CVE-2019-5068 : An exploitable shared memory permissions vulnerability exists in the functionali

An exploitable shared memory permissions vulnerability exists in the functionality of X11 Mesa 3D Graphics Library 19.1.2. An attacker can access the shared memory without any specific permissions to trigger this vulnerability.

Published 2019-11-05 22:15:14

Updated 2022-06-21 19:23:16

Source Talos

View at NVD, CVE.org

Products affected by CVE-2019-5068

Debian » Debian Linux » Version: 8.0
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
Matching versions
Canonical » Ubuntu Linux » Version: 18.04 LTS Edition
cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
Matching versions
Canonical » Ubuntu Linux » Version: 19.10
cpe:2.3:o:canonical:ubuntu_linux:19.10:*:*:*:*:*:*:*
Matching versions
Opensuse » Leap » Version: 15.1
cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*
Matching versions
Mesa3d » Mesa » Version: 19.1.2
cpe:2.3:a:mesa3d:mesa:19.1.2:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2019-5068

EPSS FAQ

0.09%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 27 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2019-5068

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
3.6	LOW	AV:L/AC:L/Au:N/C:P/I:P/A:N	3.9	4.9	NIST
Access Vector: Local Access Complexity: Low Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: None
5.1	MEDIUM	CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N	2.5	2.5	Talos
Attack Vector: Local Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: Low Integrity: Low Availability: None
4.4	MEDIUM	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N	1.8	2.5	NIST
Attack Vector: Local Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: Low Integrity: Low Availability: None

CWE ids for CVE-2019-5068

CWE-277 Insecure Inherited Permissions

A product defines a set of insecure permissions that are inherited by objects that are created by the program.

Assigned by: talos-cna@cisco.com (Secondary)
CWE-732 Incorrect Permission Assignment for Critical Resource

The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2019-5068

http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00037.html

[security-announce] openSUSE-SU-2020:0084-1: moderate: Security update f
Mailing List;Third Party Advisory
https://gitlab.freedesktop.org/mesa/mesa/-/commit/02c3dad0f3b4d26e0faa5cc51d06bc50d693dcdc

Call shmget() with permission 0600 instead of 0777 (02c3dad0) · Commits · Mesa / mesa · GitLab
Patch;Third Party Advisory
https://lists.freedesktop.org/pipermail/mesa-dev/2019-October/223704.html

[Mesa-dev] [PATCH] Call shmget() with permission 0600 instead of 0777
Mailing List;Patch;Third Party Advisory
https://usn.ubuntu.com/4271-1/

USN-4271-1: Mesa vulnerability | Ubuntu security notices
Third Party Advisory
https://talosintelligence.com/vulnerability_reports/TALOS-2019-0857

TALOS-2019-0857 || Cisco Talos Intelligence Group - Comprehensive Threat Intelligence
Exploit;Third Party Advisory
https://lists.debian.org/debian-lts-announce/2019/11/msg00013.html

[SECURITY] [DLA 1993-1] mesa security update
Mailing List;Third Party Advisory

Jump to

Vulnerability Details : CVE-2019-5068

Products affected by CVE-2019-5068

Exploit prediction scoring system (EPSS) score for CVE-2019-5068

CVSS scores for CVE-2019-5068

CWE ids for CVE-2019-5068

References for CVE-2019-5068