CVE-2019-19520 - Incorrect Authorization vulnerability in OpenBSD 6.6

CVSS 4.6 - MEDIUM
Attack vector: LOCAL
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: PARTIAL
Availability impact: PARTIAL
Tags: local, low complexity, openbsd, CWE-863

Summary

xlock in OpenBSD 6.6 allows local users to gain the privileges of the auth group by providing a LIBGL_DRIVERS_PATH environment variable, because xenocara/lib/mesa/src/loader/loader.c mishandles dlopen.

Vulnerable Configurations

Part    Description    Count
OS      OpenBSD        1

Common Weakness Enumeration (CWE)

Packetstorm

data source: https://packetstormsecurity.com/files/download/155572/qsa-openbsd.txt
id: PACKETSTORM:155572
last seen: 2019-12-06
published: 2019-12-05
reporter: qualys.com
source: https://packetstormsecurity.com/files/155572/Qualys-Security-Advisory-OpenBSD-Authentication-Bypass-Privilege-Escalation.html
title: Qualys Security Advisory - OpenBSD Authentication Bypass / Privilege Escalation

The Hacker News

id: THN:46888CC4F1109D706C6033E851E731A9
last seen: 2019-12-05
modified: 2019-12-05
published: 2019-12-05
reporter: The Hacker News
source: https://thehackernews.com/2019/12/openbsd-authentication-vulnerability.html
title: Severe Auth Bypass and Priv-Esc Vulnerabilities Disclosed in OpenBSD