{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2021-4009", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "dateUpdated": "2024-08-03T17:16:03.422Z", "dateReserved": "2021-11-23T00:00:00", "datePublished": "2021-12-17T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2023-05-30T00:00:00"}, "descriptions": [{"lang": "en", "value": "A flaw was found in xorg-x11-server in versions before 21.1.2 and before 1.20.14. An out-of-bounds access can occur in the SProcXFixesCreatePointerBarrier function. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability."}], "affected": [{"vendor": "n/a", "product": "xorg-x11-server", "versions": [{"version": "xorg-x11-server 21.1.2, xorg-x11-server 1.20.14", "status": "affected"}]}], "references": [{"url": "https://lists.x.org/archives/xorg-announce/2021-December/003122.html"}, {"url": "https://lists.x.org/archives/xorg-announce/2021-December/003124.html"}, {"name": "FEDORA-2021-2eb603951b", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PDHYZM6FII35JA7J275MFCJO6ADJUPQX/"}, {"name": "FEDORA-2021-a7fd510294", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T57DCF726O5LLTST4NBL5PQ7DLPB46HT/"}, {"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-1548/"}, {"name": "DSA-5027", "tags": ["vendor-advisory"], "url": "https://www.debian.org/security/2021/dsa-5027"}, {"name": "[debian-lts-announce] 20211229 [SECURITY] [DLA 2869-1] xorg-server security update", "tags": ["mailing-list"], "url": "https://lists.debian.org/debian-lts-announce/2021/12/msg00035.html"}, {"name": "FEDORA-2021-69e96c8f68", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NKLSZCY47QK4RCJFXITYFALCGPJAFXOK/"}, {"name": "FEDORA-2021-664a6554a1", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NXTRPFEQLFZ6NT2LPLZEID664RGC3OCC/"}, {"url": "https://security.netapp.com/advisory/ntap-20220114-0004/"}, {"name": "GLSA-202305-30", "tags": ["vendor-advisory"], "url": "https://security.gentoo.org/glsa/202305-30"}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-119", "cweId": "CWE-119"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T17:16:03.422Z"}, "title": "CVE Program Container", "references": [{"url": "https://lists.x.org/archives/xorg-announce/2021-December/003122.html", "tags": ["x_transferred"]}, {"url": "https://lists.x.org/archives/xorg-announce/2021-December/003124.html", "tags": ["x_transferred"]}, {"name": "FEDORA-2021-2eb603951b", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PDHYZM6FII35JA7J275MFCJO6ADJUPQX/"}, {"name": "FEDORA-2021-a7fd510294", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T57DCF726O5LLTST4NBL5PQ7DLPB46HT/"}, {"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-1548/", "tags": ["x_transferred"]}, {"name": "DSA-5027", "tags": ["vendor-advisory", "x_transferred"], "url": "https://www.debian.org/security/2021/dsa-5027"}, {"name": "[debian-lts-announce] 20211229 [SECURITY] [DLA 2869-1] xorg-server security update", "tags": ["mailing-list", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2021/12/msg00035.html"}, {"name": "FEDORA-2021-69e96c8f68", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NKLSZCY47QK4RCJFXITYFALCGPJAFXOK/"}, {"name": "FEDORA-2021-664a6554a1", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NXTRPFEQLFZ6NT2LPLZEID664RGC3OCC/"}, {"url": "https://security.netapp.com/advisory/ntap-20220114-0004/", "tags": ["x_transferred"]}, {"name": "GLSA-202305-30", "tags": ["vendor-advisory", "x_transferred"], "url": "https://security.gentoo.org/glsa/202305-30"}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:x.org:x_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "096E7626-AD92-4BBB-A8A7-D227D878C93F", "versionEndExcluding": "1.20.14", "vulnerable": true}, {"criteria": "cpe:2.3:a:x.org:x_server:21.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "77BB2090-B22C-4CB2-B349-36DD0797E2DB", "vulnerable": true}, {"criteria": "cpe:2.3:a:x.org:x_server:21.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "032AE0F8-5B3D-4C79-ACDB-3553B02F50A4", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*", "matchCriteriaId": "A930E247-0B43-43CB-98FF-6CE7B8189835", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*", "matchCriteriaId": "80E516C0-98A4-4ADE-B69F-66A772E2BAAA", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*", "matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in xorg-x11-server in versions before 21.1.2 and before 1.20.14. An out-of-bounds access can occur in the SProcXFixesCreatePointerBarrier function. