CVE-2021-31523 — Improper Privilege Management in Xscreensaver

CWE-269 — Improper Privilege Management4 documents4 sources

Severity

7.8HIGHNVD

EPSS

0.0%

top 87.52%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Xscreensaver Debian Xscreensaver Xscreensaver Project Xscreensaver

Timeline

PublishedApr 21

Latest updateMay 24

Description

The Debian xscreensaver 5.42+dfsg1-1 package for XScreenSaver has cap_net_raw enabled for the /usr/libexec/xscreensaver/sonar file, which allows local users to gain privileges because this is arguably incompatible with the design of the Mesa 3D Graphics library dependency.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages3 packages

▶debiandebian/xscreensaver< xscreensaver 5.45+dfsg1-2 (bookworm)

▶Debianxscreensaver/xscreensaver< 5.45+dfsg1-2+3

▶NVDxscreensaver_project/xscreensaver5.42\+dfsg1-1

Patches

Patch: www.openwall.com ↗Patch: www.openwall.com ↗Patch: www.openwall.com ↗

🔴Vulnerability Details

GHSA

GHSA-74g6-fv7f-g2hq: The Debian xscreensaver 5↗2022-05-24

▶

OSV

CVE-2021-31523: The Debian xscreensaver 5↗2021-04-21

▶

📋Vendor Advisories

Debian

CVE-2021-31523: xscreensaver - The Debian xscreensaver 5.42+dfsg1-1 package for XScreenSaver has cap_net_raw en...↗2021

▶