CVE-2008-1142
Summary
| CVE | CVE-2008-1142 |
|---|---|
| State | PUBLISHED |
| Assigner | mitre |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2008-04-07 17:44:00 UTC |
| Updated | 2026-04-23 00:35:47 UTC |
| Description | rxvt 2.6.4 opens a terminal window on :0 if the DISPLAY environment variable is not set, which might allow local users to hijack X11 connections. NOTE: it was later reported that rxvt-unicode, mrxvt, aterm, multi-aterm, and wterm are also affected. NOTE: realistic attack scenarios require that the victim enters a command on the wrong machine. |
Risk And Classification
CVSS v2.0 Breakdown
| Metric | Value |
|---|---|
| Access Vector | Local |
| Access Complexity | High |
| Authentication | None |
| Confidentiality | Partial |
| Integrity | Partial |
| Availability | Partial |
| Vector | AV:L/AC:H/Au:N/C:P/I:P/A:P |
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Aterm | Aterm | 0.1.0 | All | All | All |
| Application | Aterm | Aterm | 0.1.1 | All | All | All |
| Application | Aterm | Aterm | 0.2.0 | All | All | All |
| Application | Aterm | Aterm | 0.3.0 | All | All | All |
| Application | Aterm | Aterm | 0.3.1 | All | All | All |
| Application | Aterm | Aterm | 0.3.2 | All | All | All |
| Application | Aterm | Aterm | 0.3.3 | All | All | All |
| Application | Aterm | Aterm | 0.3.4 | All | All | All |
| Application | Aterm | Aterm | 0.3.5 | All | All | All |
| Application | Aterm | Aterm | 0.3.6 | All | All | All |
| Application | Aterm | Aterm | 0.4.0 | All | All | All |
| Application | Aterm | Aterm | 0.4.1 | All | All | All |
| Application | Aterm | Aterm | 0.4.2 | All | All | All |
| Application | Aterm | Aterm | 1.00 | beta1 | All | All |
| Application | Aterm | Aterm | 1.00 | beta2 | All | All |
| Application | Aterm | Aterm | 1.00 | beta3 | All | All |
| Application | Aterm | Aterm | 1.00 | beta4 | All | All |
| Application | Aterm | Aterm | All | All | All | All |
| Application | Eterm | Eterm | 0.9.2 | All | All | All |
| Application | Eterm | Eterm | All | All | All | All |
| Application | Mrxvt | Mrxvt | 0.4.2 | All | All | All |
| Application | Mrxvt | Mrxvt | All | All | All | All |
| Application | Multi-aterm | Multi-aterm | 0.0.1 | All | All | All |
| Application | Multi-aterm | Multi-aterm | 0.0.3 | All | All | All |
| Application | Multi-aterm | Multi-aterm | 0.0.4 | All | All | All |
| Application | Multi-aterm | Multi-aterm | 0.0.5 | All | All | All |
| Application | Multi-aterm | Multi-aterm | 0.1 | All | All | All |
| Application | Multi-aterm | Multi-aterm | All | All | All | All |
| Application | Rxvt | Rxvt | 2.6.1 | All | All | All |
| Application | Rxvt | Rxvt | 2.6.2 | All | All | All |
| Application | Rxvt | Rxvt | 2.6.3 | All | All | All |
| Application | Rxvt | Rxvt | 2.6.4 | All | All | All |
| Application | Rxvt | Rxvt | 2.7.5 | All | All | All |
| Application | Rxvt | Rxvt | 2.7.6 | All | All | All |
| Application | Rxvt | Rxvt | 2.7.7 | All | All | All |
| Application | Rxvt | Rxvt | 2.7.8 | All | All | All |
| Application | Rxvt | Rxvt | All | All | All | All |
| Application | Rxvt-unicode | Rxvt-unicode | 1.0 | All | All | All |
| Application | Rxvt-unicode | Rxvt-unicode | 1.1 | All | All | All |
| Application | Rxvt-unicode | Rxvt-unicode | 1.2 | All | All | All |
| Application | Rxvt-unicode | Rxvt-unicode | 1.3 | All | All | All |
| Application | Rxvt-unicode | Rxvt-unicode | 1.4 | All | All | All |
| Application | Rxvt-unicode | Rxvt-unicode | 1.5 | All | All | All |
| Application | Rxvt-unicode | Rxvt-unicode | 1.6 | All | All | All |
| Application | Rxvt-unicode | Rxvt-unicode | 1.7 | All | All | All |
| Application | Rxvt-unicode | Rxvt-unicode | 1.8 | All | All | All |
| Application | Rxvt-unicode | Rxvt-unicode | 1.9 | All | All | All |
