CVE-2008-1142

rxvt 2.6.4 opens a terminal window on :0 if the DISPLAY environment variable is not set, which might allow local users to hijack X11 connections. NOTE: it was later reported that rxvt-unicode, mrxvt, aterm, multi-aterm, and wterm are also affected. NOTE: realistic attack scenarios require that the victim enters a command on the wrong machine.

Published: 2008-04-07 Last update: 2026-06-16 Assigner: [email protected] Source: [email protected]
NVD Status:ModifiedCVE State: published
View at NVD, CVE.org, EUVD

CVE-2008-1142 is rated Low Risk (24.9/100): CVSS Low severity, with low exploitation likelihood (EPSS 0.36%). Monitor for updates and reassess as exploit intelligence or EPSS changes.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Exploit prediction scoring system (EPSS) score for CVE-2008-1142

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

# Date Old EPSS score New EPSS score Delta (New - Old)
1 2026-06-15 0.06% 0.36% +0.30%
2 2025-03-17 0.04% 0.06% +0.02%
3 2023-03-07 0.04%

Full EPSS history (4 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2008-1142

CVSS metrics for this CVE.

Base score Version Severity Vector Exploitability Impact Score source
3.7 2.0 LOW
AV:L/AC:H/Au:N/C:P/I:P/A:P Click to expand
Access vector (AV:L)
Requires local access to the target system.
Access complexity (AC:H)
Exploitation requires uncommon or highly specific conditions.
Authentication (AU:N)
No authentication is required.
Confidentiality impact (C:P)
Partial confidentiality impact.
Integrity impact (I:P)
Partial integrity impact.
Availability impact (A:P)
Partial availability impact.
 1.9 6.4 [email protected]

Weakness enumeration for CVE-2008-1142

OS Trackers for CVE-2008-1142

vendor priority summary link
gentoo normal CVE-2008-1142: 1 GLSA(s) (200805-03), 7 atom(s) (x11-terms/aterm, x11-terms/eterm, …); latest impact normal. https://bugs.gentoo.org/buglist.cgi?quicksearch=CVE-2008-1142
redhat low https://access.redhat.com/security/cve/CVE-2008-1142
ubuntu low CVE-2008-1142 low priority: Ubuntu including 1 source packages (rxvt), 13 status rows across 13 suites (dapper, edgy, feisty, gutsy, hardy, intrepid, jaunty, karmic, lucid, maverick, natty, oneiric, upstream): not-affected 7, ignored 5, released 1. https://ubuntu.com/security/CVE-2008-1142

Vendor comments (NVD) for CVE-2008-1142

  • Red Hat (2008-04-14T00:00:00)

    Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2008-1142 This issue does not affect Red Hat Enterprise Linux 3, 4, or 5. The Red Hat Security Response Team has rated this issue as having low security impact. Due to the minimal security consequences of this issue, we do not intend to fix this in Red Hat Enterprise Linux 2.1. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/

