Missing Authentication for Critical Function in Debian Linux - CVE-2011-2187
Published: November 27, 2019 / Updated: August 8, 2020
Vulnerability identifier: #VU35026
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2011-2187
CWE-ID: CWE-306
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: Debian
Affected software: Debian Linux
Detailed vulnerability description
The vulnerability allows a local authenticated user to execute arbitrary code.
xscreensaver before 5.14 crashes during activation and leaves the screen unlocked when in Blank Only Mode and when DPMS is disabled, which allows local attackers to access resources without authentication.
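The following POSIX shell check is an added example, not code from the advisory, from Debian or from the xscreensaver project: it flags a host only when all three conditions named above coincide (xscreensaver older than 5.14, Blank Only Mode, DPMS disabled). The resource-file keys `mode: blank` and `dpmsEnabled: False` and the `xscreensaver --version` output format are assumptions.

```shell
#!/bin/sh
# Added check, not from the advisory: reports whether the three conditions of
# CVE-2011-2187 coincide (xscreensaver < 5.14, Blank Only Mode, DPMS disabled).
# The ~/.xscreensaver keys "mode: blank" and "dpmsEnabled: False" and the
# "xscreensaver --version" output format are assumptions.

# Return 0 when version string "$1" (e.g. "5.12", "5.14b") is older than 5.14,
# the first release in which the crash-on-activation was fixed.
xss_version_vulnerable() {
    major=${1%%.*}
    case $1 in
        *.*) minor=${1#*.}; minor=${minor%%.*} ;;
        *)   minor=0 ;;
    esac
    major=$(printf '%s' "$major" | sed 's/[^0-9].*//')   # keep digits only
    minor=$(printf '%s' "$minor" | sed 's/[^0-9].*//')   # "14b" -> "14"
    [ "${major:-0}" -lt 5 ] && return 0
    [ "${major:-0}" -eq 5 ] && [ "${minor:-0}" -lt 14 ] && return 0
    return 1
}

# Return 0 when the resource text "$1" selects blank-only mode with DPMS off.
xss_config_risky() {
    printf '%s\n' "$1" | awk '
        tolower($1) == "mode:"        { mode = tolower($2) }
        tolower($1) == "dpmsenabled:" { dpms = tolower($2) }
        END { exit !(mode == "blank" && dpms == "false") }'
}

# Return 0 when both the version and the configuration conditions hold.
cve_2011_2187_exposed() {
    xss_version_vulnerable "$1" && xss_config_risky "$2"
}

# Installed version, if xscreensaver is on PATH (assumed banner "XScreenSaver 5.xx ...").
xss_installed_version() {
    xscreensaver --version 2>/dev/null |
        sed -n 's/.*XScreenSaver \([0-9][0-9]*\.[0-9][0-9a-z]*\).*/\1/p' | head -n 1
}

# Constructed sample: an old release with the risky resource combination.
SAMPLE_CFG='mode: blank
dpmsEnabled: False
lock: True'
if cve_2011_2187_exposed "5.12" "$SAMPLE_CFG"; then
    echo "exposed: xscreensaver 5.12, blank-only mode, DPMS disabled"
else
    echo "not exposed"
fi
```

On a live host, replace the constructed version with `$(xss_installed_version)` and the sample text with the contents of `~/.xscreensaver`.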
How to mitigate CVE-2011-2187
Install the update from the vendor's website.
Sources
- https://access.redhat.com/security/cve/cve-2011-2187
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=627382
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-2187
- https://security-tracker.debian.org/tracker/CVE-2011-2187
- https://www.jwz.org/xscreensaver/changelog.html
- https://www.openwall.com/lists/oss-security/2011/06/06/17