Vulnerability Details : CVE-2008-1142
rxvt 2.6.4 opens a terminal window on :0 if the DISPLAY environment variable is not set, which might allow local users to hijack X11 connections. NOTE: it was later reported that rxvt-unicode, mrxvt, aterm, multi-aterm, and wterm are also affected. NOTE: realistic attack scenarios require that the victim enters a command on the wrong machine.
Exploit prediction scoring system (EPSS) score for CVE-2008-1142
Probability of exploitation activity in the next 30 days: 0.04%
Percentile (the proportion of vulnerabilities scored at or below this one): ~8%
CVSS scores for CVE-2008-1142
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Source
---|---|---|---|---|---
3.7 | LOW | AV:L/AC:H/Au:N/C:P/I:P/A:P | 1.9 | 6.4 | [email protected]
CWE ids for CVE-2008-1142
- Assigned by: [email protected] (Primary)
Vendor statements for CVE-2008-1142
- Red Hat (2008-04-14): Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2008-1142 This issue does not affect Red Hat Enterprise Linux 3, 4, or 5. The Red Hat Security Response Team has rated this issue as having low security impact. Due to the minimal security consequences of this issue, we do not intend to fix this in Red Hat Enterprise Linux 2.1. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/
References for CVE-2008-1142
- http://www.mandriva.com/security/advisories?name=MDVSA-2008:161
- http://article.gmane.org/gmane.comp.security.oss.general/122
- http://www.securityfocus.com/bid/28512
- http://www.mandriva.com/security/advisories?name=MDVSA-2008:221
- http://security.gentoo.org/glsa/glsa-200805-03.xml
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=469296 (Vendor Advisory)
- http://lists.opensuse.org/opensuse-security-announce/2008-08/msg00006.html
Products affected by CVE-2008-1142
- cpe:2.3:a:rxvt:rxvt:*:*:*:*:*:*:*:*
- cpe:2.3:a:rxvt:rxvt:2.6.1:*:*:*:*:*:*:*
- cpe:2.3:a:rxvt:rxvt:2.6.2:*:*:*:*:*:*:*
- cpe:2.3:a:rxvt:rxvt:2.6.3:*:*:*:*:*:*:*
- cpe:2.3:a:rxvt:rxvt:2.6.4:*:*:*:*:*:*:*
- cpe:2.3:a:rxvt:rxvt:2.7.5:*:*:*:*:*:*:*
- cpe:2.3:a:rxvt:rxvt:2.7.6:*:*:*:*:*:*:*
- cpe:2.3:a:rxvt:rxvt:2.7.7:*:*:*:*:*:*:*
- cpe:2.3:a:rxvt:rxvt:2.7.8:*:*:*:*:*:*:*
- cpe:2.3:a:aterm:aterm:*:*:*:*:*:*:*:*
- cpe:2.3:a:aterm:aterm:1.00:beta4:*:*:*:*:*:*
- cpe:2.3:a:aterm:aterm:1.00:beta3:*:*:*:*:*:*
- cpe:2.3:a:aterm:aterm:1.00:beta2:*:*:*:*:*:*
- cpe:2.3:a:aterm:aterm:1.00:beta1:*:*:*:*:*:*
- cpe:2.3:a:aterm:aterm:0.4.2:*:*:*:*:*:*:*
- cpe:2.3:a:aterm:aterm:0.3.6:*:*:*:*:*:*:*
- cpe:2.3:a:aterm:aterm:0.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:aterm:aterm:0.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:aterm:aterm:0.3.5:*:*:*:*:*:*:*
- cpe:2.3:a:aterm:aterm:0.3.4:*:*:*:*:*:*:*
- cpe:2.3:a:aterm:aterm:0.3.3:*:*:*:*:*:*:*
