CVE-2015-3164 — Improper Authentication in X Server

CWE-264 CWE-287 — Improper Authentication8 documents7 sources

Severity

3.6LOWNVD

EPSS

0.1%

top 79.80%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

X.org Xorg-server Opensuse X.org X Server

Timeline

PublishedJul 1

Latest updateMay 14

Description

The authentication setup in XWayland 1.16.x and 1.17.x before 1.17.2 starts the server in non-authenticating mode, which allows local users to read from or send information to arbitrary X11 clients via vectors involving a UNIX socket.

CVSS vector

AV:L/AC:L/C:P/I:P/A:NExploitability: 3.9 | Impact: 4.9

Affected Packages4 packages

▶Debianx.org/xorg-server< 2:1.17.2-1+3

▶NVDx.org/x_server7 versions+6

▶NVDx.org/xorg-server4 versions+3

▶NVDopensuse/opensuse13.2

🔴Vulnerability Details

GHSA

GHSA-fww3-c3xq-2xqg: The authentication setup in XWayland 1↗2022-05-14

▶

CVEList

CVE-2015-3164: The authentication setup in XWayland 1↗2015-07-01

▶

OSV

CVE-2015-3164: The authentication setup in XWayland 1↗2015-07-01

▶

📋Vendor Advisories

Red Hat

xorg-x11-server: Xwayland allows unconditional open access to display↗2015-06-10

▶

Debian

CVE-2015-3164: xorg-server - The authentication setup in XWayland 1.16.x and 1.17.x before 1.17.2 starts the ...↗2015

▶

💬Community

Bugzilla

CVE-2015-3164 xorg-x11-server: Xwayland allows unconditional open access to display [fedora-all]↗2015-06-16

▶

Bugzilla

CVE-2015-3164 xorg-x11-server: Xwayland allows unconditional open access to display↗2015-05-07

▶