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability."}, {"lang": "es", "value": "Se ha encontrado un fallo en xorg-x11-server en versiones anteriores a 21.1.2 y anteriores a 1.20.14. Puede producirse un acceso fuera de l\u00edmites en la funci\u00f3n SProcXFixesCreatePointerBarrier. La mayor amenaza de esta vulnerabilidad es la confidencialidad e integridad de los datos, as\u00ed como la disponibilidad del sistema"}], "id": "CVE-2021-4009", "lastModified": "2023-11-07T03:40:05.827", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 7.2, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-12-17T17:15:13.417", "references": [{"source": "secalert@redhat.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2021/12/msg00035.html"}, {"source": "secalert@redhat.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NKLSZCY47QK4RCJFXITYFALCGPJAFXOK/"}, {"source": "secalert@redhat.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NXTRPFEQLFZ6NT2LPLZEID664RGC3OCC/"}, {"source": "secalert@redhat.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PDHYZM6FII35JA7J275MFCJO6ADJUPQX/"}, {"source": "secalert@redhat.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T57DCF726O5LLTST4NBL5PQ7DLPB46HT/"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://lists.x.org/archives/xorg-announce/2021-December/003122.html"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://lists.x.org/archives/xorg-announce/2021-December/003124.html"}, {"source": "secalert@redhat.com", "url": "https://security.gentoo.org/glsa/202305-30"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20220114-0004/"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2021/dsa-5027"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://www.zerodayinitiative.com/advisories/ZDI-21-1548/"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-119"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-119"}], "source": "secalert@redhat.com", "type": "Secondary"}]}

{"acknowledgement": "Red Hat would like to thank Jan-Niklas Sohn (Trend Micro Zero Day Initiative) for reporting this issue. Upstream acknowledges the Xorg project as the original reporter.", "affected_release": [{"advisory": "RHSA-2022:0003", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "xorg-x11-server-0:1.20.4-17.el7_9", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2022-01-03T00:00:00Z"}, {"advisory": "RHSA-2022:1917", "cpe": "cpe:/a:redhat:enterprise_linux:8", "impact": "moderate", "package": "xorg-x11-server-0:1.20.11-5.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2022-05-10T00:00:00Z"}, {"advisory": "RHSA-2022:1917", "cpe": "cpe:/a:redhat:enterprise_linux:8", "impact": "moderate", "package": "xorg-x11-server-Xwayland-0:21.1.3-2.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2022-05-10T00:00:00Z"}], "bugzilla": {"description": "xorg-x11-server: SProcXFixesCreatePointerBarrier out-of-bounds access", "id": "2026072", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2026072"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.8", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-119", "details": ["A flaw was found in xorg-x11-server in versions before 21.1.2 and before 1.20.14. An out-of-bounds access can occur in the SProcXFixesCreatePointerBarrier function. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.", "A flaw was found in xorg-x11-server. An out-of-bounds access can occur in the SProcXFixesCreatePointerBarrier function."], "name": "CVE-2021-4009", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "xorg-x11-server", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "xorg-x11-server", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "xorg-x11-server-Xwayland", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2021-12-14T12:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-4009\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-4009\nhttps://lists.x.org/archives/xorg-announce/2021-December/003122.html\nhttps://lists.x.org/archives/xorg-announce/2021-December/003124.html"], "statement": "Xorg server does not run with root privileges in Red Hat Enterprise Linux 8, therefore this flaw has been rated as having moderate impact.", "threat_severity": "Important", "upstream_fix": "xorg-x11-server 21.1.2, xorg-x11-server 1.20.14"}