ID CVE-2003-0015
Summary Double-free vulnerability in CVS 1.11.4 and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary code via a malformed Directory request, as demonstrated by bypassing write checks to execute Update-prog and Checkin-prog commands.
References
Vulnerable Configurations
  • FreeBSD 4.4
    cpe:2.3:o:freebsd:freebsd:4.4
  • FreeBSD 4.5
    cpe:2.3:o:freebsd:freebsd:4.5
  • FreeBSD 4.6
    cpe:2.3:o:freebsd:freebsd:4.6
  • FreeBSD 4.7
    cpe:2.3:o:freebsd:freebsd:4.7
  • FreeBSD 5.0
    cpe:2.3:o:freebsd:freebsd:5.0
  • CVS 1.10.7
    cpe:2.3:a:cvs:cvs:1.10.7
  • CVS 1.10.8
    cpe:2.3:a:cvs:cvs:1.10.8
  • CVS 1.11
    cpe:2.3:a:cvs:cvs:1.11
  • CVS 1.11.1
    cpe:2.3:a:cvs:cvs:1.11.1
  • CVS 1.11.1p1
    cpe:2.3:a:cvs:cvs:1.11.1p1
  • CVS 1.11.2
    cpe:2.3:a:cvs:cvs:1.11.2
  • CVS 1.11.3
    cpe:2.3:a:cvs:cvs:1.11.3
  • CVS 1.11.4
    cpe:2.3:a:cvs:cvs:1.11.4
CVSS
Base: 7.5 (as of 06-10-2016 - 08:33)
Impact:
Exploitability:
CWE CWE-415
CAPEC
Access
  Vector: NETWORK
  Complexity: LOW
  Authentication: NONE
Impact
  Confidentiality: PARTIAL
  Integrity: PARTIAL
  Availability: PARTIAL
exploit-db via4
description CVS 1.11.x Directory Request Double Free Heap Corruption Vulnerability. CVE-2003-0015. Remote exploit for the Linux platform
id EDB-ID:22187
last seen 2016-02-02
modified 2003-01-20
published 2003-01-20
reporter Stefan Esser
source https://www.exploit-db.com/download/22187/
title CVS 1.11.x - Directory Request Double Free Heap Corruption Vulnerability
nessus via4
  • NASL family Slackware Local Security Checks
    NASL id SLACKWARE_18708.NASL
    description New cvs packages are available to fix a security vulnerability.
    last seen 2016-09-26
    modified 2011-05-28
    plugin id 18708
    published 2005-07-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=18708
    title SSA-18708 New CVS packages available
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-233.NASL
    description Stefan Esser discovered a problem in cvs, a concurrent versions system, which is used for many Free Software projects. The current version contains a flaw that can be used by a remote attacker to execute arbitrary code on the CVS server under the user id the CVS server runs as. Anonymous read-only access is sufficient to exploit this problem.
    last seen 2019-02-21
    modified 2018-07-20
    plugin id 15070
    published 2004-09-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=15070
    title Debian DSA-233-1 : cvs - doubly freed memory
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SA_2003_0007.NASL
    description The remote host is missing the patch for the advisory SUSE-SA:2003:0007 (cvs). CVS (Concurrent Versions System) is a version control system which helps to manage concurrent editing of files by various authors. Stefan Esser of e-matters reported a 'double free' bug in CVS server code for handling directory requests. This free() call allows an attacker with CVS read access to compromise a CVS server. Additionally, two features ('Update-prog' and 'Checkin-prog') were disabled to stop clients with write access from executing arbitrary code on the server. These features may be configurable at run-time in future releases of CVS server. There is no temporary fix known other than disabling public access to the CVS server. You do not need to update the cvs package as long as you need the 'Update-prog' and 'Checkin-prog' features and work in a trusted environment. Otherwise, please install the new packages from our FTP servers. Please download the update package for your distribution and verify its integrity by the methods listed in section 3) of this announcement. Then, install the package using the command 'rpm -Fhv file.rpm' to apply the update.
    last seen 2019-02-21
    modified 2016-12-27
    plugin id 13772
    published 2004-07-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=13772
    title SUSE-SA:2003:0007: cvs
  • NASL family Mandriva Local Security Checks
    NASL id MANDRAKE_MDKSA-2003-009.NASL
    description Two vulnerabilities were discovered by Stefan Esser in the cvs program. The first is an exploitable double free() bug within the server, which can be used to execute arbitrary code on the CVS server. To accomplish this, the attacker must have an anonymous read-only login to the CVS server. The second vulnerability is with the Checkin-prog and Update-prog commands. If a client has write permission, he can use these commands to execute programs outside of the scope of CVS, the output of which will be sent as output to the client. This update fixes the double free() vulnerability and removes the Checkin-prog and Update-prog commands from CVS.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 13994
    published 2004-07-31
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=13994
    title Mandrake Linux Security Advisory : cvs (MDKSA-2003:009)
  • NASL family Misc.
    NASL id CVS_DOUBLE_FREE.NASL
    description According to its version number, the CVS server running on the remote host has a double free bug, which could allow a malicious user to elevate their privileges.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 11385
    published 2003-03-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=11385
    title CVS Malformed Directory Request Double-free Privilege Escalation
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2003-013.NASL
    description Updated CVS packages are now available for Red Hat Linux Advanced Server. These updates fix a vulnerability which would permit arbitrary command execution on servers configured to allow anonymous read-only access. [Updated 06 Feb 2003] Added fixed packages for Advanced Workstation 2.1 CVS is a version control system frequently used to manage source code repositories. During an audit of the CVS sources, Stefan Esser discovered an exploitable double-free bug in the CVS server. On servers which are configured to allow anonymous read-only access, this bug could be used by anonymous users to gain write privileges. Users with CVS write privileges can then use the Update-prog and Checkin-prog features to execute arbitrary commands on the server. All users of CVS are advised to upgrade to these packages which contain patches to correct the double-free bug. Our thanks go to Stefan Esser of e-matters for reporting this issue to us.
    last seen 2019-02-21
    modified 2018-12-20
    plugin id 12351
    published 2004-07-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=12351
    title RHEL 2.1 : cvs (RHSA-2003:013)
redhat via4
advisories
  • rhsa
    id RHSA-2003:012
  • rhsa
    id RHSA-2003:013
refmap via4
bid 6650
bugtraq
  • 20030122 [security@slackware.com: [slackware-security] New CVS packages available]
  • 20030124 Test program for CVS double-free.
  • 20030202 Exploit for CVS double free() for Linux pserver
caldera CSSA-2003-006
cert CA-2003-02
cert-vn VU#650937
ciac N-032
confirm http://ccvs.cvshome.org/servlets/NewsItemView?newsID=51&JServSessionIdservlets=5of2iuhr14
debian DSA-233
freebsd FreeBSD-SA-03:01
fulldisc 20030120 Advisory 01/2003: CVS remote vulnerability
mandrake MDKSA-2003:009
misc http://security.e-matters.de/advisories/012003.html
suse SuSE-SA:2003:0007
vulnwatch 20030120 Advisory 01/2003: CVS remote vulnerability
xf cvs-doublefree-memory-corruption(11108)
Last major update 17-10-2016 - 22:28
Published 07-02-2003 - 00:00
Last modified 02-05-2018 - 21:29