Lucene search

[email protected]CVE-2008-3323

HistoryJul 28, 2008 - 5:41 p.m.

CVE-2008-3323

2008-07-2817:41:00

CWE-20

[email protected]

web.nvd.nist.gov

cygwin

setup.exe

remote code execution

package list

security vulnerability

7.6 High

AI Score

Confidence

Low

7.6 High

CVSS2

Access Vector

NETWORK

Access Complexity

HIGH

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:H/Au:N/C:C/I:C/A:C

0.008 Low

EPSS

Percentile

81.5%

JSON

setup.exe before 2.573.2.3 in Cygwin does not properly verify the authenticity of packages, which allows remote Cygwin mirror servers or man-in-the-middle attackers to execute arbitrary code via a package list containing the MD5 checksum of a Trojan horse package.

CPENameOperatorVersion
redhat:cygwinredhat cygwinle1.7

CPE	Name	Operator	Version
redhat:cygwin	redhat cygwin	le	1.7

References

cygwin.com/ml/cygwin-announce/2008-08/msg00001.html

secunia.com/advisories/31271

securityreason.com/securityalert/4051

www.security-objectives.com/advisories/SECOBJADV-2008-02.txt

www.securityfocus.com/archive/1/494756/100/0/threaded

www.securityfocus.com/bid/30375

www.vupen.com/english/advisories/2008/2321

bugzilla.redhat.com/show_bug.cgi?id=449929

exchange.xforce.ibmcloud.com/vulnerabilities/44047

7.6 High

AI Score

Confidence

Low

7.6 High

CVSS2

Access Vector

NETWORK

Access Complexity

HIGH

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:H/Au:N/C:C/I:C/A:C

0.008 Low

EPSS

Percentile

81.5%

JSON

Related for CVE-2008-3323

seebug2 prion1 securityvulns1