Vulnerability Details : CVE-2024-0408
A flaw was found in the X.Org server. The GLX PBuffer code does not call the XACE hook when creating the buffer, so the new resource is left unlabeled. When the client later issues a request that accesses that resource (such as GetGeometry), or creates another resource that must reference it (such as a GC), the XSELINUX code tries to use an object that was never labeled and crashes because its SID is NULL. The crash path runs only in servers with the XSELINUX extension active; on such a server the result is a denial of service of the whole display server, triggerable by any client already permitted to connect to it.
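The mechanism above, as an added, simplified model that is not X.Org server code: one creation path registers an object without ever calling the labeling hook, and the later access check assumes every object carries a label. The type and function names (`Resource`, `SecurityId`, `label_resource`, `create_pbuffer_vulnerable`, `create_pbuffer_fixed`, `check_access`) are hypothetical stand-ins for the server's resource records, the XACE hook and the XSELINUX check; the "policy" is a toy owner-match and the client contexts are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added, simplified model of the CVE-2024-0408 bug class. NOT X.Org code:
 * every name below is a hypothetical stand-in for the server's resource
 * records, the XACE labeling hook and the XSELINUX access check. */

typedef struct {
    char context[96];          /* stand-in for an XSELINUX security context / SID */
} SecurityId;

typedef struct {
    unsigned    id;
    const char *type;          /* "glxpbuffer", "gc", ... */
    SecurityId *sid;           /* NULL when no creation path ever labeled the object */
} Resource;

/* Models the labeling hook every resource-creation path is expected to call:
 * derives the object's label from the creating client's context. */
static SecurityId *label_resource(const char *client_ctx, const char *type)
{
    SecurityId *sid = calloc(1, sizeof *sid);
    if (sid == NULL)
        abort();
    snprintf(sid->context, sizeof sid->context, "%s:%s", client_ctx, type);
    return sid;
}

/* Vulnerable creation path: the object is registered with no label at all,
 * as the page describes for the GLX PBuffer code before the fix. */
Resource *create_pbuffer_vulnerable(unsigned id)
{
    Resource *r = calloc(1, sizeof *r);
    if (r == NULL)
        abort();
    r->id   = id;
    r->type = "glxpbuffer";
    r->sid  = NULL;            /* labeling hook never called */
    return r;
}

/* Fixed creation path: the same object, labeled at creation like any other
 * drawable, so every later access check finds a SID. This is where the real
 * fix belongs. */
Resource *create_pbuffer_fixed(unsigned id, const char *client_ctx)
{
    Resource *r = create_pbuffer_vulnerable(id);
    r->sid = label_resource(client_ctx, r->type);
    return r;
}

/* Consumer side: what runs on a later GetGeometry on the pbuffer, or when a
 * GC is created against it. The vulnerable server dereferenced the SID
 * unconditionally, so an unlabeled object took the display server down.
 * Here an unlabeled object is reported instead (defense in depth).
 * Returns 1 = allow, 0 = deny, -1 = object carries no label. */
int check_access(const Resource *r, const char *client_ctx)
{
    if (r->sid == NULL)
        return -1;             /* would be a NULL dereference without this guard */
    /* Toy policy: a client may touch objects labeled with its own context. */
    char expected[96];
    snprintf(expected, sizeof expected, "%s:%s", client_ctx, r->type);
    return strcmp(r->sid->context, expected) == 0;
}

void free_resource(Resource *r)
{
    free(r->sid);
    free(r);
}

int main(void)
{
    const char *client = "user_u:user_r:user_t";   /* constructed context */

    Resource *vuln = create_pbuffer_vulnerable(0x400001);
    printf("vulnerable pbuffer, GetGeometry check: %d\n", check_access(vuln, client));
    free_resource(vuln);

    Resource *fixed = create_pbuffer_fixed(0x400002, client);
    printf("fixed pbuffer, same client:            %d\n", check_access(fixed, client));
    printf("fixed pbuffer, other client:           %d\n",
           check_access(fixed, "guest_u:guest_r:guest_t"));
    free_resource(fixed);
    return 0;
}
```

The two halves of the model match the two things a maintainer should do: label at creation (the actual fix, so no unlabeled object can exist) and refuse rather than dereference when a consumer nevertheless meets one, so a future creation path that forgets the hook degrades to a denied request instead of a server crash.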
Products affected by CVE-2024-0408
- cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_for_scientific_computing:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_for_power_big_endian:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems:7.0:*:*:*:*:*:*:*
- cpe:2.3:a:x.org:xorg-server:*:*:*:*:*:*:*:*
- cpe:2.3:a:x.org:xwayland:*:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*
- cpe:2.3:a:tigervnc:tigervnc:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2024-0408
EPSS score: 0.01% (probability of exploitation activity in the next 30 days)
EPSS percentile: ~1% (the proportion of vulnerabilities scored at or below this value)
CVSS scores for CVE-2024-0408
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H | 1.8 | 3.6 | NIST | 2024-01-30
5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H | 1.8 | 3.6 | Red Hat, Inc. | 2024-01-18
Both sources agree on the vector: local attack vector, low privileges required, no user interaction, unchanged scope, and an availability impact only, that is, a crash of the X server (denial of service) with no confidentiality or integrity impact.
CWE ids for CVE-2024-0408
- The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes NUL characters or null bytes when they are sent to a downstream component. (Assigned by: secalert@redhat.com, Secondary)
  Note that this weakness text concerns NUL bytes in input, whereas the flaw described above is a missing security label that leaves a NULL SID pointer to be dereferenced; do not read the CWE assignment as meaning the bug is triggered by null bytes in client data.
References for CVE-2024-0408
- https://security.netapp.com/advisory/ntap-20240307-0006/
  January 2024 X.Org X Server 21.1.11 Vulnerabilities in NetApp Products | NetApp Product Security
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EJBMCWQ54R6ZL3MYU2D2JBW6JMZL7BQW/
  [SECURITY] Fedora 39 Update: tigervnc-1.13.1-11.fc39 - package-announce - Fedora Mailing-Lists (Mailing List; Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2024:2995
  RHSA-2024:2995 - Security Advisory - Red Hat Customer Portal
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IZ75X54CN4IFYMIV7OK3JVZ57FHQIGIC/
  [SECURITY] Fedora 38 Update: xorg-x11-server-Xwayland-22.1.9-5.fc38 - package-announce - Fedora Mailing-Lists
- https://bugzilla.redhat.com/show_bug.cgi?id=2257689
  2257689 – (CVE-2024-0408) CVE-2024-0408 xorg-x11-server: SELinux unlabeled GLX PBuffer (Issue Tracking)
- https://security.gentoo.org/glsa/202401-30
  X.Org X Server, XWayland: Multiple Vulnerabilities (GLSA 202401-30) — Gentoo security
- https://access.redhat.com/errata/RHSA-2024:2170
  RHSA-2024:2170 - Security Advisory - Red Hat Customer Portal
- https://access.redhat.com/errata/RHSA-2024:2169
  RHSA-2024:2169 - Security Advisory - Red Hat Customer Portal
- https://access.redhat.com/security/cve/CVE-2024-0408
  CVE-2024-0408 - Red Hat Customer Portal (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2024:2996
  RHSA-2024:2996 - Security Advisory - Red Hat Customer Portal
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5J4H7CH565ALSZZYKOJFYDA5KFLG6NUK/
  [SECURITY] Fedora 39 Update: xorg-x11-server-Xwayland-23.2.4-1.fc39 - package-announce - Fedora Mailing-Lists (Mailing List; Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2024:0320
  RHSA-2024:0320 - Security Advisory - Red Hat Customer Portal (Third Party Advisory)
- https://lists.debian.org/debian-lts-announce/2024/01/msg00016.html
  [SECURITY] [DLA 3721-1] xorg-server security update (Mailing List; Third Party Advisory)