AI Score: 7.6 High (Confidence: Low)

CVSS2: 7.6 High
Access Vector: NETWORK
Access Complexity: HIGH
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
CVSS2 Vector: AV:N/AC:H/Au:N/C:C/I:C/A:C

EPSS: 0.008 Low (Percentile: 81.5%)

setup.exe before 2.573.2.3 in Cygwin does not properly verify the authenticity of packages, which allows remote Cygwin mirror servers or man-in-the-middle attackers to execute arbitrary code via a package list containing the MD5 checksum of a Trojan horse package.
CPE | Name | Operator | Version |
---|---|---|---|
redhat:cygwin | redhat cygwin | le | 1.7 |
cygwin.com/ml/cygwin-announce/2008-08/msg00001.html
secunia.com/advisories/31271
securityreason.com/securityalert/4051
www.security-objectives.com/advisories/SECOBJADV-2008-02.txt
www.securityfocus.com/archive/1/494756/100/0/threaded
www.securityfocus.com/bid/30375
www.vupen.com/english/advisories/2008/2321
bugzilla.redhat.com/show_bug.cgi?id=449929
exchange.xforce.ibmcloud.com/vulnerabilities/44047