Missing Authentication for Critical Function in Debian Linux
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2011-2187 |
| CWE-ID | CWE-306 |
| Exploitation vector | Local |
| Public exploit | N/A |
| Vulnerable software |
Debian Linux Operating systems & Components / Operating system |
| Vendor | Debian |
Security Bulletin
This security bulletin contains one low risk vulnerability.
1) Missing Authentication for Critical Function
EUVDB-ID: #VU35026
Risk: Low
CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2011-2187
CWE-ID:
CWE-306 - Missing Authentication for Critical Function
Exploit availability: No
DescriptionThe vulnerability allows a local authenticated user to execute arbitrary code.
xscreensaver before 5.14 crashes during activation and leaves the screen unlocked when in Blank Only Mode and when DPMS is disabled, which allows local attackers to access resources without authentication.
MitigationInstall update from vendor's website.
Vulnerable software versionsDebian Linux: 8.0 - 9.0
CPE2.3 External linkshttps://access.redhat.com/security/cve/cve-2011-2187
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=627382
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-2187
https://security-tracker.debian.org/tracker/CVE-2011-2187
https://www.jwz.org/xscreensaver/changelog.html
https://www.openwall.com/lists/oss-security/2011/06/06/17
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
