Description
The client in OpenSSH before 7.2 mishandles failed cookie generation for untrusted X11 forwarding and relies on the local X11 server for access-control decisions, which allows remote X11 clients to trigger a fallback and obtain trusted X11 forwarding privileges by leveraging configuration issues on this X11 server, as demonstrated by lack of the SECURITY extension on this X11 server.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release                        Version             Status
openssh (PTS)    bullseye (security), bullseye  1:8.4p1-5+deb11u3   fixed
                 bookworm (security)            1:9.2p1-2+deb12u3   fixed
                 sid, trixie                    1:9.7p1-7           fixed

The information below is based on the following data on fixed versions.

Package   Type   Release   Fixed Version   Urgency   Origin   Debian Bugs


[wheezy] - openssh <no-dsa> (Minor issue)
[squeeze] - openssh <no-dsa> (Minor issue)
Upstream commit:
which needs to be applied after:
Background information on X11 SECURITY extension and SSH:
Red Hat Bugzilla entry:
The vulnerability is partly due to /etc/X11/Xsession.d/35x11-common_xhost-local, introduced in x11-common 1:7.6+9 (wheezy and up).
Upstream announce:
