7.2 High
CVSS2
Attack Vector
LOCAL
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:L/AC:L/Au:N/C:C/I:C/A:C
6.6 Medium
CVSS3
Attack Vector
PHYSICAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
0.041 Low
EPSS
Percentile
92.2%
Severity: High
Date : 2018-10-29
CVE-ID : CVE-2018-14665
Package : xorg-server
Type : privilege escalation
Remote : Yes
Link : https://security.archlinux.org/AVG-788
The package xorg-server before version 1.20.3-1 is vulnerable to
privilege escalation.
Upgrade to 1.20.3-1.
The problem has been fixed upstream in version 1.20.3.
None.
Incorrect command-line parameter validation in the Xorg X server can
lead to privilege elevation and/or arbitrary files overwrite, when the
X server is installed with the setuid bit set and unprivileged users
have the ability to log in to the system via physical console.
The -modulepath argument can be used to specify an insecure path to
modules that are going to be loaded in the X server, allowing to
execute unprivileged code in the privileged process.
The -logfile argument can be used to overwrite arbitrary files in the
file system, due to incorrect checks in the parsing of the option.
A local attacker can elevate privileges to root by passing crafted
parameters to the Xorg X server.
https://gitlab.freedesktop.org/xorg/xserver/commit/50c0cf885a6e91c0ea71fb49fa8f1b7c86fe330e
https://gitlab.freedesktop.org/xorg/xserver/commit/032b1d79b7
https://www.openwall.com/lists/oss-security/2018/10/25/1
https://security.archlinux.org/CVE-2018-14665
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
ArchLinux | any | any | xorg-server | < 1.20.3-1 | UNKNOWN |
7.2 High
CVSS2
Attack Vector
LOCAL
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:L/AC:L/Au:N/C:C/I:C/A:C
6.6 Medium
CVSS3
Attack Vector
PHYSICAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
0.041 Low
EPSS
Percentile
92.2%