CVE-2006-5215
published 2006-10-10CVE-2006-5215: The Xsession script, as used by X Display Manager (xdm) in NetBSD before 20060212, X.Org before 20060317, and Solaris 8 through 10 before 20061006, allows…
PriorityP48low2.6CVSS 2.0
AVLACHAuNCPIPAN
EPSS
0.30%
21.8th percentile
The Xsession script, as used by X Display Manager (xdm) in NetBSD before 20060212, X.Org before 20060317, and Solaris 8 through 10 before 20061006, allows local users to overwrite arbitrary files, or read another user's Xsession errors file, via a symlink attack on a /tmp/xses-$USER file.
Affected
39 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | xdm | < xdm 1:1.0.5-1 (bookworm) | xdm 1:1.0.5-1 (bookworm) |
| netbsd | netbsd | <= current | — |
| netbsd | netbsd | — | — |
| netbsd | netbsd | — | — |
| netbsd | netbsd | — | — |
| netbsd | netbsd | — | — |
| netbsd | netbsd | — | — |
| netbsd | netbsd | — | — |
| netbsd | netbsd | — | — |
| netbsd | netbsd | — | — |
| netbsd | netbsd | — | — |
| netbsd | netbsd | — | — |
| netbsd | netbsd | — | — |
| netbsd | netbsd | — | — |
| netbsd | netbsd | — | — |
| netbsd | netbsd | — | — |
| netbsd | netbsd | — | — |
| netbsd | netbsd | — | — |
| netbsd | netbsd | — | — |
| netbsd | netbsd | — | — |
| netbsd | netbsd | — | — |
| netbsd | netbsd | — | — |
| netbsd | netbsd | — | — |
| netbsd | netbsd | — | — |
| netbsd | netbsd | — | — |
CVSS provenance
nvdv2.02.6LOWAV:L/AC:H/Au:N/C:P/I:P/A:N
osv2.6LOW
vendor_debian2.6LOW
vendor_redhat2.6LOW
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
VulDB
NetBSD up to Current Xsession tmp/xses-$user symlink (Nessus ID 23994 / XFDB-29427)
vuldb·2026-04-24·CVSS 2.6
CVE-2006-5215 [LOW] NetBSD up to Current Xsession tmp/xses-$user symlink (Nessus ID 23994 / XFDB-29427)
A vulnerability was found in NetBSD. It has been classified as problematic. This affects an unknown function of the component Xsession. Performing a manipulation of the argument tmp/xses-$user results in symlink following.
This vulnerability is reported as CVE-2006-5215. The attack requires a local approach. No exploit exists.
GHSA
GHSA-m3qf-v679-cpx6: The Xsession script, as used by X Display Manager (xdm) in NetBSD before 20060212, X
ghsa_unreviewed·2022-05-01
CVE-2006-5215 [LOW] GHSA-m3qf-v679-cpx6: The Xsession script, as used by X Display Manager (xdm) in NetBSD before 20060212, X
The Xsession script, as used by X Display Manager (xdm) in NetBSD before 20060212, X.Org before 20060317, and Solaris 8 through 10 before 20061006, allows local users to overwrite arbitrary files, or read another user's Xsession errors file, via a symlink attack on a /tmp/xses-$USER file.
OSV
CVE-2006-5215: The Xsession script, as used by X Display Manager (xdm) in NetBSD before 20060212, X
osv·2006-10-10·CVSS 2.6
CVE-2006-5215 [LOW] CVE-2006-5215: The Xsession script, as used by X Display Manager (xdm) in NetBSD before 20060212, X
The Xsession script, as used by X Display Manager (xdm) in NetBSD before 20060212, X.Org before 20060317, and Solaris 8 through 10 before 20061006, allows local users to overwrite arbitrary files, or read another user's Xsession errors file, via a symlink attack on a /tmp/xses-$USER file.
