ID CVE-2004-0414
Summary CVS 1.12.x through 1.12.8, and 1.11.x through 1.11.16, does not properly handle malformed "Entry" lines, which prevents a NULL terminator from being used and may lead to a denial of service (crash), modification of critical program data, or arbitrary code execution.
References
Vulnerable Configurations
  • cpe:2.3:a:cvs:cvs:1.10.7:*:*:*:*:*:*:*
    cpe:2.3:a:cvs:cvs:1.10.7:*:*:*:*:*:*:*
  • cpe:2.3:a:cvs:cvs:1.10.8:*:*:*:*:*:*:*
    cpe:2.3:a:cvs:cvs:1.10.8:*:*:*:*:*:*:*
  • cpe:2.3:a:cvs:cvs:1.11:*:*:*:*:*:*:*
    cpe:2.3:a:cvs:cvs:1.11:*:*:*:*:*:*:*
  • cpe:2.3:a:cvs:cvs:1.11.1:*:*:*:*:*:*:*
    cpe:2.3:a:cvs:cvs:1.11.1:*:*:*:*:*:*:*
  • cpe:2.3:a:cvs:cvs:1.11.1_p1:*:*:*:*:*:*:*
    cpe:2.3:a:cvs:cvs:1.11.1_p1:*:*:*:*:*:*:*
  • cpe:2.3:a:cvs:cvs:1.11.2:*:*:*:*:*:*:*
    cpe:2.3:a:cvs:cvs:1.11.2:*:*:*:*:*:*:*
  • cpe:2.3:a:cvs:cvs:1.11.3:*:*:*:*:*:*:*
    cpe:2.3:a:cvs:cvs:1.11.3:*:*:*:*:*:*:*
  • cpe:2.3:a:cvs:cvs:1.11.4:*:*:*:*:*:*:*
    cpe:2.3:a:cvs:cvs:1.11.4:*:*:*:*:*:*:*
  • cpe:2.3:a:cvs:cvs:1.11.5:*:*:*:*:*:*:*
    cpe:2.3:a:cvs:cvs:1.11.5:*:*:*:*:*:*:*
  • cpe:2.3:a:cvs:cvs:1.11.6:*:*:*:*:*:*:*
    cpe:2.3:a:cvs:cvs:1.11.6:*:*:*:*:*:*:*
  • cpe:2.3:a:cvs:cvs:1.11.10:*:*:*:*:*:*:*
    cpe:2.3:a:cvs:cvs:1.11.10:*:*:*:*:*:*:*
  • cpe:2.3:a:cvs:cvs:1.11.11:*:*:*:*:*:*:*
    cpe:2.3:a:cvs:cvs:1.11.11:*:*:*:*:*:*:*
  • cpe:2.3:a:cvs:cvs:1.11.14:*:*:*:*:*:*:*
    cpe:2.3:a:cvs:cvs:1.11.14:*:*:*:*:*:*:*
  • cpe:2.3:a:cvs:cvs:1.11.15:*:*:*:*:*:*:*
    cpe:2.3:a:cvs:cvs:1.11.15:*:*:*:*:*:*:*
  • cpe:2.3:a:cvs:cvs:1.11.16:*:*:*:*:*:*:*
    cpe:2.3:a:cvs:cvs:1.11.16:*:*:*:*:*:*:*
  • cpe:2.3:a:cvs:cvs:1.12.1:*:*:*:*:*:*:*
    cpe:2.3:a:cvs:cvs:1.12.1:*:*:*:*:*:*:*
  • cpe:2.3:a:cvs:cvs:1.12.2:*:*:*:*:*:*:*
    cpe:2.3:a:cvs:cvs:1.12.2:*:*:*:*:*:*:*
  • cpe:2.3:a:cvs:cvs:1.12.5:*:*:*:*:*:*:*
    cpe:2.3:a:cvs:cvs:1.12.5:*:*:*:*:*:*:*
  • cpe:2.3:a:cvs:cvs:1.12.7:*:*:*:*:*:*:*
    cpe:2.3:a:cvs:cvs:1.12.7:*:*:*:*:*:*:*
  • cpe:2.3:a:cvs:cvs:1.12.8:*:*:*:*:*:*:*
    cpe:2.3:a:cvs:cvs:1.12.8:*:*:*:*:*:*:*
  • cpe:2.3:a:openpkg:openpkg:*:*:*:*:*:*:*:*
    cpe:2.3:a:openpkg:openpkg:*:*:*:*:*:*:*:*
  • cpe:2.3:a:openpkg:openpkg:1.3:*:*:*:*:*:*:*
    cpe:2.3:a:openpkg:openpkg:1.3:*:*:*:*:*:*:*
  • cpe:2.3:a:openpkg:openpkg:2.0:*:*:*:*:*:*:*
    cpe:2.3:a:openpkg:openpkg:2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:sgi:propack:2.4:*:*:*:*:*:*:*
    cpe:2.3:a:sgi:propack:2.4:*:*:*:*:*:*:*
  • cpe:2.3:a:sgi:propack:3.0:*:*:*:*:*:*:*
    cpe:2.3:a:sgi:propack:3.0:*:*:*:*:*:*:*
  • cpe:2.3:o:gentoo:linux:1.4:*:*:*:*:*:*:*
    cpe:2.3:o:gentoo:linux:1.4:*:*:*:*:*:*:*
  • cpe:2.3:o:openbsd:openbsd:*:*:*:*:*:*:*:*
    cpe:2.3:o:openbsd:openbsd:*:*:*:*:*:*:*:*
