CVE-2007-1859 — Improper Authentication in Xscreensaver

CWE-287 — Improper Authentication12 documents7 sources

Severity

4.7MEDIUMNVD

NVD4.6OSV4.6

EPSS

0.1%

top 75.14%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Xscreensaver Debian Gnome-screensaver Debian Xscreensaver +1 more

Timeline

PublishedMay 2

Latest updateMay 1

Description

XScreenSaver 4.10, when using a remote directory service for credentials, does not properly handle the results from the getpwuid function in drivers/lock.c when there is no network connectivity, which causes XScreenSaver to crash and unlock the screen and allows local users to bypass authentication.

CVSS vector

AV:L/AC:L/C:P/I:P/A:PExploitability: 3.9 | Impact: 6.4

Affected Packages5 packages

▶debiandebian/xscreensaver< xscreensaver 5.03-1 (bookworm)

▶Debianxscreensaver/xscreensaver< 5.03-1+3

▶NVDxscreensaver/xscreensaver4.10

▶debiandebian/gnome-screensaver< gnome-screensaver 2.22.2-1 (bookworm)

▶NVDgnome/screensaver2.20.0

Patches

Patch: www.redhat.com ↗Patch: www.redhat.com ↗

🔴Vulnerability Details

GHSA

GHSA-x3jq-r6gp-49qf: gnome-screensaver before 2↗2022-05-01

▶

GHSA

GHSA-fr4x-26r9-jx2p: XScreenSaver 4↗2022-05-01

▶

OSV

CVE-2008-0887: gnome-screensaver before 2↗2008-04-06

▶

OSV

CVE-2007-1859: XScreenSaver 4↗2007-05-02

▶

📋Vendor Advisories

Red Hat

gnome-screensaver using NIS auth will unlock if NIS goes away↗2008-04-02

▶

Debian

CVE-2008-0887: gnome-screensaver - gnome-screensaver before 2.22.1, when a remote authentication server is enabled,...↗2008

▶

Ubuntu

xscreensaver vulnerability↗2007-06-12

▶

Red Hat

xscreensaver authentication bypass↗2007-05-03

▶

Debian

CVE-2007-1859: xscreensaver - XScreenSaver 4.10, when using a remote directory service for credentials, does n...↗2007

▶

💬Community

Bugzilla

CVE-2007-1859 xscreensaver authentication bypass↗2007-04-18

▶