6.5

CVE-2017-2625

Exploit
It was discovered that libXdmcp before 1.1.2 including used weak entropy to generate session keys. On a multi-user system using xdmcp, a local attacker could potentially use information available from the process list to brute force the key, allowing them to hijack other users' sessions.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.53% 0.412
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 5.5 1.8 3.6
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
nvd@nist.gov 2.1 3.9 2.9
AV:L/AC:L/Au:N/C:P/I:N/A:N
secalert@redhat.com 6.5 2 4
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
CWE-331 Insufficient Entropy

The product uses an algorithm or scheme that produces insufficient entropy, leaving patterns or clusters of values that are more likely to occur than others.

https://security.gentoo.org/glsa/201704-03
Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:1865
Third Party Advisory
http://www.securityfocus.com/bid/96480
Third Party Advisory
VDB Entry
http://www.securitytracker.com/id/1037919
Third Party Advisory
VDB Entry
https://www.x41-dsec.de/lab/advisories/x41-2017-001-xorg/
Third Party Advisory
Exploit
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2625
Third Party Advisory
Issue Tracking
https://cgit.freedesktop.org/xorg/lib/libXdmcp/commit/?id=0554324ec6bbc2071f5d1f8ad211a1643e29eb1f
Third Party Advisory
https://lists.debian.org/debian-lts-announce/2019/11/msg00024.html