
CVE-2019-3010

Severity: High · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 16 October 2019
Modified: 27 October 2025
KEV Added: 25 May 2022
Patch: Oracle Critical Patch Update, October 2019
CVSS Score (v3.1): 8.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS Score: 0.5348 (98.0th percentile)
Risk Priority: 70 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2019-3010 is a high-severity vulnerability in Oracle Solaris whose weakness type is unspecified (no CWE is assigned). Its CVSS base score is 8.8 (High).

Operationally, it ranks in the top 2.0% of all CVEs by EPSS exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2019-3010 is a vulnerability in the XScreenSaver component of Oracle Solaris 11. Oracle rates it at CVSS 3.0 base score 8.8 and describes it as easily exploitable, with high impact on confidentiality, integrity and availability and a changed scope (S:C), meaning a successful attack can affect components beyond Solaris itself.

A low-privileged attacker who already has a local logon on the Solaris host (AV:L, PR:L) can exploit the flaw without any user interaction (UI:N) to fully compromise and take over the system.

Public references include Oracle's October 2019 Critical Patch Update, which fixes the issue, along with exploit code and technical details published to Packet Storm and the Full Disclosure mailing list in October 2019.

Public exploit material has therefore been available since the day of disclosure, which is consistent with the CVE's KEV listing and its high EPSS score.


Vulnerability details

Vulnerability in the Oracle Solaris product of Oracle Systems (component: XScreenSaver). The supported version that is affected is 11. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Solaris executes to compromise Oracle Solaris. While the vulnerability is in Oracle Solaris, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle Solaris. CVSS 3.0 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).

CWE(s): none assigned (weakness type unspecified)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: oracle
Product: solaris
Version: 11

Mitigating Controls (NIST 800-53 r5)

AC-6 Least Privilege (prevent)

Directly counters the low-privileged local attacker's ability to escalate and take over Solaris via the XScreenSaver flaw by enforcing only the minimum rights needed for logged-in users. Note that any user able to run the component locally can attempt the attack, so this control mainly limits who can obtain a logon on the host; it does not substitute for the patch.

SI-2 Flaw Remediation (prevent)

Requires timely application of the October 2019 Critical Patch Update that removes the XScreenSaver vulnerability before local exploitation can succeed.

OS-level access enforcement (prevent)

Enforces access-control decisions at the OS level so that even an authenticated local user cannot abuse the XScreenSaver component to gain unauthorized system takeover.
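The following script is an added example (not Oracle's code and not from the page's own analysis) that turns the three controls above into a host check. It assumes, as on typical Solaris 11 installs, that xscreensaver is a setuid-root binary at /usr/bin/xscreensaver (both are assumptions; confirm with `which xscreensaver` and `ls -l`). It reports whether the host still exposes a setuid-root XScreenSaver binary and provides a temporary compensating control (clearing the setuid bit) for the window before the October 2019 CPU is applied:

```shell
#!/bin/sh
# Added example, not Oracle's or the page's own code.
# Assumption: the XScreenSaver binary lives at /usr/bin/xscreensaver.
XSS=${XSS:-/usr/bin/xscreensaver}

# 0 if the file has the setuid bit, 1 otherwise (POSIX find: works on Solaris and Linux).
is_setuid() {
    [ -n "$(find "$1" -prune -perm -4000 2>/dev/null)" ]
}

# 0 if the file is owned by root, 1 otherwise.
owned_by_root() {
    [ -n "$(find "$1" -prune -user root 2>/dev/null)" ]
}

# Exit status: 0 = exposed (setuid root), 1 = not setuid root, 2 = file missing.
check_exposure() {
    [ -e "$1" ] || return 2
    if is_setuid "$1" && owned_by_root "$1"; then
        return 0
    fi
    return 1
}

# Compensating control only: clears the setuid bit and verifies that it is gone.
# Caveat: this also breaks XScreenSaver's password-based unlock, so patching is the real fix.
drop_setuid() {
    chmod u-s "$1" && ! is_setuid "$1"
}

# Stand-alone usage: report the host's state without modifying anything.
rc=0
check_exposure "$XSS" || rc=$?
case $rc in
    0) echo "EXPOSED: $XSS is setuid root; apply the October 2019 CPU (or temporarily run: drop_setuid $XSS)" ;;
    1) echo "OK: $XSS is not setuid root" ;;
    2) echo "INFO: $XSS not found on this host" ;;
esac
```

The script deliberately only reports by default; `drop_setuid` is a last resort for hosts that cannot be patched immediately, because without the setuid bit XScreenSaver can no longer verify passwords to unlock the screen. Patch status itself should be confirmed against Oracle's CPU advisory (for example by comparing the installed package version from `pkg info xscreensaver` on Solaris 11 with the fixed version Oracle lists) rather than inferred from file permissions alone.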
