Vulnerability Details : CVE-2017-12177
xorg-x11-server before 1.19.5 was vulnerable to integer overflow in ProcDbeGetVisualInfo function allowing malicious X client to cause X server to crash or possibly execute arbitrary code.
Vulnerability category: OverflowExecute code
Exploit prediction scoring system (EPSS) score for CVE-2017-12177
Probability of exploitation activity in the next 30 days: 1.15%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 83 % EPSS Score History EPSS FAQ
CVSS scores for CVE-2017-12177
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
---|---|---|---|---|---|
7.5
|
HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
10.0
|
6.4
|
NIST |
9.8
|
CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
3.9
|
5.9
|
NIST |
CWE ids for CVE-2017-12177
-
The product performs a calculation that can produce an integer overflow or wraparound, when the logic assumes that the resulting value will always be larger than the original value. This can introduce other weaknesses when the calculation is used for resource management or execution control.Assigned by: nvd@nist.gov (Primary)
-
[PLANNED FOR DEPRECATION. SEE MAINTENANCE NOTES AND CONSIDER CWE-252, CWE-248, OR CWE-1069.] Ignoring exceptions and other error conditions may allow an attacker to induce unexpected behavior unnoticed.Assigned by: secalert@redhat.com (Secondary)
References for CVE-2017-12177
-
https://bugzilla.redhat.com/show_bug.cgi?id=1509218
1509218 – (CVE-2017-12177) CVE-2017-12177 xorg-x11-server: Unvalidated variable-length request in ProcDbeGetVisualInfoIssue Tracking;Patch;Third Party Advisory;VDB Entry
-
https://cgit.freedesktop.org/xorg/xserver/commit/?id=4ca68b878e851e2136c234f40a25008297d8d831
xorg/xserver - X server (mirrored from https://gitlab.freedesktop.org/xorg/xserver)Patch;Third Party Advisory
-
https://lists.debian.org/debian-lts-announce/2017/11/msg00032.html
[SECURITY] [DLA 1186-1] xorg-server security updateMailing List;Third Party Advisory
-
https://www.debian.org/security/2017/dsa-4000
Debian -- Security Information -- DSA-4000-1 xorg-serverThird Party Advisory
-
https://security.gentoo.org/glsa/201711-05
X.Org Server: Multiple vulnerabilities (GLSA 201711-05) — Gentoo securityThird Party Advisory;VDB Entry
Products affected by CVE-2017-12177
- cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
- cpe:2.3:a:x.org:xorg-server:*:*:*:*:*:*:*:*