CVE-2017-2624

Source
https://cve.org/CVERecord?id=CVE-2017-2624
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-2624.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2017-2624
Downstream
Related
Published
2018-07-27T18:29:00.827Z
Modified
2026-07-08T11:49:33.992574Z
Severity
  • 7.0 (High) CVSS_V3 - CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

It was found that xorg-x11-server before 1.19.0 including uses memcmp() to check the received MIT cookie against a series of valid cookies. If the cookie is correct, it is allowed to attach to the Xorg session. Since most memcmp() implementations return after an invalid byte is seen, this causes a time difference between a valid and invalid byte, which could allow an efficient brute force attack.

References

Affected packages

Git / gitlab.freedesktop.org/xorg/xserver

Affected ranges

Type
GIT
Repo
https://gitlab.freedesktop.org/xorg/xserver
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
Introduced
Last affected
Fixed
Database specific
{
    "cpe": [
        "cpe:2.3:a:x.org:x_server:*:*:*:*:*:*:*:*",
        "cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*"
    ],
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "1.19.4"
        },
        {
            "introduced": "7.0"
        },
        {
            "last_affected": "7.0"
        }
    ],
    "source": [
        "CPE_RANGE",
        "CPE_STRING",
        "REFERENCES"
    ]
}

Affected versions

7.*
7.0
Other
XORG-7_0
XORG-7_0_99_901
pre-xgldrop-merge
xorg-server-1_0_99_1
xorg-server-1_0_99_2
xorg-server-1_0_99_901
xorg-server-1_1_99_1
xorg-server-1_1_99_2
xorg-server-1.*
xorg-server-1.1.99.3
xorg-server-1.10.0
xorg-server-1.10.99.901
xorg-server-1.10.99.902
xorg-server-1.11.0
xorg-server-1.11.99.1
xorg-server-1.11.99.901
xorg-server-1.11.99.902
xorg-server-1.11.99.903
xorg-server-1.12.0
xorg-server-1.12.99.901
xorg-server-1.12.99.902
xorg-server-1.12.99.903
xorg-server-1.12.99.904
xorg-server-1.12.99.905
xorg-server-1.13.0
xorg-server-1.13.99.901
xorg-server-1.13.99.902
xorg-server-1.14.0
xorg-server-1.14.99.1
xorg-server-1.14.99.2
xorg-server-1.14.99.3
xorg-server-1.14.99.901
xorg-server-1.14.99.902
xorg-server-1.14.99.903
xorg-server-1.14.99.904
xorg-server-1.14.99.905
xorg-server-1.15.0
xorg-server-1.15.99.901
xorg-server-1.15.99.902
xorg-server-1.15.99.903
xorg-server-1.15.99.904
xorg-server-1.16.0
xorg-server-1.16.99.901
xorg-server-1.16.99.902
xorg-server-1.17.0
xorg-server-1.17.99.901
xorg-server-1.17.99.902
xorg-server-1.18.0
xorg-server-1.18.99.2
xorg-server-1.18.99.901
xorg-server-1.18.99.902
xorg-server-1.19.0
xorg-server-1.19.1
xorg-server-1.19.2
xorg-server-1.19.3
xorg-server-1.19.4
xorg-server-1.5.99.1
xorg-server-1.6.99.900
xorg-server-1.6.99.901
xorg-server-1.7.99.1
xorg-server-1.7.99.2
xorg-server-1.7.99.901
xorg-server-1.7.99.902
xorg-server-1.8.0
xorg-server-1.8.99.901
xorg-server-1.8.99.902
xorg-server-1.8.99.903
xorg-server-1.8.99.904
xorg-server-1.8.99.905
xorg-server-1.8.99.906
xorg-server-1.9.0
xorg-server-1.9.99.901
xorg-server-1.9.99.902
xorg-server-1.9.99.903

Database specific

vanir_signatures
[
    {
        "source": "https://gitlab.freedesktop.org/xorg/xserver@d7ac755f0b618eb1259d93c8a16ec6e39a18627c",
        "signature_version": "v1",
        "signature_type": "Line",
        "digest": {
            "line_hashes": [
                "44675475628667427906411722638807632347",
                "83435234544122330596383337453727725290",
                "246495687630101241807656372490502924673",
                "242654172581604024205415859549940946512"
            ],
            "threshold": 0.9
        },
        "deprecated": false,
        "id": "CVE-2017-2624-03d4e614",
        "target": {
            "file": "os/mitauth.c"
        }
    },
    {
        "source": "https://gitlab.freedesktop.org/xorg/xserver@d7ac755f0b618eb1259d93c8a16ec6e39a18627c",
        "signature_version": "v1",
        "signature_type": "Line",
        "digest": {
            "line_hashes": [
                "154472361466984619362077251267719493621",
                "226145445792571596998190020540737906102",
                "265725287014319971204949272950739294120"
            ],
            "threshold": 0.9
        },
        "deprecated": false,
        "id": "CVE-2017-2624-d009d9cc",
        "target": {
            "file": "include/os.h"
        }
    }
]
vanir_signatures_modified
"2026-07-08T11:49:33Z"
source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-2624.json"