Lucene search

[email protected]CVE-2003-1033

HistoryApr 15, 2004 - 4:00 a.m.

CVE-2003-1033

2004-04-1504:00:00

NVD-CWE-Other

[email protected]

web.nvd.nist.gov

cve-2003-1033

sap

development tools

instdbmsrv

instlserver

setuid

local users

root privileges

vulnerability

7.4 High

AI Score

Confidence

Low

7.2 High

CVSS2

Access Vector

LOCAL

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:L/Au:N/C:C/I:C/A:C

0.0004 Low

EPSS

Percentile

5.3%

JSON

The (1) instdbmsrv and (2) instlserver programs in SAP DB Development Tools 7.x trust the user-provided INSTROOT environment variable as a path when assigning setuid permissions to the lserver program, which allows local users to gain root privileges via a modified INSTROOT that points to a malicious dbmsrv or lserver program.

CPENameOperatorVersion
sap:sap_dbsap sap dbeq7.3.00
sap:sap_dbsap sap dbeq7.4

CPE	Name	Operator	Version
sap:sap_db	sap sap db	eq	7.3.00
sap:sap_db	sap sap db	eq	7.4

References

listserv.sap.com/pipermail/sapdb.sources/2003-April/000143.html

marc.info/?l=bugtraq&m=105103613727471&w=2

www.securityfocus.com/bid/7407

www.securityfocus.com/bid/7408

exchange.xforce.ibmcloud.com/vulnerabilities/11842

7.4 High

AI Score

Confidence

Low

7.2 High

CVSS2

Access Vector

LOCAL

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:L/Au:N/C:C/I:C/A:C

0.0004 Low

EPSS

Percentile

5.3%

JSON