- cpe:2.3:a:aterm:aterm:0.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:aterm:aterm:0.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:aterm:aterm:0.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:aterm:aterm:0.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:aterm:aterm:0.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:aterm:aterm:0.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:rxvt-unicode:rxvt-unicode:*:*:*:*:*:*:*:*
- cpe:2.3:a:rxvt-unicode:rxvt-unicode:9.0:*:*:*:*:*:*:*
- cpe:2.3:a:rxvt-unicode:rxvt-unicode:7.8:*:*:*:*:*:*:*
- cpe:2.3:a:rxvt-unicode:rxvt-unicode:7.7:*:*:*:*:*:*:*
- cpe:2.3:a:rxvt-unicode:rxvt-unicode:7.6:*:*:*:*:*:*:*
- cpe:2.3:a:rxvt-unicode:rxvt-unicode:7.5:*:*:*:*:*:*:*
- cpe:2.3:a:rxvt-unicode:rxvt-unicode:5.5:*:*:*:*:*:*:*
- cpe:2.3:a:rxvt-unicode:rxvt-unicode:5.4:*:*:*:*:*:*:*
- cpe:2.3:a:rxvt-unicode:rxvt-unicode:5.3:*:*:*:*:*:*:*
- cpe:2.3:a:rxvt-unicode:rxvt-unicode:5.2:*:*:*:*:*:*:*
- cpe:2.3:a:rxvt-unicode:rxvt-unicode:3.8:*:*:*:*:*:*:*
- cpe:2.3:a:rxvt-unicode:rxvt-unicode:3.7:*:*:*:*:*:*:*
- cpe:2.3:a:rxvt-unicode:rxvt-unicode:3.6:*:*:*:*:*:*:*
- cpe:2.3:a:rxvt-unicode:rxvt-unicode:3.5:*:*:*:*:*:*:*
- cpe:2.3:a:rxvt-unicode:rxvt-unicode:2.2:*:*:*:*:*:*:*
- cpe:2.3:a:rxvt-unicode:rxvt-unicode:2.1:*:*:*:*:*:*:*
- cpe:2.3:a:rxvt-unicode:rxvt-unicode:2.0:*:*:*:*:*:*:*
- cpe:2.3:a:rxvt-unicode:rxvt-unicode:1.91:*:*:*:*:*:*:*
- cpe:2.3:a:rxvt-unicode:rxvt-unicode:1.9:*:*:*:*:*:*:*
- cpe:2.3:a:rxvt-unicode:rxvt-unicode:8.8:*:*:*:*:*:*:*
- cpe:2.3:a:rxvt-unicode:rxvt-unicode:8.6:*:*:*:*:*:*:*
- cpe:2.3:a:rxvt-unicode:rxvt-unicode:8.2:*:*:*:*:*:*:*
- cpe:2.3:a:rxvt-unicode:rxvt-unicode:8.0:*:*:*:*:*:*:*
- cpe:2.3:a:rxvt-unicode:rxvt-unicode:7.3:*:*:*:*:*:*:*
- cpe:2.3:a:rxvt-unicode:rxvt-unicode:7.1:*:*:*:*:*:*:*
- cpe:2.3:a:rxvt-unicode:rxvt-unicode:5.8:*:*:*:*:*:*:*
- cpe:2.3:a:rxvt-unicode:rxvt-unicode:5.6:*:*:*:*:*:*:*
- cpe:2.3:a:rxvt-unicode:rxvt-unicode:5.1:*:*:*:*:*:*:*
- cpe:2.3:a:rxvt-unicode:rxvt-unicode:4.9:*:*:*:*:*:*:*
- cpe:2.3:a:rxvt-unicode:rxvt-unicode:4.2:*:*:*:*:*:*:*
- cpe:2.3:a:rxvt-unicode:rxvt-unicode:4.0:*:*:*:*:*:*:*
- cpe:2.3:a:rxvt-unicode:rxvt-unicode:3.3:*:*:*:*:*:*:*
- cpe:2.3:a:rxvt-unicode:rxvt-unicode:3.1:*:*:*:*:*:*:*
- cpe:2.3:a:rxvt-unicode:rxvt-unicode:2.6:*:*:*:*:*:*:*
- cpe:2.3:a:rxvt-unicode:rxvt-unicode:2.4:*:*:*:*:*:*:*
- cpe:2.3:a:rxvt-unicode:rxvt-unicode:1.8:*:*:*:*:*:*:*
- cpe:2.3:a:rxvt-unicode:rxvt-unicode:1.6:*:*:*:*:*:*:*
- cpe:2.3:a:rxvt-unicode:rxvt-unicode:8.5a:*:*:*:*:*:*:*
- cpe:2.3:a:rxvt-unicode:rxvt-unicode:8.5:*:*:*:*:*:*:*
- cpe:2.3:a:rxvt-unicode:rxvt-unicode:8.4:*:*:*:*:*:*:*
- cpe:2.3:a:rxvt-unicode:rxvt-unicode:8.3:*:*:*:*:*:*:*
- cpe:2.3:a:rxvt-unicode:rxvt-unicode:6.3:*:*:*:*:*:*:*
