rxvt 2.6.4 opens a terminal window on :0 if the DISPLAY environment variable is not set, which might allow local users to hijack X11 connections. NOTE: it was later reported that rxvt-unicode, mrxvt, aterm, multi-aterm, and wterm are also affected. NOTE: realistic attack scenarios require that the victim enters a command on the wrong machine.

No CVSS v3.1

No CVSS v3.0

Access Vector Local

Access Complexity High

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:L/AC:H/Au:N/C:P/I:P/A:P
Vendors Products
Multi-aterm
  • Multi-aterm
Eterm
  • Eterm
Rxvt
  • Rxvt
Wterm
  • Wterm
Aterm
  • Aterm
Mrxvt
  • Mrxvt
Rxvt-unicode
  • Rxvt-unicode

Configuration 1 [-]

OR cpe:2.3:a:aterm:aterm:*:*:*:*:*:*:*:*
cpe:2.3:a:aterm:aterm:0.1.0:*:*:*:*:*:*:*
cpe:2.3:a:aterm:aterm:0.1.1:*:*:*:*:*:*:*
cpe:2.3:a:aterm:aterm:0.2.0:*:*:*:*:*:*:*
cpe:2.3:a:aterm:aterm:0.3.0:*:*:*:*:*:*:*
cpe:2.3:a:aterm:aterm:0.3.1:*:*:*:*:*:*:*
cpe:2.3:a:aterm:aterm:0.3.2:*:*:*:*:*:*:*
cpe:2.3:a:aterm:aterm:0.3.3:*:*:*:*:*:*:*
cpe:2.3:a:aterm:aterm:0.3.4:*:*:*:*:*:*:*
cpe:2.3:a:aterm:aterm:0.3.5:*:*:*:*:*:*:*
cpe:2.3:a:aterm:aterm:0.3.6:*:*:*:*:*:*:*
cpe:2.3:a:aterm:aterm:0.4.0:*:*:*:*:*:*:*
cpe:2.3:a:aterm:aterm:0.4.1:*:*:*:*:*:*:*
cpe:2.3:a:aterm:aterm:0.4.2:*:*:*:*:*:*:*
cpe:2.3:a:aterm:aterm:1.00:beta1:*:*:*:*:*:*
cpe:2.3:a:aterm:aterm:1.00:beta2:*:*:*:*:*:*
cpe:2.3:a:aterm:aterm:1.00:beta3:*:*:*:*:*:*
cpe:2.3:a:aterm:aterm:1.00:beta4:*:*:*:*:*:*
cpe:2.3:a:eterm:eterm:*:*:*:*:*:*:*:*
cpe:2.3:a:eterm:eterm:0.9.2:*:*:*:*:*:*:*
cpe:2.3:a:mrxvt:mrxvt:*:*:*:*:*:*:*:*
cpe:2.3:a:mrxvt:mrxvt:0.4.2:*:*:*:*:*:*:*
cpe:2.3:a:multi-aterm:multi-aterm:*:*:*:*:*:*:*:*
cpe:2.3:a:multi-aterm:multi-aterm:0.0.1:*:*:*:*:*:*:*
cpe:2.3:a:multi-aterm:multi-aterm:0.0.3:*:*:*:*:*:*:*
cpe:2.3:a:multi-aterm:multi-aterm:0.0.4:*:*:*:*:*:*:*
cpe:2.3:a:multi-aterm:multi-aterm:0.0.5:*:*:*:*:*:*:*
cpe:2.3:a:multi-aterm:multi-aterm:0.1:*:*:*:*:*:*:*
cpe:2.3:a:rxvt:rxvt:*:*:*:*:*:*:*:*
cpe:2.3:a:rxvt:rxvt:2.6.1:*:*:*:*:*:*:*
cpe:2.3:a:rxvt:rxvt:2.6.2:*:*:*:*:*:*:*
cpe:2.3:a:rxvt:rxvt:2.6.3:*:*:*:*:*:*:*
cpe:2.3:a:rxvt:rxvt:2.6.4:*:*:*:*:*:*:*
cpe:2.3:a:rxvt:rxvt:2.7.5:*:*:*:*:*:*:*
cpe:2.3:a:rxvt:rxvt:2.7.6:*:*:*:*:*:*:*
cpe:2.3:a:rxvt:rxvt:2.7.7:*:*:*:*:*:*:*
cpe:2.3:a:rxvt:rxvt:2.7.8:*:*:*:*:*:*:*
cpe:2.3:a:rxvt-unicode:rxvt-unicode:*:*:*:*:*:*:*:*
cpe:2.3:a:rxvt-unicode:rxvt-unicode:1.0:*:*:*:*:*:*:*
cpe:2.3:a:rxvt-unicode:rxvt-unicode:1.1:*:*:*:*:*:*:*
cpe:2.3:a:rxvt-unicode:rxvt-unicode:1.2:*:*:*:*:*:*:*
cpe:2.3:a:rxvt-unicode:rxvt-unicode:1.3:*:*:*:*:*:*:*
cpe:2.3:a:rxvt-unicode:rxvt-unicode:1.4:*:*:*:*:*:*:*
