Vulnerability Details : CVE-2021-34557
XScreenSaver 5.45 can be bypassed if the machine has more than ten disconnectable video outputs. A buffer overflow in update_screen_layout() allows an attacker to bypass the standard screen lock authentication mechanism by crashing XScreenSaver. The attacker must physically disconnect many video outputs.
Vulnerability category: Overflow
Products affected by CVE-2021-34557
- cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*
- cpe:2.3:a:xscreensaver_project:xscreensaver:5.45:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2021-34557
0.12%: probability of exploitation activity in the next 30 days
EPSS Score History
~47%: percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2021-34557
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
2.1 | LOW | AV:L/AC:L/Au:N/C:N/I:N/A:P | 3.9 | 2.9 | NIST | |
4.6 | MEDIUM | CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 0.9 | 3.6 | NIST | |
CWE ids for CVE-2021-34557
- The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buffer overflow. Assigned by: nvd@nist.gov (Primary)
References for CVE-2021-34557
- http://www.openwall.com/lists/oss-security/2021/07/06/2
  oss-security - xscreensaver 5.45 crash (Exploit; Mailing List; Third Party Advisory)
- http://www.openwall.com/lists/oss-security/2021/06/11/1
  oss-security - Re: XScreenSaver 5.45: Disconnecting a video output can cause XScreenSaver to crash and unlock (Mailing List; Third Party Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TC4QB7TRS4GS7LDXQQ4PC6J3LVFJYISV/
  [SECURITY] Fedora 33 Update: xscreensaver-5.45-2.fc33 - package-announce - Fedora Mailing-Lists (Mailing List; Third Party Advisory)
- https://www.openwall.com/lists/oss-security/2021/06/05/1
  oss-security - XScreenSaver 5.45: Disconnecting a video output can cause XScreenSaver to crash and unlock (Exploit; Mailing List; Third Party Advisory)
- https://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-068-2021.txt
  qubes-secpack/qsb-068-2021.txt at master · QubesOS/qubes-secpack · GitHub (Exploit; Third Party Advisory)
- https://github.com/QubesOS/qubes-xscreensaver/blob/master/0001-Fix-updating-outputs-info.patch
  qubes-xscreensaver/0001-Fix-updating-outputs-info.patch at master · QubesOS/qubes-xscreensaver · GitHub (Patch; Third Party Advisory)
- https://github.com/QubesOS/qubes-issues/issues/6595
  Xscreensaver dies unexpectedly, cannot lock screen · Issue #6595 · QubesOS/qubes-issues · GitHub (Issue Tracking; Third Party Advisory)