CVE-2002-0643

2002-07-2304:00:00

[email protected]

web.nvd.nist.gov

msde 1.0

sql server 2000

setup.iss files

insecure permissions

sensitive data

weak encryption

passwords

privileges

6.8 Medium

AI Score

Confidence

Low

4.6 Medium

CVSS2

Access Vector

Access Complexity

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:L/AC:L/Au:N/C:P/I:P/A:P

0.001 Low

EPSS

Percentile

25.5%

JSON

The installation of Microsoft Data Engine 1.0 (MSDE 1.0), and Microsoft SQL Server 2000 creates setup.iss files with insecure permissions and does not delete them after installation, which allows local users to obtain sensitive data, including weakly encrypted passwords, to gain privileges, aka “SQL Server Installation Process May Leave Passwords on System.”

Affected configurations

NVD

Node

microsoftdata_engineMatch1.0

microsoftsql_serverMatch7.0

microsoftsql_serverMatch7.0sp1

microsoftsql_serverMatch7.0sp2

microsoftsql_serverMatch7.0sp3

microsoftsql_serverMatch2000

microsoftsql_serverMatch2000sp1

microsoftsql_serverMatch2000sp2

CPENameOperatorVersion
microsoft:data_enginemicrosoft data engineeq1.0
microsoft:sql_servermicrosoft sql servereq7.0
microsoft:sql_servermicrosoft sql servereq2000