CVE-2006-7236 - The default configuration of xterm on Debian GNU/Linux sid and possibly Ubuntu enables the allowWind

CVE-2006-7236

Summary

The default configuration of xterm on Debian GNU/Linux sid and possibly Ubuntu enables the allowWindowOps resource, which allows user-assisted attackers to execute arbitrary code or have unspecified other impact via escape sequences.

References

Vulnerable Configurations

cpe:2.3:a:invisible-island:xterm:_nil_:*:*:*:*:*:*:*
cpe:2.3:a:invisible-island:xterm:_nil_:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:*:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:*:*:*:*:*:*:*:*
cpe:2.3:o:ubuntu:linux:*:*:*:*:*:*:*:*
cpe:2.3:o:ubuntu:linux:*:*:*:*:*:*:*:*

CVSS

Base:	9.3 (as of 03-10-2018 - 21:45)
Impact:
Exploitability:

CWE

CWE-16

CAPEC

Access

Vector	Complexity	Authentication
NETWORK	MEDIUM	NONE

Impact

Confidentiality	Integrity	Availability
COMPLETE	COMPLETE	COMPLETE

cvss-vector via4

AV:N/AC:M/Au:N/C:C/I:C/A:C

refmap via4

confirm	http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=384593 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=510030
secunia	33388
ubuntu	USN-703-1

statements via4

contributor	Tomas Hoger
lastmodified	2009-01-21
organization	Red Hat
statement	Not vulnerable. This issue did not affect the versions of the xterm package, as shipped with Red Hat Enterprise Linux 3, 4, and 5, and the version of the XFree86 (providing xterm) and hanterm-xf packages, as shipped with Red Hat Enterprise Linux 2.1.

Last major update

03-10-2018 - 21:45

Published

02-01-2009 - 18:11

Last modified

03-10-2018 - 21:45