ID CVE-2003-0977
Summary CVS server before 1.11.10 may allow attackers to cause the CVS server to create directories and files in the file system root directory via malformed module requests.
References
Vulnerable Configurations
  • cpe:2.3:a:cvs:cvs:1.10.7:*:*:*:*:*:*:*
  • cpe:2.3:a:cvs:cvs:1.10.8:*:*:*:*:*:*:*
  • cpe:2.3:a:cvs:cvs:1.11:*:*:*:*:*:*:*
  • cpe:2.3:a:cvs:cvs:1.11.1:*:*:*:*:*:*:*
  • cpe:2.3:a:cvs:cvs:1.11.1_p1:*:*:*:*:*:*:*
  • cpe:2.3:a:cvs:cvs:1.11.2:*:*:*:*:*:*:*
  • cpe:2.3:a:cvs:cvs:1.11.3:*:*:*:*:*:*:*
  • cpe:2.3:a:cvs:cvs:1.11.4:*:*:*:*:*:*:*
  • cpe:2.3:a:cvs:cvs:1.11.5:*:*:*:*:*:*:*
  • cpe:2.3:a:cvs:cvs:1.11.6:*:*:*:*:*:*:*
  • cpe:2.3:o:slackware:slackware_linux:8.1:*:*:*:*:*:*:*
  • cpe:2.3:o:slackware:slackware_linux:9.0:*:*:*:*:*:*:*
  • cpe:2.3:o:slackware:slackware_linux:9.1:*:*:*:*:*:*:*
CVSS
Base: 7.5 (as of 11-10-2017 - 01:29)
Impact:
Exploitability:
CWE NVD-CWE-Other
CAPEC
Access
  Vector NETWORK
  Complexity LOW
  Authentication NONE
Impact
  Confidentiality PARTIAL
  Integrity PARTIAL
  Availability PARTIAL
cvss-vector via4 AV:N/AC:L/Au:N/C:P/I:P/A:P
oval via4
  • accepted 2013-04-29T04:14:35.172-04:00
    class vulnerability
    contributors
    • name Aharon Chernin
      organization SCAP.com, LLC
    • name Dragos Prisaca
      organization G2, Inc.
    definition_extensions
    • comment The operating system installed on the system is Red Hat Enterprise Linux 3
      oval oval:org.mitre.oval:def:11782
    • comment CentOS Linux 3.x
      oval oval:org.mitre.oval:def:16651
    description CVS server before 1.11.10 may allow attackers to cause the CVS server to create directories and files in the file system root directory via malformed module requests.
    family unix
    id oval:org.mitre.oval:def:11528
    status accepted
    submitted 2010-07-09T03:56:16-04:00
    title CVS server before 1.11.10 may allow attackers to cause the CVS server to create directories and files in the file system root directory via malformed module requests.
    version 30
  • accepted 2007-04-25T19:53:01.591-04:00
    class vulnerability
    contributors
    • name Jay Beale
      organization Bastille Linux
    • name Matt Busby
      organization The MITRE Corporation
    • name Thomas R. Jones
      organization Maitreya Security
    description CVS server before 1.11.10 may allow attackers to cause the CVS server to create directories and files in the file system root directory via malformed module requests.
    family unix
    id oval:org.mitre.oval:def:855
    status accepted
    submitted 2004-03-20T12:00:00.000-04:00
    title Red Hat CVS Server root Directory Access Vulnerability
    version 37
  • accepted 2007-04-25T19:53:04.168-04:00
    class vulnerability
    contributors
    • name Jay Beale
      organization Bastille Linux
    • name Matt Busby
      organization The MITRE Corporation
    • name Thomas R. Jones
      organization Maitreya Security
    description CVS server before 1.11.10 may allow attackers to cause the CVS server to create directories and files in the file system root directory via malformed module requests.
    family unix
    id oval:org.mitre.oval:def:866
    status accepted
    submitted 2004-03-20T12:00:00.000-04:00
    title Red Hat Enterprise 3 CVS Server root Directory Access Vulnerability
    version 38
redhat via4
advisories
  • rhsa
    id RHSA-2004:003
  • rhsa
    id RHSA-2004:004
rpms cvs-0:1.11.2-14
refmap via4
bugtraq
  • 20031217 [OpenPKG-SA-2003.052] OpenPKG Security Advisory (cvs)
  • 20040129 [FLSA-2004:1207] Updated cvs resolves security vulnerability
conectiva CLA-2004:808
confirm http://ccvs.cvshome.org/servlets/NewsItemView?newsID=84&JServSessionIdservlets=8u3x1myav1
debian DSA-422
mandrake MDKSA-2003:112
secunia 10601
sgi
  • 20040103-01-U
  • 20040202-01-U
xf cvs-module-file-manipulation(13929)
Last major update 11-10-2017 - 01:29
Published 05-01-2004 - 05:00
Last modified 11-10-2017 - 01:29