Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
gentooGentoo FoundationGLSA-200404-13
HistoryApr 14, 2004 - 12:00 a.m.

CVS Server and Client Vulnerabilities

2004-04-1400:00:00
Gentoo Foundation
security.gentoo.org
16

0.011 Low

EPSS

Percentile

84.3%

JSON

Background

CVS, which stands for Concurrent Versions System, is a client/server application which tracks changes to sets of files. It allows multiple users to work concurrently on files, and then merge their changes back into the main tree (which can be on a remote system). It also allows branching, or maintaining separate versions for files.

Description

There are two vulnerabilities in CVS; one in the server and one in the client. The server vulnerability allows a malicious client to request the contents of any RCS file to which the server has permission, even those not located under $CVSROOT. The client vulnerability allows a malicious server to overwrite files on the client machine anywhere the client has permissions.

Impact

Arbitrary files may be read or written on CVS clients and servers by anybody with access to the CVS tree.

Workaround

There is no known workaround at this time. All users are encouraged to upgrade to the latest stable version of CVS.

Resolution

All CVS users should upgrade to the latest stable version.

 # emerge sync
 
 # emerge -pv ">=dev-util/cvs-1.11.15"
 # emerge ">=dev-util/cvs-1.11.15"
OSVersionArchitecturePackageVersionFilename
Gentooanyalldev-util/cvs<= 1.11.14UNKNOWN

Related

nessus 8
openvas 10
redhat 1
debian 1
freebsd_advisory 1
ubuntucve 2
cvelist 2
cve 2
osv 1
slackware 1
freebsd 1
debiancve 2
altlinux 1
suse 1
nessus
nessus
FreeBSD : CVS path validation errors (32)
2004-07-06 00:00:00
GLSA-200404-13 : CVS Server and Client Vulnerabilities
2004-08-30 00:00:00
Debian DSA-486-1 : cvs - several vulnerabilities
2004-09-29 00:00:00
openvas
openvas
Slackware Advisory SSA:2004-108-02 cvs security update
2012-09-11 00:00:00
FreeBSD Security Advisory (FreeBSD-SA-04:07.cvs.asc)
2008-09-04 00:00:00
Gentoo Security Advisory GLSA 200404-13 (cvs)
2008-09-24 00:00:00
redhat
redhat
(RHSA-2004:153) cvs security update
2004-04-14 00:00:00
debian
debian
[SECURITY] [DSA 486-1] New cvs packages fix multiple vulnerabilities
2004-04-16 00:00:00
freebsd_advisory
freebsd_advisory
FreeBSD-SA-04:07.cvs
2004-04-15 00:00:00
ubuntucve
ubuntucve
CVE-2004-0180
2004-06-01 00:00:00
CVE-2004-0405
2004-06-01 00:00:00
cvelist
cvelist
CVE-2004-0180
2004-04-16 04:00:00
CVE-2004-0405
2004-04-17 04:00:00
cve
cve
CVE-2004-0180
2004-06-01 04:00:00
CVE-2004-0405
2004-06-01 04:00:00
osv
osv
cvs - several vulnerabilities
2004-04-16 00:00:00
slackware
slackware
cvs security update
2004-04-18 16:40:41
freebsd
freebsd
CVS path validation errors
2004-04-14 00:00:00
debiancve
debiancve
CVE-2004-0180
2004-06-01 04:00:00
CVE-2004-0405
2004-06-01 04:00:00
altlinux
altlinux
Security fix for the ALT Linux 5 package cvs version 1.11.14-alt2
2004-04-07 00:00:00
suse
suse
remote code execution in cvs
2004-04-14 15:54:44

0.011 Low

EPSS

Percentile

84.3%

JSON
Related for GLSA-200404-13
nessus8openvas10redhat1debian1freebsd_advisory1ubuntucve2cvelist2cve2osv1slackware1freebsd1debiancve2altlinux1suse1