Affected software / configurations for CVE-2008-1142

Vendor Product Version Raw CPE
aterm aterm <= 1.0.0 cpe:2.3:a:aterm:aterm:*:*:*:*:*:*:*:*
aterm aterm 0.1.0 cpe:2.3:a:aterm:aterm:0.1.0:*:*:*:*:*:*:*
aterm aterm 0.1.1 cpe:2.3:a:aterm:aterm:0.1.1:*:*:*:*:*:*:*
aterm aterm 0.2.0 cpe:2.3:a:aterm:aterm:0.2.0:*:*:*:*:*:*:*
aterm aterm 0.3.0 cpe:2.3:a:aterm:aterm:0.3.0:*:*:*:*:*:*:*
aterm aterm 0.3.1 cpe:2.3:a:aterm:aterm:0.3.1:*:*:*:*:*:*:*
aterm aterm 0.3.2 cpe:2.3:a:aterm:aterm:0.3.2:*:*:*:*:*:*:*
aterm aterm 0.3.3 cpe:2.3:a:aterm:aterm:0.3.3:*:*:*:*:*:*:*
aterm aterm 0.3.4 cpe:2.3:a:aterm:aterm:0.3.4:*:*:*:*:*:*:*
aterm aterm 0.3.5 cpe:2.3:a:aterm:aterm:0.3.5:*:*:*:*:*:*:*
aterm aterm 0.3.6 cpe:2.3:a:aterm:aterm:0.3.6:*:*:*:*:*:*:*
aterm aterm 0.4.0 cpe:2.3:a:aterm:aterm:0.4.0:*:*:*:*:*:*:*
aterm aterm 0.4.1 cpe:2.3:a:aterm:aterm:0.4.1:*:*:*:*:*:*:*
aterm aterm 0.4.2 cpe:2.3:a:aterm:aterm:0.4.2:*:*:*:*:*:*:*
aterm aterm 1.00 cpe:2.3:a:aterm:aterm:1.00:beta1:*:*:*:*:*:*
aterm aterm 1.00 cpe:2.3:a:aterm:aterm:1.00:beta2:*:*:*:*:*:*
aterm aterm 1.00 cpe:2.3:a:aterm:aterm:1.00:beta3:*:*:*:*:*:*
aterm aterm 1.00 cpe:2.3:a:aterm:aterm:1.00:beta4:*:*:*:*:*:*
eterm eterm <= 0.9.3 cpe:2.3:a:eterm:eterm:*:*:*:*:*:*:*:*
eterm eterm 0.9.2 cpe:2.3:a:eterm:eterm:0.9.2:*:*:*:*:*:*:*
mrxvt mrxvt <= 0.5.2 cpe:2.3:a:mrxvt:mrxvt:*:*:*:*:*:*:*:*
mrxvt mrxvt 0.4.2 cpe:2.3:a:mrxvt:mrxvt:0.4.2:*:*:*:*:*:*:*
multi-aterm multi-aterm <= 0.2 cpe:2.3:a:multi-aterm:multi-aterm:*:*:*:*:*:*:*:*
multi-aterm multi-aterm 0.0.1 cpe:2.3:a:multi-aterm:multi-aterm:0.0.1:*:*:*:*:*:*:*
multi-aterm multi-aterm 0.0.3 cpe:2.3:a:multi-aterm:multi-aterm:0.0.3:*:*:*:*:*:*:*
multi-aterm multi-aterm 0.0.4 cpe:2.3:a:multi-aterm:multi-aterm:0.0.4:*:*:*:*:*:*:*
multi-aterm multi-aterm 0.0.5 cpe:2.3:a:multi-aterm:multi-aterm:0.0.5:*:*:*:*:*:*:*
multi-aterm multi-aterm 0.1 cpe:2.3:a:multi-aterm:multi-aterm:0.1:*:*:*:*:*:*:*
rxvt rxvt <= 2.7.9 cpe:2.3:a:rxvt:rxvt:*:*:*:*:*:*:*:*
rxvt rxvt 2.6.1 cpe:2.3:a:rxvt:rxvt:2.6.1:*:*:*:*:*:*:*
rxvt rxvt 2.6.2 cpe:2.3:a:rxvt:rxvt:2.6.2:*:*:*:*:*:*:*
rxvt rxvt 2.6.3 cpe:2.3:a:rxvt:rxvt:2.6.3:*:*:*:*:*:*:*
rxvt rxvt 2.6.4 cpe:2.3:a:rxvt:rxvt:2.6.4:*:*:*:*:*:*:*
rxvt rxvt 2.7.5 cpe:2.3:a:rxvt:rxvt:2.7.5:*:*:*:*:*:*:*
rxvt rxvt 2.7.6 cpe:2.3:a:rxvt:rxvt:2.7.6:*:*:*:*:*:*:*
