CVE-2020-14346 : A flaw was found in xorg-x11-server before 1.20.9. An integer underflow in the X input extension protocol decoding in th

A flaw was found in xorg-x11-server before 1.20.9. An integer underflow in the X input extension protocol decoding in the X server may lead to arbitrary access of memory contents. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

Published 2020-09-15 19:15:13

Updated 2022-11-08 20:04:44

Source Red Hat, Inc.

View at NVD, CVE.org

Exploit prediction scoring system (EPSS) score for CVE-2020-14346

Probability of exploitation activity in the next 30 days: 0.05%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 15 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2020-14346

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
4.6	MEDIUM	AV:L/AC:L/Au:N/C:P/I:P/A:P	3.9	6.4	NIST
Access Vector: Local Access Complexity: Low Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial
7.8	HIGH	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	1.8	5.9	NIST
Attack Vector: Local Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2020-14346

CWE-191 Integer Underflow (Wrap or Wraparound)

The product subtracts one value from another, such that the result is less than the minimum allowable integer value, which produces a value that is not equal to the correct result.
Assigned by:
- nvd@nist.gov (Primary)
- secalert@redhat.com (Secondary)

References for CVE-2020-14346

https://usn.ubuntu.com/4488-2/

USN-4488-2: X.Org X Server vulnerabilities | Ubuntu security notices | Ubuntu
Third Party Advisory

CVEs referencing this url
https://bugzilla.redhat.com/show_bug.cgi?id=1862246

1862246 – (CVE-2020-14346) CVE-2020-14346 xorg-x11-server: Integer underflow in the X input extension protocol
Issue Tracking;Third Party Advisory
https://lists.x.org/archives/xorg-announce/2020-August/003058.html

X.Org server security advisory: August 25, 2020
Mailing List;Patch;Vendor Advisory

CVEs referencing this url
https://www.zerodayinitiative.com/advisories/ZDI-20-1417/

Third Party Advisory;VDB Entry
https://security.gentoo.org/glsa/202012-01

Third Party Advisory

CVEs referencing this url

Products affected by CVE-2020-14346

Redhat » Enterprise Linux » Version: 6.0
cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux » Version: 7.0
cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux » Version: 8.0
cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
Matching versions
X.org » Xorg-server
Versions before (<) 1.20.9
cpe:2.3:a:x.org:xorg-server:*:*:*:*:*:*:*:*
Matching versions
Canonical » Ubuntu Linux » Version: 14.04 ESM Edition
cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:*
Matching versions

Vulnerability Details : CVE-2020-14346

Exploit prediction scoring system (EPSS) score for CVE-2020-14346

CVSS scores for CVE-2020-14346

CWE ids for CVE-2020-14346

References for CVE-2020-14346

Products affected by CVE-2020-14346