CVE-2017-2625 — Insufficient Entropy in Libxdmcp

CWE-331 — Insufficient Entropy CWE-32011 documents8 sources

Severity

5.5MEDIUMNVD

CNA6.5

EPSS

0.1%

top 77.04%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

X.org Libxdmcp Xorg Libxdmcp Redhat Enterprise Linux +5 more

Timeline

PublishedJul 27

Latest updateOct 19

Description

It was discovered that libXdmcp before 1.1.2 including used weak entropy to generate session keys. On a multi-user system using xdmcp, a local attacker could potentially use information available from the process list to brute force the key, allowing them to hijack other users' sessions.

CVSS vector

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 1.8 | Impact: 3.6

Affected Packages5 packages

▶NVDx.org/libxdmcp< 1.1.2

▶CVEListV5xorg/libxdmcp1.1.2

▶NVDredhat/enterprise_linux_server7.0

▶NVDredhat/enterprise_linux_desktop7.0

▶NVDredhat/enterprise_linux_workstation7.0

Also affects: Enterprise Linux 7.0, 7.4, 7.5

🔴Vulnerability Details

GHSA

GHSA-cvmx-9h9q-8hmw: It was discovered that libXdmcp before 1↗2022-05-13

▶

OSV

CVE-2017-2625: It was discovered that libXdmcp before 1↗2018-07-27

▶

CVEList

CVE-2017-2625: It was discovered that libXdmcp before 1↗2018-07-27

▶

📋Vendor Advisories

Ubuntu

libXdmcp vulnerability↗2022-10-19

▶

Red Hat

libXdmcp: weak entropy usage for session keys↗2017-02-28

▶

Debian

CVE-2017-2625: libxdmcp - It was discovered that libXdmcp before 1.1.2 including used weak entropy to gene...↗2017

▶

💬Community

Bugzilla

CVE-2017-18869 nodejs-chownr: TOCTOU vulnerability in `chownr` function in chownr.js↗2018-08-02

▶

Bugzilla

CVE-2017-2625 libXdmcp: weak entropy usage for session keys [fedora-all]↗2017-03-01

▶

Bugzilla

CVE-2017-2625 libXdmcp: weak entropy usage for session keys↗2017-02-20

▶

Bugzilla

CVE-2009-2625 OpenJDK: XML parsing Denial-Of-Service (6845701) [epel-5]↗2011-11-04

▶