Red Hat
xdm symlink attack
vendor_redhat·2006-02-16·CVSS 2.6
CVE-2006-5215 [LOW] xdm symlink attack
xdm symlink attack
The Xsession script, as used by X Display Manager (xdm) in NetBSD before 20060212, X.Org before 20060317, and Solaris 8 through 10 before 20061006, allows local users to overwrite arbitrary files, or read another user's Xsession errors file, via a symlink attack on a /tmp/xses-$USER file.
Statement: Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.
Debian
CVE-2006-5215: xdm - The Xsession script, as used by X Display Manager (xdm) in NetBSD before 2006021...
vendor_debian·2006·CVSS 2.6
CVE-2006-5215 [LOW] CVE-2006-5215: xdm - The Xsession script, as used by X Display Manager (xdm) in NetBSD before 2006021...
The Xsession script, as used by X Display Manager (xdm) in NetBSD before 20060212, X.Org before 20060317, and Solaris 8 through 10 before 20061006, allows local users to overwrite arbitrary files, or read another user's Xsession errors file, via a symlink attack on a /tmp/xses-$USER file.
Scope: local
bookworm: resolved (fixed in 1:1.0.5-1)
bullseye: resolved (fixed in 1:1.0.5-1)
forky: resolved (fixed in 1:1.0.5-1)
sid: resolved (fixed in 1:1.0.5-1)
trixie: resolved (fixed in 1:1.0.5-1)
No detection rules found.
Bugzilla
CVE-2006-5215 xdm symlink attack
bugzilla·2007-02-25·CVSS 2.6
CVE-2006-5215 [LOW] CVE-2006-5215 xdm symlink attack
CVE-2006-5215 xdm symlink attack
The Xsession script, as used by X Display Manager (xdm) in NetBSD before
20060212, X.Org before 20060317, and Solaris 8 through 10 before 20061006,
allows local users to overwrite arbitrary files, or read another user's Xsession
errors file, via a symlink attack on a /tmp/xses-$USER file.
Discussion:
In xinitrc's Xsession (RHEL4) this doesn't seem to be a problem as we use mktemp. and this is only if ~/.xsession-errors cannot be written for some reason:
11 # redirect errors to a file in user's home directory if we can
12 if [ -z "$GDMSESSION" ]; then
13 # GDM redirect output itself in a smarter fashion
14 errfile="$HOME/.xsession-errors"
15 if cp /dev/null "$errfile" 2> /dev/null ; then
16 chmod 600 "$errfile"
17 exec > "$errfile" 2>&1
18 else
19 errfil
Bugzilla
CVE-2006-5214 Xsession problems (CVE-2006-5215)
bugzilla·2006-10-25·CVSS 1.2
CVE-2006-5214 [LOW] CVE-2006-5214 Xsession problems (CVE-2006-5215)
CVE-2006-5214 Xsession problems (CVE-2006-5215)
+++ This bug was initially created as a clone of Bug #212167 +++
Two issues in XFree86/xorg Xsession were reported and fixed upstream. Both
relate to the handling of the xsession file.
CVE-2006-5214: A local attacker could open for reading a users
~/.xsession-errors file if they are able to win a race during it's creation and
have sufficient privileges (+x) to the victims home directory already.
CVE-2006-5215: A local attacker could perform a temporary file attack on the
xsession error file created in /tmp and cause it to overwrite particular files
of the victim. However this file is only created if the ability to create
~/.xsession-errors in the victims home directory fails, (something the attacker
has no control over). The upstream Xses
Bugzilla
CVE-2006-5214 Xsession problems (CVE-2006-5215)
bugzilla·2006-10-25·CVSS 1.2
CVE-2006-5214 [LOW] CVE-2006-5214 Xsession problems (CVE-2006-5215)
CVE-2006-5214 Xsession problems (CVE-2006-5215)
+++ This bug was initially created as a clone of Bug #210312 +++
Two issues in XFree86/xorg Xsession were reported and fixed upstream. Both
relate to the handling of the xsession file.
CVE-2006-5214: A local attacker could open for reading a users
~/.xsession-errors file if they are able to win a race during it's creation and
have sufficient privileges (+x) to the victims home directory already.
