Vulnerability Details : CVE-2017-12183
xorg-x11-server before 1.19.5 was missing length validation in the XFIXES extension's request handlers. A malicious X client (any process able to connect to the display) could send a request whose client-supplied length fields do not match the data actually sent, causing the X server to read out of bounds and crash, or possibly execute arbitrary code.
Vulnerability categories: Input validation; Execute code
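The description above only says that length validation was missing. The following is an added illustration, not code from xorg-server or from the fix commit referenced on this page, of the check a variable-length extension request handler needs before it trusts a client-supplied byte count. The request layout is modeled on the XFIXES SetCursorName request (a 12-byte fixed part followed by nbytes of name, padded to 4 bytes), and the validation rule mirrors the shape of the server's REQUEST_FIXED_SIZE macro; the handler names, the placeholder major opcode and the sample request bytes are constructed for this example.

```c
/*
 * Added illustration, not xorg-server code: the length check a handler for a
 * variable-length extension request must do before trusting a client-supplied
 * byte count. Layout modeled on the XFIXES SetCursorName request (12-byte
 * fixed part, then `nbytes` of name padded to 4 bytes); the rule in
 * request_fixed_size_ok() mirrors the server's REQUEST_FIXED_SIZE macro.
 * Handler names, the placeholder major opcode and the sample bytes are
 * constructed for this example.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define Success   0
#define BadAlloc  11   /* core protocol error codes */
#define BadLength 16

#define SET_CURSOR_NAME_REQ_SIZE 12  /* reqType, minor, length, cursor, nbytes, pad */

/* Little-endian read; a real server byte-swaps for mismatched clients first. */
static uint16_t get16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Round a byte count up to 4-byte units, the unit of the X request length. */
static size_t to_units(size_t nbytes) { return (nbytes + 3) >> 2; }

/* Is a request of `fixed` header bytes plus `n` trailing bytes exactly
 * `req_len` units long? Rejects truncated headers, counts large enough to
 * overflow the unit arithmetic, and any mismatch with the client's length. */
static int request_fixed_size_ok(size_t fixed, size_t n, size_t req_len) {
    if ((fixed >> 2) > req_len) return 0;          /* header itself truncated */
    if ((n >> 2) >= req_len) return 0;             /* n cannot fit in the request */
    return to_units(fixed + n) == req_len;         /* padded total must match */
}

/* Hardened handler. `buflen` is what the server actually read for this
 * request. Copies the name into `out` NUL-terminated and returns Success,
 * or an error code without reading a byte beyond buflen. */
static int proc_set_cursor_name(const uint8_t *buf, size_t buflen,
                                char *out, size_t cap) {
    if (buflen < SET_CURSOR_NAME_REQ_SIZE || (buflen & 3) != 0)
        return BadLength;
    size_t req_len = buflen >> 2;                  /* units the client sent */
    uint16_t length = get16(buf + 2);              /* units the header claims */
    uint16_t nbytes = get16(buf + 8);              /* trailing name length */
    if (length != req_len)
        return BadLength;                          /* header disagrees with wire */
    if (!request_fixed_size_ok(SET_CURSOR_NAME_REQ_SIZE, nbytes, req_len))
        return BadLength;                          /* the check this CVE lacked */
    if ((size_t)nbytes >= cap)
        return BadAlloc;
    memcpy(out, buf + SET_CURSOR_NAME_REQ_SIZE, nbytes);
    out[nbytes] = '\0';
    return Success;
}

/* Bytes a handler that trusts nbytes blindly would read from buf. Anything
 * above buflen is an out-of-bounds read of server memory. */
static size_t unchecked_read_extent(const uint8_t *buf, size_t buflen) {
    if (buflen < SET_CURSOR_NAME_REQ_SIZE) return buflen;
    return SET_CURSOR_NAME_REQ_SIZE + (size_t)get16(buf + 8);
}

/* Constructed sample requests (little-endian). 0x8A is a placeholder major
 * opcode; 23 matches X_XFixesSetCursorName in xfixesproto.h. */
static const uint8_t good_req[16] = {
    0x8A, 23, 4, 0,             /* length = 4 units = 16 bytes */
    0x01, 0x00, 0x20, 0x00,     /* cursor XID */
    3, 0, 0, 0,                 /* nbytes = 3, pad */
    'f', 'o', 'o', 0 };         /* "foo" + 1 pad byte */
static const uint8_t bad_req[16] = {
    0x8A, 23, 4, 0,             /* still claims 16 bytes in total ... */
    0x01, 0x00, 0x20, 0x00,
    0xA0, 0x0F, 0, 0,           /* ... but nbytes = 0x0FA0 = 4000 */
    'f', 'o', 'o', 0 };

int main(void) {
    char name[64];
    int rc = proc_set_cursor_name(good_req, sizeof good_req, name, sizeof name);
    printf("good request: rc=%d name=\"%s\"\n", rc, rc == Success ? name : "");
    rc = proc_set_cursor_name(bad_req, sizeof bad_req, name, sizeof name);
    printf("bad request: rc=%d (BadLength=%d); unchecked handler would read %zu of %zu bytes\n",
           rc, BadLength, unchecked_read_extent(bad_req, sizeof bad_req), sizeof bad_req);
    return 0;
}
```

The point of the three-part rule is that checking only `nbytes <= some maximum` is not enough: the trailing count has to be reconciled with the request length the dispatcher actually read, and the comparison has to be done in a way that a 16-bit count near its maximum cannot overflow. The same check belongs in the byte-swapped (SProc) path after the length fields have been swapped, since the unswapped values are meaningless.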
Exploit prediction scoring system (EPSS) score for CVE-2017-12183
Probability of exploitation activity in the next 30 days: 0.79%
Percentile (proportion of all scored vulnerabilities with an EPSS score at or below this one): ~80%
CVSS scores for CVE-2017-12183
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
---|---|---|---|---|---|
7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P (CVSS v2) | 10.0 | 6.4 | NIST |
9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | NIST |
CWE ids for CVE-2017-12183
- The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. (Assigned by: nvd@nist.gov, Primary)
- [PLANNED FOR DEPRECATION. SEE MAINTENANCE NOTES AND CONSIDER CWE-252, CWE-248, OR CWE-1069.] Ignoring exceptions and other error conditions may allow an attacker to induce unexpected behavior unnoticed. (Assigned by: secalert@redhat.com, Secondary)
References for CVE-2017-12183
- https://cgit.freedesktop.org/xorg/xserver/commit/?id=55caa8b08c84af2b50fbc936cf334a5a93dd7db5
  xorg/xserver upstream fix commit (mirrored from https://gitlab.freedesktop.org/xorg/xserver). Patch; Third Party Advisory
- https://lists.debian.org/debian-lts-announce/2017/11/msg00032.html
  [SECURITY] [DLA 1186-1] xorg-server security update. Mailing List; Third Party Advisory
- https://www.debian.org/security/2017/dsa-4000
  Debian Security Information: DSA-4000-1 xorg-server. Third Party Advisory
- https://security.gentoo.org/glsa/201711-05
  X.Org Server: Multiple vulnerabilities (GLSA 201711-05), Gentoo security. Third Party Advisory; VDB Entry
- https://bugzilla.redhat.com/show_bug.cgi?id=1509224
  Red Hat bug 1509224: CVE-2017-12183 xorg-x11-server: unvalidated lengths in XFIXES extension. Issue Tracking; Patch; Third Party Advisory; VDB Entry
Products affected by CVE-2017-12183
- cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
- cpe:2.3:a:x.org:xorg-server:*:*:*:*:*:*:*:*