CVE-2000-0680 - The CVS 1.10.8 server does not properly restrict users from creating arbitrary Checkin.prog or Updat

CVE-2000-0680

Summary

The CVS 1.10.8 server does not properly restrict users from creating arbitrary Checkin.prog or Update.prog programs, which allows remote CVS committers to modify or create Trojan horse programs with the Checkin.prog or Update.prog names, then performing a CVS commit action.

References

http://www.securityfocus.com/bid/1524
http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26msg%3Dhvou2daoebb.fsf%40serein.m17n.org

Vulnerable Configurations

cpe:2.3:a:cvs:cvs:1.10.8:*:*:*:*:*:*:*
cpe:2.3:a:cvs:cvs:1.10.8:*:*:*:*:*:*:*

CVSS

Base:	7.2 (as of 05-09-2008 - 20:21)
Impact:
Exploitability:

CWE

NVD-CWE-Other

CAPEC

Access

Vector	Complexity	Authentication
LOCAL	LOW	NONE

Impact

Confidentiality	Integrity	Availability
COMPLETE	COMPLETE	COMPLETE

cvss-vector via4

AV:L/AC:L/Au:N/C:C/I:C/A:C

refmap via4

bid	1524
bugtraq	20000728 cvs security problem

Last major update

05-09-2008 - 20:21

Published

20-10-2000 - 04:00

Last modified

05-09-2008 - 20:21