CVE-2006-5215: A local attacker could perform a temporary file attack on the
xsession error file created in /tmp and cause it to overwrite particular files
of the victim. However this file is only created if the ability to create
~/.xsession-errors in the victims home directory fails, (something the attacker
has no control over). The upstream Xses
Bugzilla
CVE-2006-5214 Xsession problems (CVE-2006-5215)
bugzilla·2006-10-25·CVSS 1.2
CVE-2006-5214 [LOW] CVE-2006-5214 Xsession problems (CVE-2006-5215)
CVE-2006-5214 Xsession problems (CVE-2006-5215)
+++ This bug was initially created as a clone of Bug #212166 +++
Two issues in XFree86/xorg Xsession were reported and fixed upstream. Both
relate to the handling of the xsession file.
CVE-2006-5214: A local attacker could open for reading a users
~/.xsession-errors file if they are able to win a race during it's creation and
have sufficient privileges (+x) to the victims home directory already.
CVE-2006-5215: A local attacker could perform a temporary file attack on the
xsession error file created in /tmp and cause it to overwrite particular files
of the victim. However this file is only created if the ability to create
~/.xsession-errors in the victims home directory fails, (something the attacker
has no control over). The upstream Xses
Bugzilla
CVE-2006-5214 Xsession problems (CVE-2006-5215)
bugzilla·2006-10-11·CVSS 1.2
CVE-2006-5214 [LOW] CVE-2006-5214 Xsession problems (CVE-2006-5215)
CVE-2006-5214 Xsession problems (CVE-2006-5215)
Two issues in XFree86/xorg Xsession were reported and fixed upstream. Both
relate to the handling of the xsession file.
CVE-2006-5214: A local attacker could open for reading a users
~/.xsession-errors file if they are able to win a race during it's creation and
have sufficient privileges (+x) to the victims home directory already.
CVE-2006-5215: A local attacker could perform a temporary file attack on the
xsession error file created in /tmp and cause it to overwrite particular files
of the victim. However this file is only created if the ability to create
~/.xsession-errors in the victims home directory fails, (something the attacker
has no control over). The upstream Xsession code was different (and worse) than
our xinitrc code, but we
Bugzilla
CVE-2006-5214 Xsession problems (CVE-2006-5215)
bugzilla·2006-10-11·CVSS 1.2
CVE-2006-5214 [LOW] CVE-2006-5214 Xsession problems (CVE-2006-5215)
CVE-2006-5214 Xsession problems (CVE-2006-5215)
Two issues in XFree86/xorg Xsession were reported and fixed upstream. Both
relate to the handling of the xsession file.
CVE-2006-5214: A local attacker could open for reading a users
~/.xsession-errors file if they are able to win a race during it's creation and
have sufficient privileges (+x) to the victims home directory already.
CVE-2006-5215: A local attacker could perform a temporary file attack on the
xsession error file created in /tmp and cause it to overwrite particular files
of the victim. However this file is only created if the ability to create
~/.xsession-errors in the victims home directory fails, (something the attacker
has no control over). The upstream Xsession code was different (and worse) than
our xinitrc code, but we
http://secunia.com/advisories/22992http://securitytracker.com/id?1017015http://sunsolve.sun.com/search/document.do?assetkey=1-26-102652-1http://support.avaya.com/elmodocs2/security/ASA-2006-250.htmhttp://www.netbsd.org/cgi-bin/query-pr-single.pl?number=32805https://bugs.freedesktop.org/show_bug.cgi?id=5898https://exchange.xforce.ibmcloud.com/vulnerabilities/29427https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A2205http://secunia.com/advisories/22992http://securitytracker.com/id?1017015http://sunsolve.sun.com/search/document.do?assetkey=1-26-102652-1http://support.avaya.com/elmodocs2/security/ASA-2006-250.htmhttp://www.netbsd.org/cgi-bin/query-pr-single.pl?number=32805https://bugs.freedesktop.org/show_bug.cgi?id=5898https://exchange.xforce.ibmcloud.com/vulnerabilities/29427https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A2205
2006-10-10
Published