Configuration 1

        cpe:2.3:a:qemu:qemu:*:*:*:*:*:*:*:*
        Start including
        6.1.0
        End excliding
        9.0.0

        Configuration 2

        cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
        cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*
    VKontakte|Telegram|YouTube|Forum|GitHub|Bugzilla
    Version: v24.5.1
    Back to top