Sun Security Vulnerabilities

CVE-1999-1584

Unknown vulnerability in (1) loadmodule, and (2) modload if modload is installed with setuid/setgid privileges, in SunOS 4.1.1 through 4.1.3c, and Open Windows 3.0, allows local users to gain root privileges via environment variables, a different vulnerability than CVE-1999-1586.

6.6 AI Score

0.001 EPSS

2005-08-30 04:00 AM

CVE-1999-1585

The (1) rcS and (2) mountall programs in Sun Solaris 2.x, possibly before 2.4, start a privileged shell on the system console if fsck fails while the system is booting, which allows attackers with physical access to gain root privileges.

6.9 AI Score

0.001 EPSS

2005-08-30 04:00 AM

CVE-1999-1586

loadmodule in SunOS 4.1.x, as used by xnews, does not properly sanitize its environment, which allows local users to gain privileges, a different vulnerability than CVE-1999-1584.

6.5 AI Score

0.001 EPSS

2005-08-30 04:00 AM

CVE-1999-1587

/usr/ucb/ps in Sun Microsystems Solaris 8 and 9, and certain earlier releases, allows local users to view the environment variables and values of arbitrary processes via the -e option.

6 AI Score

0.0004 EPSS

2006-03-29 01:00 AM

CVE-1999-1588

Buffer overflow in nlps_server in Sun Solaris x86 2.4, 2.5, and 2.5.1 allows remote attackers to execute arbitrary code as root via a long string beginning with "NLPS:002:002:" to the listen (aka System V listener) port, TCP port 2766.

9.8 CVSS

8.3 AI Score

0.04 EPSS

2006-04-21 10:00 AM

CVE-2000-0030

Solaris dmispd dmi_cmd allows local users to fill up restricted disk space by adding files to the /var/dmi/db database.

6.7 AI Score

0.05 EPSS

2000-07-12 04:00 AM

CVE-2000-0032

Solaris dmi_cmd allows local users to crash the dmispd daemon by adding a malformed file to the /var/dmi/db database.

6.7 AI Score

0.005 EPSS

2000-07-12 04:00 AM

CVE-2000-0055

Buffer overflow in Solaris chkperm command allows local users to gain root access via a long -n option.

7.3 AI Score

0.0004 EPSS

2000-02-04 05:00 AM

CVE-2000-0069

The recover program in Solstice Backup allows local users to restore sensitive files.

6.6 AI Score

0.0004 EPSS

2000-02-04 05:00 AM

CVE-2000-0117

The siteUserMod.cgi program in Cobalt RaQ2 servers allows any Site Administrator to modify passwords for other users, site administrators, and possibly admin (root).

6.5 AI Score

0.0004 EPSS

2000-10-13 04:00 AM

CVE-2000-0118

The Red Hat Linux su program does not log failed password guesses if the su process is killed before it times out, which allows local attackers to conduct brute force password guessing.

6.9 AI Score

0.0004 EPSS

2000-02-08 05:00 AM

CVE-2000-0164

The installation of Sun Internet Mail Server (SIMS) creates a world-readable file that allows local users to obtain passwords.

6.6 AI Score

0.0005 EPSS

2000-10-13 04:00 AM

CVE-2000-0174

StarOffice StarScheduler web server allows remote attackers to read arbitrary files via a .. (dot dot) attack.

6.7 AI Score

0.008 EPSS

2000-07-12 04:00 AM

CVE-2000-0175

Buffer overflow in StarOffice StarScheduler web server allows remote attackers to gain root access via a long GET command.

7.6 AI Score

0.004 EPSS

2000-07-12 04:00 AM

CVE-2000-0210

The lit program in Sun Flex License Manager (FlexLM) follows symlinks, which allows local users to modify arbitrary files.

6.8 AI Score

0.0004 EPSS

2000-04-10 04:00 AM

CVE-2000-0234

The default configuration of Cobalt RaQ2 and RaQ3 as specified in access.conf allows remote attackers to view sensitive contents of a .htaccess file.

6.9 AI Score

0.006 EPSS

2000-06-02 04:00 AM

CVE-2000-0291

Buffer overflow in Star Office 5.1 allows attackers to cause a denial of service by embedding a long URL within a document.