- cpe:2.3:a:rxvt-unicode:rxvt-unicode:6.2:*:*:*:*:*:*:*
- cpe:2.3:a:rxvt-unicode:rxvt-unicode:6.1:*:*:*:*:*:*:*
- cpe:2.3:a:rxvt-unicode:rxvt-unicode:6.0:*:*:*:*:*:*:*
- cpe:2.3:a:rxvt-unicode:rxvt-unicode:4.7:*:*:*:*:*:*:*
- cpe:2.3:a:rxvt-unicode:rxvt-unicode:4.6:*:*:*:*:*:*:*
- cpe:2.3:a:rxvt-unicode:rxvt-unicode:4.5:*:*:*:*:*:*:*
- cpe:2.3:a:rxvt-unicode:rxvt-unicode:4.4:*:*:*:*:*:*:*
- cpe:2.3:a:rxvt-unicode:rxvt-unicode:4.3:*:*:*:*:*:*:*
- cpe:2.3:a:rxvt-unicode:rxvt-unicode:3.0:*:*:*:*:*:*:*
- cpe:2.3:a:rxvt-unicode:rxvt-unicode:2.9:*:*:*:*:*:*:*
- cpe:2.3:a:rxvt-unicode:rxvt-unicode:2.8:*:*:*:*:*:*:*
- cpe:2.3:a:rxvt-unicode:rxvt-unicode:2.7:*:*:*:*:*:*:*
- cpe:2.3:a:rxvt-unicode:rxvt-unicode:1.4:*:*:*:*:*:*:*
- cpe:2.3:a:rxvt-unicode:rxvt-unicode:1.3:*:*:*:*:*:*:*
- cpe:2.3:a:rxvt-unicode:rxvt-unicode:1.2:*:*:*:*:*:*:*
- cpe:2.3:a:rxvt-unicode:rxvt-unicode:1.1:*:*:*:*:*:*:*
- cpe:2.3:a:rxvt-unicode:rxvt-unicode:8.9:*:*:*:*:*:*:*
- cpe:2.3:a:rxvt-unicode:rxvt-unicode:8.7:*:*:*:*:*:*:*
- cpe:2.3:a:rxvt-unicode:rxvt-unicode:8.1:*:*:*:*:*:*:*
- cpe:2.3:a:rxvt-unicode:rxvt-unicode:7.9:*:*:*:*:*:*:*
- cpe:2.3:a:rxvt-unicode:rxvt-unicode:7.4:*:*:*:*:*:*:*
- cpe:2.3:a:rxvt-unicode:rxvt-unicode:7.2:*:*:*:*:*:*:*
- cpe:2.3:a:rxvt-unicode:rxvt-unicode:7.0:*:*:*:*:*:*:*
- cpe:2.3:a:rxvt-unicode:rxvt-unicode:5.9:*:*:*:*:*:*:*
- cpe:2.3:a:rxvt-unicode:rxvt-unicode:5.7:*:*:*:*:*:*:*
- cpe:2.3:a:rxvt-unicode:rxvt-unicode:5.0:*:*:*:*:*:*:*
- cpe:2.3:a:rxvt-unicode:rxvt-unicode:4.8:*:*:*:*:*:*:*
- cpe:2.3:a:rxvt-unicode:rxvt-unicode:4.1:*:*:*:*:*:*:*
- cpe:2.3:a:rxvt-unicode:rxvt-unicode:3.9:*:*:*:*:*:*:*
- cpe:2.3:a:rxvt-unicode:rxvt-unicode:3.4:*:*:*:*:*:*:*
- cpe:2.3:a:rxvt-unicode:rxvt-unicode:3.2:*:*:*:*:*:*:*
- cpe:2.3:a:rxvt-unicode:rxvt-unicode:2.5:*:*:*:*:*:*:*
- cpe:2.3:a:rxvt-unicode:rxvt-unicode:2.3:*:*:*:*:*:*:*
- cpe:2.3:a:rxvt-unicode:rxvt-unicode:1.7:*:*:*:*:*:*:*
- cpe:2.3:a:rxvt-unicode:rxvt-unicode:1.5:*:*:*:*:*:*:*
- cpe:2.3:a:rxvt-unicode:rxvt-unicode:1.0:*:*:*:*:*:*:*
- cpe:2.3:a:eterm:eterm:*:*:*:*:*:*:*:*
- cpe:2.3:a:eterm:eterm:0.9.2:*:*:*:*:*:*:*
- cpe:2.3:a:mrxvt:mrxvt:*:*:*:*:*:*:*:*
- cpe:2.3:a:mrxvt:mrxvt:0.4.2:*:*:*:*:*:*:*
- cpe:2.3:a:multi-aterm:multi-aterm:*:*:*:*:*:*:*:*
- cpe:2.3:a:multi-aterm:multi-aterm:0.1:*:*:*:*:*:*:*
- cpe:2.3:a:multi-aterm:multi-aterm:0.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:multi-aterm:multi-aterm:0.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:multi-aterm:multi-aterm:0.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:multi-aterm:multi-aterm:0.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:wterm:wterm:*:*:*:*:*:*:*:*
- cpe:2.3:a:wterm:wterm:6.2.5:*:*:*:*:*:*:*
- cpe:2.3:a:wterm:wterm:6.2.6:*:*:*:*:*:*:*