Vulnerability in X.org Xorg-server

CVE-2015-3164

The authentication setup in XWayland 1.16.x and 1.17.x before 1.17.2 starts the server in non-authenticating mode, which allows local users to read from or send information to arbitrary X11 clients via vectors involving a UNIX socket.

EPSS: 0.001 (20.5th percentile) — read the EPSS interpretation.

Affected products

X.org Xorg-server — versions 1.16.4, 1.16.99.901, 1.16.99.902
X.org X_server — versions 1.16.0, 1.16.1, 1.16.1.901
Opensuse — versions 13.2
N/a — versions n/a

Weakness classification (CWE)

CWE-264

References

[wayland-devel] 20150610 X.Org/Wayland Security Advisory: Missing authentication in XWayland (Vendor Advisory, mailing-list, x_refsource_MLIST)
75535 (vdb-entry, x_refsource_BID)
GLSA-201701-64 (vendor-advisory, x_refsource_GENTOO)
openSUSE-SU-2015:1095 (vendor-advisory, x_refsource_SUSE)