CVE-2011-2187 — Missing Authentication for Critical Function in Project Xscreensaver

CWE-306 — Missing Authentication for Critical Function6 documents6 sources

Severity

7.8HIGHNVD

EPSS

0.1%

top 72.69%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Xscreensaver Xscreensaver Project Xscreensaver Debian Xscreensaver +1 more

Timeline

PublishedNov 27

Latest updateApr 22

Description

xscreensaver before 5.14 crashes during activation and leaves the screen unlocked when in Blank Only Mode and when DPMS is disabled, which allows local attackers to access resources without authentication.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages4 packages

▶debiandebian/xscreensaver< xscreensaver 5.14-1 (bookworm)

▶NVDxscreensaver_project/xscreensaver< 5.14

▶Debianxscreensaver/xscreensaver< 5.14-1+3

▶CVEListV5xscreensaver/xscreensaverbefore 5.14

Also affects: Debian Linux 10.0, 8.0, 9.0

🔴Vulnerability Details

GHSA

GHSA-p786-96f8-68ff: xscreensaver before 5↗2022-04-22

▶

OSV

CVE-2011-2187: xscreensaver before 5↗2019-11-27

▶

📋Vendor Advisories

Red Hat

xscreensaver: exits when activated (DPMSForceLevel)↗2011-05-10

▶

Debian

CVE-2011-2187: xscreensaver - xscreensaver before 5.14 crashes during activation and leaves the screen unlocke...↗2011

▶

💬Community

Bugzilla

CVE-2011-2187 xscreensaver: exits when activated (DPMSForceLevel)↗2011-05-10

▶