cpe:2.3:a:rxvt-unicode:rxvt-unicode:1.5:*:*:*:*:*:*:*
cpe:2.3:a:rxvt-unicode:rxvt-unicode:1.6:*:*:*:*:*:*:*
cpe:2.3:a:rxvt-unicode:rxvt-unicode:1.7:*:*:*:*:*:*:*
cpe:2.3:a:rxvt-unicode:rxvt-unicode:1.8:*:*:*:*:*:*:*
cpe:2.3:a:rxvt-unicode:rxvt-unicode:1.9:*:*:*:*:*:*:*
cpe:2.3:a:rxvt-unicode:rxvt-unicode:1.91:*:*:*:*:*:*:*
cpe:2.3:a:rxvt-unicode:rxvt-unicode:2.0:*:*:*:*:*:*:*
cpe:2.3:a:rxvt-unicode:rxvt-unicode:2.1:*:*:*:*:*:*:*
cpe:2.3:a:rxvt-unicode:rxvt-unicode:2.2:*:*:*:*:*:*:*
cpe:2.3:a:rxvt-unicode:rxvt-unicode:2.3:*:*:*:*:*:*:*
cpe:2.3:a:rxvt-unicode:rxvt-unicode:2.4:*:*:*:*:*:*:*
cpe:2.3:a:rxvt-unicode:rxvt-unicode:2.5:*:*:*:*:*:*:*
cpe:2.3:a:rxvt-unicode:rxvt-unicode:2.6:*:*:*:*:*:*:*
cpe:2.3:a:rxvt-unicode:rxvt-unicode:2.7:*:*:*:*:*:*:*
cpe:2.3:a:rxvt-unicode:rxvt-unicode:2.8:*:*:*:*:*:*:*
cpe:2.3:a:rxvt-unicode:rxvt-unicode:2.9:*:*:*:*:*:*:*
cpe:2.3:a:rxvt-unicode:rxvt-unicode:3.0:*:*:*:*:*:*:*
cpe:2.3:a:rxvt-unicode:rxvt-unicode:3.1:*:*:*:*:*:*:*
cpe:2.3:a:rxvt-unicode:rxvt-unicode:3.2:*:*:*:*:*:*:*
cpe:2.3:a:rxvt-unicode:rxvt-unicode:3.3:*:*:*:*:*:*:*
cpe:2.3:a:rxvt-unicode:rxvt-unicode:3.4:*:*:*:*:*:*:*
cpe:2.3:a:rxvt-unicode:rxvt-unicode:3.5:*:*:*:*:*:*:*
cpe:2.3:a:rxvt-unicode:rxvt-unicode:3.6:*:*:*:*:*:*:*
cpe:2.3:a:rxvt-unicode:rxvt-unicode:3.7:*:*:*:*:*:*:*
cpe:2.3:a:rxvt-unicode:rxvt-unicode:3.8:*:*:*:*:*:*:*
cpe:2.3:a:rxvt-unicode:rxvt-unicode:3.9:*:*:*:*:*:*:*
cpe:2.3:a:rxvt-unicode:rxvt-unicode:4.0:*:*:*:*:*:*:*
cpe:2.3:a:rxvt-unicode:rxvt-unicode:4.1:*:*:*:*:*:*:*
cpe:2.3:a:rxvt-unicode:rxvt-unicode:4.2:*:*:*:*:*:*:*
cpe:2.3:a:rxvt-unicode:rxvt-unicode:4.3:*:*:*:*:*:*:*
cpe:2.3:a:rxvt-unicode:rxvt-unicode:4.4:*:*:*:*:*:*:*
cpe:2.3:a:rxvt-unicode:rxvt-unicode:4.5:*:*:*:*:*:*:*
cpe:2.3:a:rxvt-unicode:rxvt-unicode:4.6:*:*:*:*:*:*:*
cpe:2.3:a:rxvt-unicode:rxvt-unicode:4.7:*:*:*:*:*:*:*
cpe:2.3:a:rxvt-unicode:rxvt-unicode:4.8:*:*:*:*:*:*:*
cpe:2.3:a:rxvt-unicode:rxvt-unicode:4.9:*:*:*:*:*:*:*
cpe:2.3:a:rxvt-unicode:rxvt-unicode:5.0:*:*:*:*:*:*:*
cpe:2.3:a:rxvt-unicode:rxvt-unicode:5.1:*:*:*:*:*:*:*
cpe:2.3:a:rxvt-unicode:rxvt-unicode:5.2:*:*:*:*:*:*:*
cpe:2.3:a:rxvt-unicode:rxvt-unicode:5.3:*:*:*:*:*:*:*
cpe:2.3:a:rxvt-unicode:rxvt-unicode:5.4:*:*:*:*:*:*:*
cpe:2.3:a:rxvt-unicode:rxvt-unicode:5.5:*:*:*:*:*:*:*
cpe:2.3:a:rxvt-unicode:rxvt-unicode:5.6:*:*:*:*:*:*:*
cpe:2.3:a:rxvt-unicode:rxvt-unicode:5.7:*:*:*:*:*:*:*
cpe:2.3:a:rxvt-unicode:rxvt-unicode:5.8:*:*:*:*:*:*:*
cpe:2.3:a:rxvt-unicode:rxvt-unicode:5.9:*:*:*:*:*:*:*
cpe:2.3:a:rxvt-unicode:rxvt-unicode:6.0:*:*:*:*:*:*:*
cpe:2.3:a:rxvt-unicode:rxvt-unicode:6.1:*:*:*:*:*:*:*
cpe:2.3:a:rxvt-unicode:rxvt-unicode:6.2:*:*:*:*:*:*:*