rxvt rxvt 2.7.7 cpe:2.3:a:rxvt:rxvt:2.7.7:*:*:*:*:*:*:*
rxvt rxvt 2.7.8 cpe:2.3:a:rxvt:rxvt:2.7.8:*:*:*:*:*:*:*
rxvt-unicode rxvt-unicode <= 9.01 cpe:2.3:a:rxvt-unicode:rxvt-unicode:*:*:*:*:*:*:*:*
rxvt-unicode rxvt-unicode 1.0 cpe:2.3:a:rxvt-unicode:rxvt-unicode:1.0:*:*:*:*:*:*:*
rxvt-unicode rxvt-unicode 1.1 cpe:2.3:a:rxvt-unicode:rxvt-unicode:1.1:*:*:*:*:*:*:*
rxvt-unicode rxvt-unicode 1.2 cpe:2.3:a:rxvt-unicode:rxvt-unicode:1.2:*:*:*:*:*:*:*
rxvt-unicode rxvt-unicode 1.3 cpe:2.3:a:rxvt-unicode:rxvt-unicode:1.3:*:*:*:*:*:*:*
rxvt-unicode rxvt-unicode 1.4 cpe:2.3:a:rxvt-unicode:rxvt-unicode:1.4:*:*:*:*:*:*:*
rxvt-unicode rxvt-unicode 1.5 cpe:2.3:a:rxvt-unicode:rxvt-unicode:1.5:*:*:*:*:*:*:*
rxvt-unicode rxvt-unicode 1.6 cpe:2.3:a:rxvt-unicode:rxvt-unicode:1.6:*:*:*:*:*:*:*
rxvt-unicode rxvt-unicode 1.7 cpe:2.3:a:rxvt-unicode:rxvt-unicode:1.7:*:*:*:*:*:*:*
rxvt-unicode rxvt-unicode 1.8 cpe:2.3:a:rxvt-unicode:rxvt-unicode:1.8:*:*:*:*:*:*:*
rxvt-unicode rxvt-unicode 1.9 cpe:2.3:a:rxvt-unicode:rxvt-unicode:1.9:*:*:*:*:*:*:*
rxvt-unicode rxvt-unicode 1.91 cpe:2.3:a:rxvt-unicode:rxvt-unicode:1.91:*:*:*:*:*:*:*
rxvt-unicode rxvt-unicode 2.0 cpe:2.3:a:rxvt-unicode:rxvt-unicode:2.0:*:*:*:*:*:*:*
rxvt-unicode rxvt-unicode 2.1 cpe:2.3:a:rxvt-unicode:rxvt-unicode:2.1:*:*:*:*:*:*:*
rxvt-unicode rxvt-unicode 2.2 cpe:2.3:a:rxvt-unicode:rxvt-unicode:2.2:*:*:*:*:*:*:*
rxvt-unicode rxvt-unicode 2.3 cpe:2.3:a:rxvt-unicode:rxvt-unicode:2.3:*:*:*:*:*:*:*
rxvt-unicode rxvt-unicode 2.4 cpe:2.3:a:rxvt-unicode:rxvt-unicode:2.4:*:*:*:*:*:*:*
rxvt-unicode rxvt-unicode 2.5 cpe:2.3:a:rxvt-unicode:rxvt-unicode:2.5:*:*:*:*:*:*:*
rxvt-unicode rxvt-unicode 2.6 cpe:2.3:a:rxvt-unicode:rxvt-unicode:2.6:*:*:*:*:*:*:*
rxvt-unicode rxvt-unicode 2.7 cpe:2.3:a:rxvt-unicode:rxvt-unicode:2.7:*:*:*:*:*:*:*
rxvt-unicode rxvt-unicode 2.8 cpe:2.3:a:rxvt-unicode:rxvt-unicode:2.8:*:*:*:*:*:*:*
rxvt-unicode rxvt-unicode 2.9 cpe:2.3:a:rxvt-unicode:rxvt-unicode:2.9:*:*:*:*:*:*:*
rxvt-unicode rxvt-unicode 3.0 cpe:2.3:a:rxvt-unicode:rxvt-unicode:3.0:*:*:*:*:*:*:*
rxvt-unicode rxvt-unicode 3.1 cpe:2.3:a:rxvt-unicode:rxvt-unicode:3.1:*:*:*:*:*:*:*
rxvt-unicode rxvt-unicode 3.2 cpe:2.3:a:rxvt-unicode:rxvt-unicode:3.2:*:*:*:*:*:*:*
rxvt-unicode rxvt-unicode 3.3 cpe:2.3:a:rxvt-unicode:rxvt-unicode:3.3:*:*:*:*:*:*:*
