Fluid Attacks Database

Description

In rfb/CSecurityTLS.cxx and rfb/CSecurityTLS.java in TigerVNC before 1.11.0, viewers mishandle TLS certificate exceptions. They store the certificates as authorities, meaning that the owner of a certificate could impersonate any server after a client had added an exception.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 12	tigervnc	>=0 <1.10.1+dfsg-9	1.10.1+dfsg-9
debian 11	tigervnc	>=0 <1.10.1+dfsg-9	1.10.1+dfsg-9
debian 13	tigervnc	>=0 <1.10.1+dfsg-9	1.10.1+dfsg-9
debian 14	tigervnc	>=0 <1.10.1+dfsg-9	1.10.1+dfsg-9
rpm rhel6	tigervnc	-	-
rpm rhel7	tigervnc	-	-
rpm rhel8	tigervnc	<0:1.11.0-6.el8	0:1.11.0-6.el8

Aliases

1. CVE-2020-261172. NVD-2020-261173. OSV-DEBIAN-2020-261174. OSV-2020-261175. SECURITY-TRACKER-CVE-2020-26117

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.