7.1 AI Score

0.0005 EPSS

2000-04-26 04:00 AM

CVE-2000-0316

Buffer overflow in Solaris 7 lp allows local users to gain root privileges via a long -d option.

6.8 AI Score

0.0004 EPSS

2000-07-12 04:00 AM

CVE-2000-0317

Buffer overflow in Solaris 7 lpset allows local users to gain root privileges via a long -r option.

7.2 AI Score

0.0004 EPSS

2000-05-18 04:00 AM

CVE-2000-0320

Qpopper 2.53 and 3.0 does not properly identify the \n string which identifies the end of message text, which allows a remote attacker to cause a denial of service or corrupt mailboxes via a message line that is 1023 characters long and ends in \n.

6.6 AI Score

0.003 EPSS

2000-10-13 04:00 AM

CVE-2000-0337

Buffer overflow in Xsun X server in Solaris 7 allows local users to gain root privileges via a long -dev parameter.

7.2 AI Score

0.0004 EPSS

2000-07-12 04:00 AM

CVE-2000-0407

Buffer overflow in Solaris netpr program allows local users to execute arbitrary commands via a long -p option.

7.7 AI Score

0.0004 EPSS

2000-07-12 04:00 AM

CVE-2000-0431

Cobalt RaQ2 and RaQ3 does not properly set the access permissions and ownership for files that are uploaded via FrontPage, which allows attackers to bypass cgiwrap and modify files.

6.6 AI Score

0.036 EPSS

2000-07-12 04:00 AM

CVE-2000-0442

Qpopper 2.53 and earlier allows local users to gain privileges via a formatting string in the From: header, which is processed by the euidl command.

6.4 AI Score

0.005 EPSS

2000-07-12 04:00 AM

CVE-2000-0471

Buffer overflow in ufsrestore in Solaris 8 and earlier allows local users to gain root privileges via a long pathname.

6.8 AI Score

0.001 EPSS

2000-10-13 04:00 AM

CVE-2000-0629

The default configuration of the Sun Java web server 2.0 and earlier allows remote attackers to execute arbitrary commands by uploading Java code to the server via board.html, then directly calling the JSP compiler servlet.

7.9 AI Score

0.003 EPSS

2000-08-03 04:00 AM

CVE-2000-0696

The administration interface for the dwhttpd web server in Solaris AnswerBook2 does not properly authenticate requests to its supporting CGI scripts, which allows remote attackers to add user accounts to the interface by directly calling the admin CGI script.

7.1 AI Score

0.035 EPSS

2000-10-20 04:00 AM

CVE-2000-0697

The administration interface for the dwhttpd web server in Solaris AnswerBook2 allows interface users to remotely execute commands via shell metacharacters.

7 AI Score

0.006 EPSS

2000-10-20 04:00 AM

CVE-2000-0812

The administration module in Sun Java web server allows remote attackers to execute arbitrary commands by uploading Java code to the module and invoke the com.sun.server.http.pagecompile.jsp92.JspServlet by requesting a URL that begins with a /servlet/ tag.

8.2 AI Score

0.004 EPSS

2000-11-14 05:00 AM

CVE-2000-0844

Some functions that implement the locale subsystem on Unix do not properly cleanse user-injected format strings, which allows local attackers to execute arbitrary commands via functions such as gettext and catopen.

7.7 AI Score

0.005 EPSS

2001-01-22 05:00 AM

CVE-2000-0949

Heap overflow in savestr function in LBNL traceroute 1.4a5 and earlier allows a local user to execute arbitrary commands via the -g option.

7.4 AI Score

0.0005 EPSS

2001-01-22 05:00 AM

CVE-2000-0958

HotJava Browser 3.0 allows remote attackers to access the DOM of a web page by opening a javascript: URL in a named window.

7 AI Score

0.007 EPSS

2001-01-22 05:00 AM

CVE-2000-1075

Directory traversal vulnerability in iPlanet Certificate Management System 4.2 and Directory Server 4.12 allows remote attackers to read arbitrary files via a .. (dot dot) attack in the Agent, End Entity, or Administrator services.

6.6 AI Score

0.008 EPSS

2001-05-07 04:00 AM

CVE-2000-1076

Netscape (iPlanet) Certificate Management System 4.2 and Directory Server 4.12 stores the administrative password in plaintext, which could allow local and possibly remote attackers to gain administrative privileges on the server.