rxvt-unicode rxvt-unicode 3.4 cpe:2.3:a:rxvt-unicode:rxvt-unicode:3.4:*:*:*:*:*:*:*
rxvt-unicode rxvt-unicode 3.5 cpe:2.3:a:rxvt-unicode:rxvt-unicode:3.5:*:*:*:*:*:*:*
rxvt-unicode rxvt-unicode 3.6 cpe:2.3:a:rxvt-unicode:rxvt-unicode:3.6:*:*:*:*:*:*:*
rxvt-unicode rxvt-unicode 3.7 cpe:2.3:a:rxvt-unicode:rxvt-unicode:3.7:*:*:*:*:*:*:*
rxvt-unicode rxvt-unicode 3.8 cpe:2.3:a:rxvt-unicode:rxvt-unicode:3.8:*:*:*:*:*:*:*
rxvt-unicode rxvt-unicode 3.9 cpe:2.3:a:rxvt-unicode:rxvt-unicode:3.9:*:*:*:*:*:*:*
rxvt-unicode rxvt-unicode 4.0 cpe:2.3:a:rxvt-unicode:rxvt-unicode:4.0:*:*:*:*:*:*:*
rxvt-unicode rxvt-unicode 4.1 cpe:2.3:a:rxvt-unicode:rxvt-unicode:4.1:*:*:*:*:*:*:*
rxvt-unicode rxvt-unicode 4.2 cpe:2.3:a:rxvt-unicode:rxvt-unicode:4.2:*:*:*:*:*:*:*
rxvt-unicode rxvt-unicode 4.3 cpe:2.3:a:rxvt-unicode:rxvt-unicode:4.3:*:*:*:*:*:*:*
rxvt-unicode rxvt-unicode 4.4 cpe:2.3:a:rxvt-unicode:rxvt-unicode:4.4:*:*:*:*:*:*:*
rxvt-unicode rxvt-unicode 4.5 cpe:2.3:a:rxvt-unicode:rxvt-unicode:4.5:*:*:*:*:*:*:*
rxvt-unicode rxvt-unicode 4.6 cpe:2.3:a:rxvt-unicode:rxvt-unicode:4.6:*:*:*:*:*:*:*
rxvt-unicode rxvt-unicode 4.7 cpe:2.3:a:rxvt-unicode:rxvt-unicode:4.7:*:*:*:*:*:*:*
rxvt-unicode rxvt-unicode 4.8 cpe:2.3:a:rxvt-unicode:rxvt-unicode:4.8:*:*:*:*:*:*:*
rxvt-unicode rxvt-unicode 4.9 cpe:2.3:a:rxvt-unicode:rxvt-unicode:4.9:*:*:*:*:*:*:*
rxvt-unicode rxvt-unicode 5.0 cpe:2.3:a:rxvt-unicode:rxvt-unicode:5.0:*:*:*:*:*:*:*

References for CVE-2008-1142

URL Tags
http://article.gmane.org/gmane.comp.security.oss.general/122
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=469296 Vendor Advisory
http://lists.opensuse.org/opensuse-security-announce/2008-08/msg00006.html
http://secunia.com/advisories/29576 Vendor Advisory
http://secunia.com/advisories/30224 Vendor Advisory
http://secunia.com/advisories/30225 Vendor Advisory
http://secunia.com/advisories/30226 Vendor Advisory
http://secunia.com/advisories/30227 Vendor Advisory
http://secunia.com/advisories/30229 Vendor Advisory
http://secunia.com/advisories/31687 Vendor Advisory
http://security.gentoo.org/glsa/glsa-200805-03.xml
http://www.mandriva.com/security/advisories?name=MDVSA-2008:161
http://www.mandriva.com/security/advisories?name=MDVSA-2008:221
http://www.securityfocus.com/bid/28512 Patch
cvelogic Threat Intelligence