| Application | Rxvt-unicode | Rxvt-unicode | 1.91 | All | All | All |
| Application | Rxvt-unicode | Rxvt-unicode | 2.0 | All | All | All |
| Application | Rxvt-unicode | Rxvt-unicode | 2.1 | All | All | All |
| Application | Rxvt-unicode | Rxvt-unicode | 2.2 | All | All | All |
| Application | Rxvt-unicode | Rxvt-unicode | 2.3 | All | All | All |
| Application | Rxvt-unicode | Rxvt-unicode | 2.4 | All | All | All |
| Application | Rxvt-unicode | Rxvt-unicode | 2.5 | All | All | All |
| Application | Rxvt-unicode | Rxvt-unicode | 2.6 | All | All | All |
| Application | Rxvt-unicode | Rxvt-unicode | 2.7 | All | All | All |
| Application | Rxvt-unicode | Rxvt-unicode | 2.8 | All | All | All |
| Application | Rxvt-unicode | Rxvt-unicode | 2.9 | All | All | All |
| Application | Rxvt-unicode | Rxvt-unicode | 3.0 | All | All | All |
| Application | Rxvt-unicode | Rxvt-unicode | 3.1 | All | All | All |
| Application | Rxvt-unicode | Rxvt-unicode | 3.2 | All | All | All |
| Application | Rxvt-unicode | Rxvt-unicode | 3.3 | All | All | All |
| Application | Rxvt-unicode | Rxvt-unicode | 3.4 | All | All | All |
| Application | Rxvt-unicode | Rxvt-unicode | 3.5 | All | All | All |
| Application | Rxvt-unicode | Rxvt-unicode | 3.6 | All | All | All |
| Application | Rxvt-unicode | Rxvt-unicode | 3.7 | All | All | All |
| Application | Rxvt-unicode | Rxvt-unicode | 3.8 | All | All | All |
| Application | Rxvt-unicode | Rxvt-unicode | 3.9 | All | All | All |
| Application | Rxvt-unicode | Rxvt-unicode | 4.0 | All | All | All |
| Application | Rxvt-unicode | Rxvt-unicode | 4.1 | All | All | All |
| Application | Rxvt-unicode | Rxvt-unicode | 4.2 | All | All | All |
| Application | Rxvt-unicode | Rxvt-unicode | 4.3 | All | All | All |
| Application | Rxvt-unicode | Rxvt-unicode | 4.4 | All | All | All |
| Application | Rxvt-unicode | Rxvt-unicode | 4.5 | All | All | All |
| Application | Rxvt-unicode | Rxvt-unicode | 4.6 | All | All | All |
| Application | Rxvt-unicode | Rxvt-unicode | 4.7 | All | All | All |
| Application | Rxvt-unicode | Rxvt-unicode | 4.8 | All | All | All |
| Application | Rxvt-unicode | Rxvt-unicode | 4.9 | All | All | All |
| Application | Rxvt-unicode | Rxvt-unicode | 5.0 | All | All | All |
| Application | Rxvt-unicode | Rxvt-unicode | 5.1 | All | All | All |
| Application | Rxvt-unicode | Rxvt-unicode | 5.2 | All | All | All |
| Application | Rxvt-unicode | Rxvt-unicode | 5.3 | All | All | All |
| Application | Rxvt-unicode | Rxvt-unicode | 5.4 | All | All | All |
| Application | Rxvt-unicode | Rxvt-unicode | 5.5 | All | All | All |
| Application | Rxvt-unicode | Rxvt-unicode | 5.6 | All | All | All |
| Application | Rxvt-unicode | Rxvt-unicode | 5.7 | All | All | All |
| Application | Rxvt-unicode | Rxvt-unicode | 5.8 | All | All | All |
| Application | Rxvt-unicode | Rxvt-unicode | 5.9 | All | All | All |
| Application | Rxvt-unicode | Rxvt-unicode | 6.0 | All | All | All |
| Application | Rxvt-unicode | Rxvt-unicode | 6.1 | All | All | All |
| Application | Rxvt-unicode | Rxvt-unicode | 6.2 | All | All | All |
| Application | Rxvt-unicode | Rxvt-unicode | 6.3 | All | All | All |
| Application | Rxvt-unicode | Rxvt-unicode | 7.0 | All | All | All |
| Application | Rxvt-unicode | Rxvt-unicode | 7.1 | All | All | All |
| Application | Rxvt-unicode | Rxvt-unicode | 7.2 | All | All | All |
| Application | Rxvt-unicode | Rxvt-unicode | 7.3 | All | All | All |
| Application | Rxvt-unicode | Rxvt-unicode | 7.4 | All | All | All |
| Application | Rxvt-unicode | Rxvt-unicode | 7.5 | All | All | All |
| Application | Rxvt-unicode | Rxvt-unicode | 7.6 | All | All | All |
| Application | Rxvt-unicode | Rxvt-unicode | 7.7 | All | All | All |
| Application | Rxvt-unicode | Rxvt-unicode | 7.8 | All | All | All |
| Application | Rxvt-unicode | Rxvt-unicode | 7.9 | All | All | All |
