ID CVE-2002-1138
Summary Microsoft SQL Server 7.0 and 2000, including Microsoft Data Engine (MSDE) 1.0 and Microsoft Desktop Engine (MSDE) 2000, writes output files for scheduled jobs under its own privileges instead of the entity that launched it, which allows attackers to overwrite system files, aka "Flaw in Output File Handling for Scheduled Jobs."
References
Vulnerable Configurations
  • cpe:2.3:a:microsoft:data_engine:1.0:*:*:*:*:*:*:*
    cpe:2.3:a:microsoft:data_engine:1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:data_engine:2000:*:*:*:*:*:*:*
    cpe:2.3:a:microsoft:data_engine:2000:*:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:sql_server:7.0:*:*:*:*:*:*:*
    cpe:2.3:a:microsoft:sql_server:7.0:*:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:sql_server:7.0:sp1:*:*:*:*:*:*
    cpe:2.3:a:microsoft:sql_server:7.0:sp1:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:sql_server:7.0:sp2:*:*:*:*:*:*
    cpe:2.3:a:microsoft:sql_server:7.0:sp2:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:sql_server:7.0:sp3:*:*:*:*:*:*
    cpe:2.3:a:microsoft:sql_server:7.0:sp3:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:sql_server:7.0:sp4:*:*:*:*:*:*
    cpe:2.3:a:microsoft:sql_server:7.0:sp4:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:sql_server:2000:*:*:*:*:*:*:*
    cpe:2.3:a:microsoft:sql_server:2000:*:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:sql_server:2000:sp1:*:*:*:*:*:*
    cpe:2.3:a:microsoft:sql_server:2000:sp1:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:sql_server:2000:sp2:*:*:*:*:*:*
    cpe:2.3:a:microsoft:sql_server:2000:sp2:*:*:*:*:*:*
CVSS
Base: 7.5 (as of 12-10-2018 - 21:31)
Impact:
Exploitability:
CWE NVD-CWE-Other
CAPEC
Access
VectorComplexityAuthentication
NETWORK LOW NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL PARTIAL PARTIAL
cvss-vector via4 AV:N/AC:L/Au:N/C:P/I:P/A:P
refmap via4
ciac N-003
xf mssql-agent-create-files(10257)
Last major update 12-10-2018 - 21:31
Published 11-10-2002 - 04:00
Last modified 12-10-2018 - 21:31
Back to Top