CVE-2017-2624

Exploit

EPSS 0.11%
Published 27.07.2018 18:29:00
Last modified 29.08.2025 13:42:30
Source secalert@redhat.com
Teams watchlist Login
Open Login

It was found that xorg-x11-server before 1.19.0 including uses memcmp() to check the received MIT cookie against a series of valid cookies. If the cookie is correct, it is allowed to attach to the Xorg session. Since most memcmp() implementations return after an invalid byte is seen, this causes a time difference between a valid and invalid byte, which could allow an efficient brute force attack.

Affected products Warnungen 0 Metrics 4 CWE 2 References 11

Data is provided by the National Vulnerability Database (NVD)

X.Org ≫ X Server Version <= 1.19.4

Debian ≫ Debian Linux Version7.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.11%	0.3

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	7	1	5.9	CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	1.9	3.4	2.9	AV:L/AC:M/Au:N/C:P/I:N/A:N
secalert@redhat.com	5.9	1.4	4	CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

CWE-385 Covert Timing Channel

Covert timing channels convey information by modulating some aspect of system behavior over time, so that the program receiving the information can observe system behavior and infer protected information.

https://security.gentoo.org/glsa/201710-30

Third Party Advisory

https://security.gentoo.org/glsa/201704-03

Third Party Advisory

https://lists.debian.org/debian-lts-announce/2017/11/msg00032.html

Third Party Advisory

http://www.securityfocus.com/bid/96480

Third Party Advisory

VDB Entry

http://www.securitytracker.com/id/1037919

Third Party Advisory

VDB Entry