{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2020-14361", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "dateUpdated": "2024-08-04T12:46:33.907Z", "dateReserved": "2020-06-17T00:00:00", "datePublished": "2020-09-15T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2022-10-07T00:00:00"}, "descriptions": [{"lang": "en", "value": "A flaw was found in X.Org Server before xorg-x11-server 1.20.9. An Integer underflow leading to heap-buffer overflow may lead to a privilege escalation vulnerability. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability."}], "affected": [{"vendor": "n/a", "product": "xorg-x11-server", "versions": [{"version": "before xorg-x11-server 1.20.9", "status": "affected"}]}], "references": [{"url": "https://lists.x.org/archives/xorg-announce/2020-August/003058.html"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1869142"}, {"name": "USN-4488-2", "tags": ["vendor-advisory"], "url": "https://usn.ubuntu.com/4488-2/"}, {"name": "GLSA-202012-01", "tags": ["vendor-advisory"], "url": "https://security.gentoo.org/glsa/202012-01"}, {"url": "https://www.zerodayinitiative.com/advisories/ZDI-20-1418/"}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-191", "cweId": "CWE-191"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T12:46:33.907Z"}, "title": "CVE Program Container", "references": [{"url": "https://lists.x.org/archives/xorg-announce/2020-August/003058.html", "tags": ["x_transferred"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1869142", "tags": ["x_transferred"]}, {"name": "USN-4488-2", "tags": ["vendor-advisory", "x_transferred"], "url": "https://usn.ubuntu.com/4488-2/"}, {"name": "GLSA-202012-01", "tags": ["vendor-advisory", "x_transferred"], "url": "https://security.gentoo.org/glsa/202012-01"}, {"url": "https://www.zerodayinitiative.com/advisories/ZDI-20-1418/", "tags": ["x_transferred"]}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:x.org:xorg-server:*:*:*:*:*:*:*:*", "matchCriteriaId": "6044327C-A09D-4164-BF79-7940D0A6D1C2", "versionEndExcluding": "1.20.9", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:*", "matchCriteriaId": "815D70A8-47D3-459C-A32C-9FEACA0659D1", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*", "matchCriteriaId": "2F6AB192-9D7D-4A9A-8995-E53A9DE9EAFC", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "142AD0DD-4CF3-4D74-9442-459CE3347E3A", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "F4CFF558-3C47-480D-A2F0-BABF26042943", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in X.Org Server before xorg-x11-server 1.20.9. An Integer underflow leading to heap-buffer overflow may lead to a privilege escalation vulnerability. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability."}, {"lang": "es", "value": "Se encontr\u00f3 un fallo en X.Org Server versiones anteriores a xorg-x11-server 1.20.9. Un subdesbordamiento de enteros que conlleva a un desbordamiento del b\u00fafer de la pila puede conllevar a una vulnerabilidad de escalada de privilegios. La mayor amenaza de esta vulnerabilidad es la confidencialidad e integridad de los datos, as\u00ed como la disponibilidad del sistema"}], "id": "CVE-2020-14361", "lastModified": "2022-11-03T20:04:21.457", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.6, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-09-15T19:15:12.823", "references": [{"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1869142"}, {"source": "secalert@redhat.com", "tags": ["Mailing List", "Patch", "Vendor Advisory"], "url": "https://lists.x.org/archives/xorg-announce/2020-August/003058.html"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202012-01"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://usn.ubuntu.com/4488-2/"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://www.zerodayinitiative.com/advisories/ZDI-20-1418/"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-191"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-191"}], "source": "secalert@redhat.com", "type": "Secondary"}]}

{"acknowledgement": "Red Hat would like to thank Jan-Niklas Sohn (Trend Micro Zero Day Initiative) for reporting this issue.", "affected_release": [{"advisory": "RHSA-2020:4953", "cpe": "cpe:/o:redhat:enterprise_linux:6", "package": "xorg-x11-server-0:1.17.4-18.el6_10", "product_name": "Red Hat Enterprise Linux 6", "release_date": "2020-11-05T00:00:00Z"}, {"advisory": "RHSA-2020:4910", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "xorg-x11-server-0:1.20.4-12.el7_9", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2020-11-04T00:00:00Z"}, {"advisory": "RHSA-2021:1804", "cpe": "cpe:/a:redhat:enterprise_linux:8", "impact": "moderate", "package": "egl-wayland-0:1.1.5-3.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2021-05-18T00:00:00Z"}, {"advisory": "RHSA-2021:1804", "cpe": "cpe:/a:redhat:enterprise_linux:8", "impact": "moderate", "package": "libdrm-0:2.4.103-1.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2021-05-18T00:00:00Z"}, {"advisory": "RHSA-2021:1804", "cpe": "cpe:/a:redhat:enterprise_linux:8", "impact": "moderate", "package": "libglvnd-1:1.3.2-1.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2021-05-18T00:00:00Z"}, {"advisory": "RHSA-2021:1804", "cpe": "cpe:/a:redhat:enterprise_linux:8", "impact": "moderate", "package": "libinput-0:1.16.3-1.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2021-05-18T00:00:00Z"}, {"advisory": "RHSA-2021:1804", "cpe": "cpe:/a:redhat:enterprise_linux:8", "impact": "moderate", "package": "libwacom-0:1.6-2.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2021-05-18T00:00:00Z"}, {"advisory": "RHSA-2021:1804", "cpe": "cpe:/a:redhat:enterprise_linux:8", "impact": "moderate", "package": "libX11-0:1.6.8-4.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2021-05-18T00:00:00Z"}, {"advisory": "RHSA-2021:1804", "cpe": "cpe:/a:redhat:enterprise_linux:8", "impact": "moderate", "package": "mesa-0:20.3.3-2.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2021-05-18T00:00:00Z"}, {"advisory": "RHSA-2021:1804", "cpe": "cpe:/a:redhat:enterprise_linux:8", "impact": "moderate", "package": "xorg-x11-drivers-0:7.7-30.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2021-05-18T00:00:00Z"}, {"advisory": "RHSA-2021:1804", "cpe": "cpe:/a:redhat:enterprise_linux:8", "impact": "moderate", "package": "xorg-x11-server-0:1.20.10-1.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2021-05-18T00:00:00Z"}], "bugzilla": {"description": "xorg-x11-server: XkbSelectEvents integer underflow privilege escalation vulnerability", "id": "1869142", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1869142"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.8", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-191", "details": ["A flaw was found in X.Org Server before xorg-x11-server 1.20.9. An Integer underflow leading to heap-buffer overflow may lead to a privilege escalation vulnerability. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.", "A flaw was found in X.Org Server. An Integer underflow leading to heap-buffer overflow may lead to a privilege escalation vulnerability. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability."], "name": "CVE-2020-14361", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:5", "fix_state": "Out of support scope", "package_name": "xorg-x11-server", "product_name": "Red Hat Enterprise Linux 5"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "xorg-x11-server", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2020-08-25T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2020-14361\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-14361\nhttps://lists.x.org/archives/xorg-announce/2020-August/003058.html"], "statement": "Xorg server does not run with root privileges in Red Hat Enterprise Linux 8, therefore this flaw has been rated as having moderate impact for Red Hat Enterprise linux 8.", "threat_severity": "Important", "upstream_fix": "xorg-x11-server 1.20.9"}