CVE-2009-1573

Published: 06/05/2009 Updated: 17/08/2017
CVSS v2 Base Score: 4.6 | Impact Score: 6.4 | Exploitability Score: 3.9
VMScore: 409
Vector: AV:L/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Summary

xvfb-run 1.6.1 in Debian GNU/Linux, Ubuntu, Fedora 10, and possibly other operating systems places the magic cookie (MCOOKIE) on the command line, which allows local users to gain privileges by listing the process and its arguments.

Vulnerable Product

redhat fedora 10

debian debian_linux

ubuntu linux

branden_robinson xvfb-run 1.6.1

Vendor Advisories

Debian Bug report logs - #526678 Passes magic cookie insecurity. Package: xvfb; Maintainer for xvfb is Debian X Strike Force <debian-x@lists.debian.org>; Source for xvfb is src:xorg-server. Reported by: Loïc Minier <lool@dooz.org>; Date: Sat, 2 May 2009 16:21:01 UTC; Severity: normal; Tags: securi ...

A remote attacker could trigger a crash in Xorg. In addition, the xvfb-run tool left the session cookie visible when launching Xorg ...