  • cpe:2.3:o:openbsd:openbsd:3.4:*:*:*:*:*:*:*
    cpe:2.3:o:openbsd:openbsd:3.4:*:*:*:*:*:*:*
  • cpe:2.3:o:openbsd:openbsd:3.5:*:*:*:*:*:*:*
    cpe:2.3:o:openbsd:openbsd:3.5:*:*:*:*:*:*:*
CVSS
Base: 10.0 (as of 03-05-2018 - 01:29)
Impact:
Exploitability:
CWE NVD-CWE-Other
CAPEC
Access
VectorComplexityAuthentication
NETWORK LOW NONE
Impact
ConfidentialityIntegrityAvailability
COMPLETE COMPLETE COMPLETE
cvss-vector via4 AV:N/AC:L/Au:N/C:C/I:C/A:C
oval via4
  • accepted 2013-04-29T04:06:49.055-04:00
    class vulnerability
    contributors
    • name Aharon Chernin
      organization SCAP.com, LLC
    • name Dragos Prisaca
      organization G2, Inc.
    definition_extensions
    • comment The operating system installed on the system is Red Hat Enterprise Linux 3
      oval oval:org.mitre.oval:def:11782
    • comment CentOS Linux 3.x
      oval oval:org.mitre.oval:def:16651
    description CVS 1.12.x through 1.12.8, and 1.11.x through 1.11.16, does not properly handle malformed "Entry" lines, which prevents a NULL terminator from being used and may lead to a denial of service (crash), modification of critical program data, or arbitrary code execution.
    family unix
    id oval:org.mitre.oval:def:10575
    status accepted
    submitted 2010-07-09T03:56:16-04:00
    title CVS 1.12.x through 1.12.8, and 1.11.x through 1.11.16, does not properly handle malformed "Entry" lines, which prevents a NULL terminator from being used and may lead to a denial of service (crash), modification of critical program data, or arbitrary code execution.
    version 29
  • accepted 2004-08-04T12:00:00.000-04:00
    class vulnerability
    contributors
    name Jay Beale
    organization Bastille Linux
    description CVS 1.12.x through 1.12.8, and 1.11.x through 1.11.16, does not properly handle malformed "Entry" lines, which prevents a NULL terminator from being used and may lead to a denial of service (crash), modification of critical program data, or arbitrary code execution.
    family unix
    id oval:org.mitre.oval:def:993
    status accepted
    submitted 2004-06-29T12:00:00.000-04:00
    title CVS Improper Handling of Malformed Entry Lines
    version 4
redhat via4
advisories
rhsa
id RHSA-2004:233
rpms
  • cvs-0:1.11.2-24
  • cvs-debuginfo-0:1.11.2-24
refmap via4
bugtraq 20040611 [OpenPKG-SA-2004.027] OpenPKG Security Advisory (cvs)
debian DSA-517
fulldisc 20040609 Advisory 09/2004: More CVS remote vulnerabilities
gentoo GLSA-200406-06
mandrake MDKSA-2004:058
misc http://security.e-matters.de/advisories/092004.html
sgi
  • 20040604-01-U
  • 20040605-01-U
suse SuSE-SA:2004:015
Last major update 03-05-2018 - 01:29
Published 06-08-2004 - 04:00
Last modified 03-05-2018 - 01:29
Back to Top