| Application | Rxvt-unicode | Rxvt-unicode | 8.0 | All | All | All |
| Application | Rxvt-unicode | Rxvt-unicode | 8.1 | All | All | All |
| Application | Rxvt-unicode | Rxvt-unicode | 8.2 | All | All | All |
| Application | Rxvt-unicode | Rxvt-unicode | 8.3 | All | All | All |
| Application | Rxvt-unicode | Rxvt-unicode | 8.4 | All | All | All |
| Application | Rxvt-unicode | Rxvt-unicode | 8.5 | All | All | All |
| Application | Rxvt-unicode | Rxvt-unicode | 8.5a | All | All | All |
| Application | Rxvt-unicode | Rxvt-unicode | 8.6 | All | All | All |
| Application | Rxvt-unicode | Rxvt-unicode | 8.7 | All | All | All |
| Application | Rxvt-unicode | Rxvt-unicode | 8.8 | All | All | All |
| Application | Rxvt-unicode | Rxvt-unicode | 8.9 | All | All | All |
| Application | Rxvt-unicode | Rxvt-unicode | 9.0 | All | All | All |
| Application | Rxvt-unicode | Rxvt-unicode | All | All | All | All |
| Application | Wterm | Wterm | 6.2.5 | All | All | All |
| Application | Wterm | Wterm | 6.2.6 | All | All | All |
| Application | Wterm | Wterm | All | All | All | All |
Vendor Declared Affected Products
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Support / Security / Advisories / / MDVSA-2008:161 \| Mandriva | af854a3a-2127-422b-91ae-364da2661108 | www.mandriva.com | |
| #469296 - rxvt: [SECURITY] opens terminal on unspecified display - Debian Bug report logs | af854a3a-2127-422b-91ae-364da2661108 | bugs.debian.org | Vendor Advisory |
| SUSE Update for Multiple Packages - Secunia Advisories - Vulnerability Intelligence - Secunia.com | af854a3a-2127-422b-91ae-364da2661108 | secunia.com | Vendor Advisory |
| [security-announce] SUSE Security Summary Report SUSE-SR:2008:017 | af854a3a-2127-422b-91ae-364da2661108 | lists.opensuse.org | |
| rxvt-unicode X11 Display Security Issue - Advisories - Secunia | af854a3a-2127-422b-91ae-364da2661108 | secunia.com | Vendor Advisory |
| Multiple X11 Terminals Missing DISPLAY Variable Local Arbitrary Command Execution Vulnerability | af854a3a-2127-422b-91ae-364da2661108 | www.securityfocus.com | Patch |
| mrxvt X11 Display Security Issue - Advisories - Secunia | af854a3a-2127-422b-91ae-364da2661108 | secunia.com | Vendor Advisory |
| Support / Security / Advisories / / MDVSA-2008:221 \| Mandriva | af854a3a-2127-422b-91ae-364da2661108 | www.mandriva.com | |
| Multiple X11 terminals: Local privilege escalation — Gentoo Linux Documentation | af854a3a-2127-422b-91ae-364da2661108 | security.gentoo.org | |
| Gmane -- Mail To News And Back Again | af854a3a-2127-422b-91ae-364da2661108 | article.gmane.org | |
| aterm X11 Display Security Issue - Secunia Advisories - Vulnerability Intelligence - Secunia.com | af854a3a-2127-422b-91ae-364da2661108 | secunia.com | Vendor Advisory |
| wterm X11 Display Security Issue - Advisories - Secunia | af854a3a-2127-422b-91ae-364da2661108 | secunia.com | Vendor Advisory |
| Gentoo update for aterm, eterm, rxvt, mrxvt, multi-aterm, wterm, and rxvt-unicode - Advisories - Secunia | af854a3a-2127-422b-91ae-364da2661108 | secunia.com | Vendor Advisory |
| rxvt X11 Display Security Issue - Advisories - Secunia | af854a3a-2127-422b-91ae-364da2661108 | secunia.com | Vendor Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
| Organization | Published | Contributor | Statement |
|---|---|---|---|
| Red Hat | 2008-04-14 | Joshua Bressers | Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2008-1142 This issue does not affect Red Hat Enterprise Linux 3, 4, or 5. The Red Hat Security Response Team has rated this issue as having low security impact. Due to the minimal security consequences of this issue, we do not intend to fix this in Red Hat Enterprise Linux 2.1. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/ |
There are currently no legacy QID mappings associated with this CVE.