Description
The authentication setup in XWayland 1.16.x and 1.17.x before 1.17.2 starts the server in non-authenticating mode, which allows local users to read from or send information to arbitrary X11 clients via vectors involving a UNIX socket.
References (4)
Core 4
Core References
Vendor Advisory mailing-list
x_refsource_mlist
http://lists.freedesktop.org/archives/wayland-devel/2015-June/022548.html
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/75535
Third Party Advisory vendor-advisory
x_refsource_gentoo
https://security.gentoo.org/glsa/201701-64
Mailing List vendor-advisory
x_refsource_suse
http://lists.opensuse.org/opensuse-updates/2015-06/msg00044.html
Scores
EPSS
0.0006
EPSS Percentile
20.2%
Details
CWE
CWE-264
Status
published
Products (12)
opensuse/opensuse
13.2
x.org/x_server
1.16.0
x.org/x_server
1.16.1
x.org/x_server
1.16.1.901
x.org/x_server
1.16.2
x.org/x_server
1.16.2.901
x.org/x_server
1.16.3
x.org/x_server
1.17.0
x.org/xorg-server
1.16.4
x.org/xorg-server
1.16.99.901
... and 2 more
Published
Jul 01, 2015
Tracked Since
Feb 18, 2026