cpe:2.3:a:rxvt-unicode:rxvt-unicode:6.3:*:*:*:*:*:*:*
cpe:2.3:a:rxvt-unicode:rxvt-unicode:7.0:*:*:*:*:*:*:*
cpe:2.3:a:rxvt-unicode:rxvt-unicode:7.1:*:*:*:*:*:*:*
cpe:2.3:a:rxvt-unicode:rxvt-unicode:7.2:*:*:*:*:*:*:*
cpe:2.3:a:rxvt-unicode:rxvt-unicode:7.3:*:*:*:*:*:*:*
cpe:2.3:a:rxvt-unicode:rxvt-unicode:7.4:*:*:*:*:*:*:*
cpe:2.3:a:rxvt-unicode:rxvt-unicode:7.5:*:*:*:*:*:*:*
cpe:2.3:a:rxvt-unicode:rxvt-unicode:7.6:*:*:*:*:*:*:*
cpe:2.3:a:rxvt-unicode:rxvt-unicode:7.7:*:*:*:*:*:*:*
cpe:2.3:a:rxvt-unicode:rxvt-unicode:7.8:*:*:*:*:*:*:*
cpe:2.3:a:rxvt-unicode:rxvt-unicode:7.9:*:*:*:*:*:*:*
cpe:2.3:a:rxvt-unicode:rxvt-unicode:8.0:*:*:*:*:*:*:*
cpe:2.3:a:rxvt-unicode:rxvt-unicode:8.1:*:*:*:*:*:*:*
cpe:2.3:a:rxvt-unicode:rxvt-unicode:8.2:*:*:*:*:*:*:*
cpe:2.3:a:rxvt-unicode:rxvt-unicode:8.3:*:*:*:*:*:*:*
cpe:2.3:a:rxvt-unicode:rxvt-unicode:8.4:*:*:*:*:*:*:*
cpe:2.3:a:rxvt-unicode:rxvt-unicode:8.5:*:*:*:*:*:*:*
cpe:2.3:a:rxvt-unicode:rxvt-unicode:8.5a:*:*:*:*:*:*:*
cpe:2.3:a:rxvt-unicode:rxvt-unicode:8.6:*:*:*:*:*:*:*
cpe:2.3:a:rxvt-unicode:rxvt-unicode:8.7:*:*:*:*:*:*:*
cpe:2.3:a:rxvt-unicode:rxvt-unicode:8.8:*:*:*:*:*:*:*
cpe:2.3:a:rxvt-unicode:rxvt-unicode:8.9:*:*:*:*:*:*:*
cpe:2.3:a:rxvt-unicode:rxvt-unicode:9.0:*:*:*:*:*:*:*
cpe:2.3:a:wterm:wterm:*:*:*:*:*:*:*:*
cpe:2.3:a:wterm:wterm:6.2.5:*:*:*:*:*:*:*
cpe:2.3:a:wterm:wterm:6.2.6:*:*:*:*:*:*:*
References
Link Resource
http://article.gmane.org/gmane.comp.security.oss.general/122
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=469296 Vendor Advisory
http://lists.opensuse.org/opensuse-security-announce/2008-08/msg00006.html
http://secunia.com/advisories/29576 Vendor Advisory
http://secunia.com/advisories/30224 Vendor Advisory
http://secunia.com/advisories/30225 Vendor Advisory
http://secunia.com/advisories/30226 Vendor Advisory
http://secunia.com/advisories/30227 Vendor Advisory
http://secunia.com/advisories/30229 Vendor Advisory
http://secunia.com/advisories/31687 Vendor Advisory
http://security.gentoo.org/glsa/glsa-200805-03.xml
http://www.mandriva.com/security/advisories?name=MDVSA-2008:161
http://www.mandriva.com/security/advisories?name=MDVSA-2008:221
http://www.securityfocus.com/bid/28512 Patch
History

No history.

cve-icon MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2008-04-07T17:00:00

Updated: 2008-05-13T09:00:00

Reserved: 2008-03-04T00:00:00

Link: CVE-2008-1142

JSON object: View

cve-icon NVD Information

Status : Analyzed

Published: 2008-04-07T17:44:00.000

Modified: 2009-02-26T05:00:00.000

Link: CVE-2008-1142

JSON object: View

cve-icon Redhat Information

No data.

CWE