7.5 AI Score

0.006 EPSS

2000-12-11 05:00 AM

CVE-2000-1099

Java Runtime Environment in Java Development Kit (JDK) 1.2.2_05 and earlier can allow an untrusted Java class to call into a disallowed class, which could allow an attacker to escape the Java sandbox and conduct unauthorized activities.

6.9 AI Score

0.006 EPSS

2001-01-22 05:00 AM

CVE-2000-1156

StarOffice 5.2 follows symlinks and sets world-readable permissions for the /tmp/soffice.tmp directory, which allows a local user to read files of the user who is using StarOffice.

6.7 AI Score

0.0004 EPSS

2001-01-09 05:00 AM

CVE-2001-0059

patchadd in Solaris allows local users to overwrite arbitrary files via a symlink attack.

6.7 AI Score

0.0004 EPSS

2001-05-07 04:00 AM

CVE-2001-0077

The clustmon service in Sun Cluster 2.x does not require authentication, which allows remote attackers to obtain sensitive information such as system logs and cluster configurations.

6.6 AI Score

0.005 EPSS

2001-09-18 04:00 AM

CVE-2001-0078

in.mond in Sun Cluster 2.x allows local users to read arbitrary files via a symlink attack on the status file of a host running HA-NFS.

6.6 AI Score

0.0004 EPSS

2001-09-18 04:00 AM

CVE-2001-0095

catman in Solaris 2.7 and 2.8 allows local users to overwrite arbitrary files via a symlink attack on the sman_PID temporary file.

6.3 AI Score

0.0004 EPSS

2001-09-18 04:00 AM

CVE-2001-0115

Buffer overflow in arp command in Solaris 7 and earlier allows local users to execute arbitrary commands via a long -f parameter.

7.8 AI Score

0.0004 EPSS

2001-05-07 04:00 AM

CVE-2001-0124

Buffer overflow in exrecover in Solaris 2.6 and earlier possibly allows local users to gain privileges via a long command line argument.

7.4 AI Score

0.0004 EPSS

2001-05-07 04:00 AM

CVE-2001-0165

Buffer overflow in ximp40 shared library in Solaris 7 and Solaris 8 allows local users to gain privileges via a long "arg0" (process name) argument.

7.2 AI Score

0.0004 EPSS

2001-05-07 04:00 AM

CVE-2001-0190

Buffer overflow in /usr/bin/cu in Solaris 2.8 and earlier, and possibly other operating systems, allows local users to gain privileges by executing cu with a long program name (arg0).

6.9 AI Score

0.0004 EPSS

2001-05-07 04:00 AM

CVE-2001-0229

Chili!Soft ASP for Linux before 3.6 does not properly set group privileges when running in inherited mode, which could allow attackers to gain privileges via malicious scripts.

7.2 AI Score

0.0004 EPSS

2001-05-03 04:00 AM

CVE-2001-0236

Buffer overflow in Solaris snmpXdmid SNMP to DMI mapper daemon allows remote attackers to execute arbitrary commands via a long "indication" event.

7.5 AI Score

0.78 EPSS

2002-03-09 05:00 AM

CVE-2001-0269

pam_ldap authentication module in Solaris 8 allows remote attackers to bypass authentication via a NULL password.

7.3 AI Score

0.005 EPSS

2002-03-09 05:00 AM

CVE-2001-0283

Directory traversal vulnerability in SunFTP build 9 allows remote attackers to read arbitrary files via .. (dot dot) characters in various commands, including (1) GET, (2) MKDIR, (3) RMDIR, (4) RENAME, or (5) PUT.

6.8 AI Score

0.006 EPSS

2001-05-03 04:00 AM

CVE-2001-0353

Buffer overflow in the line printer daemon (in.lpd) for Solaris 8 and earlier allows local and remote attackers to gain root privileges via a "transfer job" routine.

7 AI Score

0.006 EPSS

2001-09-18 04:00 AM

CVE-2001-0401

Buffer overflow in tip in Solaris 8 and earlier allows local users to execute arbitrary commands via a long HOME environmental variable.

7.7 AI Score

0.0004 EPSS

2001-06-18 04:00 AM

Total number of security vulnerabilities: 1486