Vulnerability Name:

CVE-2003-1294 (CCN-13904)

Assigned:2003-11-28
Published:2003-11-28
Updated:2017-10-11
Summary:Xscreensaver before 4.15 creates temporary files insecurely in (1) driver/passwd-kerberos.c, (2) driver/xscreensaver-getimage-video, (3) driver/xscreensaver.kss.in, and the (4) vidwhacker and (5) webcollage screensavers, which allows local users to overwrite arbitrary files via a symlink attack.
CVSS v3 Severity:4.0 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
Exploitability Metrics:Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): Low
Availibility (A): None
CVSS v2 Severity:2.1 Low (CVSS v2 Vector: AV:L/AC:L/Au:N/C:N/I:P/A:N)
Exploitability Metrics:Access Vector (AV): Local
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): Partial
Availibility (A): None
2.1 Low (CCN CVSS v2 Vector: AV:L/AC:L/Au:N/C:N/I:P/A:N)
Exploitability Metrics:Access Vector (AV): Local
Access Complexity (AC): Low
Athentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): Partial
Availibility (A): None
Vulnerability Type:CWE-Other
Vulnerability Consequences:File Manipulation
References:Source: SGI
Type: UNKNOWN
20060602-01-U

Source: MITRE
Type: CNA
CVE-2003-1294

Source: MISC
Type: UNKNOWN
http://jwz.livejournal.com/310943.html

Source: CCN
Type: RHSA-2006-0498
xscreensaver security update

Source: CCN
Type: SA20224
XScreenSaver Insecure Temporary File Creation Vulnerability

Source: SECUNIA
Type: UNKNOWN
20224

Source: SECUNIA
Type: UNKNOWN
20226

Source: CCN
Type: SA20456
Avaya Products XScreenSaver Insecure Temporary File Creation Vulnerability

Source: SECUNIA
Type: UNKNOWN
20456

Source: SECUNIA
Type: UNKNOWN
20782

Source: CONFIRM
Type: UNKNOWN
http://support.avaya.com/elmodocs2/security/ASA-2006-107.htm

Source: CCN
Type: ASA-2006-107
xscreensaver security update (RHSA-2006-0498)

Source: CCN
Type: XScreenSaver Web page
XScreenSaver

Source: CONFIRM
Type: UNKNOWN
http://www.novell.com/linux/download/updates/90_i386.html

Source: REDHAT
Type: UNKNOWN
RHSA-2006:0498

Source: BID
Type: UNKNOWN
9125

Source: CCN
Type: BID-9125
SuSE XScreenSaver Package Multiple Vulnerabilities

Source: VUPEN
Type: UNKNOWN
ADV-2006-1948

Source: CONFIRM
Type: UNKNOWN
https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=124968

Source: CCN
Type: Red Hat Bugzilla Bug 182286
CVE-2003-1294 xscreensaver temporary file flaws

Source: CONFIRM
Type: UNKNOWN
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=182286

Source: XF
Type: UNKNOWN
xscreensaver-tmpfile-insecure(13904)

Source: OVAL
Type: UNKNOWN
oval:org.mitre.oval:def:10848

Vulnerable Configuration:Configuration 1:
  • cpe:/a:xscreensaver:xscreensaver:4.05_5cl:*:*:*:*:*:*:*
  • OR cpe:/a:xscreensaver:xscreensaver:4.05_6:*:*:*:*:*:*:*
  • OR cpe:/a:xscreensaver:xscreensaver:4.05_6a:*:*:*:*:*:*:*
  • OR cpe:/a:xscreensaver:xscreensaver:4.05_150:*:*:*:*:*:*:*
  • OR cpe:/a:xscreensaver:xscreensaver:4.07_2:*:*:*:*:*:*:*
  • OR cpe:/a:xscreensaver:xscreensaver:4.08_29135cl:*:*:*:*:*:*:*
  • OR cpe:/a:xscreensaver:xscreensaver:4.09_0:*:*:*:*:*:*:*
  • OR cpe:/a:xscreensaver:xscreensaver:4.10_4:*:*:*:*:*:*:*
  • OR cpe:/a:xscreensaver:xscreensaver:4.10_6:*:*:*:*:*:*:*
  • OR cpe:/a:xscreensaver:xscreensaver:4.10_8:*:*:*:*:*:*:*
  • OR cpe:/a:xscreensaver:xscreensaver:4.10_15:*:*:*:*:*:*:*
  • OR cpe:/a:xscreensaver:xscreensaver:4.11_0:*:*:*:*:*:*:*
  • OR cpe:/a:xscreensaver:xscreensaver:4.12_58:*:*:*:*:*:*:*
  • OR cpe:/a:xscreensaver:xscreensaver:4.12_62:*:*:*:*:*:*:*
  • OR cpe:/a:xscreensaver:xscreensaver:4.14_0:*:*:*:*:*:*:*
  • OR cpe:/a:xscreensaver:xscreensaver:4.14_2:*:*:*:*:*:*:*
  • OR cpe:/a:xscreensaver:xscreensaver:4.14_4:*:*:*:*:*:*:*
  • OR cpe:/a:xscreensaver:xscreensaver:4.14_5:*:*:*:*:*:*:*

  • Configuration RedHat 1:
  • cpe:/o:redhat:enterprise_linux:3:*:*:*:*:*:*:*

  • Configuration RedHat 2:
  • cpe:/o:redhat:enterprise_linux:3::ws:*:*:*:*:*

  • Configuration RedHat 3:
  • cpe:/o:redhat:enterprise_linux:3::es:*:*:*:*:*

  • Configuration RedHat 4:
  • cpe:/o:redhat:enterprise_linux:3::as:*:*:*:*:*

  • Configuration RedHat 5:
  • cpe:/o:redhat:enterprise_linux:3::desktop:*:*:*:*:*

  • * Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:org.mitre.oval:def:10848
    V
    Xscreensaver before 4.15 creates temporary files insecurely in (1) driver/passwd-kerberos.c, (2) driver/xscreensaver-getimage-video, (3) driver/xscreensaver.kss.in, and the (4) vidwhacker and (5) webcollage screensavers, which allows local users to overwrite arbitrary files via a symlink attack.
    2013-04-29
    oval:com.redhat.rhsa:def:20060498
    P
    RHSA-2006:0498: xscreensaver security update (Moderate)
    2008-03-20
    BACK
    xscreensaver xscreensaver 4.05_5cl
    xscreensaver xscreensaver 4.05_6
    xscreensaver xscreensaver 4.05_6a
    xscreensaver xscreensaver 4.05_150
    xscreensaver xscreensaver 4.07_2
    xscreensaver xscreensaver 4.08_29135cl
    xscreensaver xscreensaver 4.09_0
    xscreensaver xscreensaver 4.10_4
    xscreensaver xscreensaver 4.10_6
    xscreensaver xscreensaver 4.10_8
    xscreensaver xscreensaver 4.10_15
    xscreensaver xscreensaver 4.11_0
    xscreensaver xscreensaver 4.12_58
    xscreensaver xscreensaver 4.12_62
    xscreensaver xscreensaver 4.14_0
    xscreensaver xscreensaver 4.14_2
    xscreensaver xscreensaver 4.14_4
    xscreensaver xscreensaver 4.14_5