CVE-2003-0977
published 2004-01-05CVE-2003-0977: CVS server before 1.11.10 may allow attackers to cause the CVS server to create directories and files in the file system root directory via malformed module…
PriorityP426high7.5CVSS 2.0
AVNACLAuNCPIPAP
EPSS
2.29%
81.1th percentile
CVS server before 1.11.10 may allow attackers to cause the CVS server to create directories and files in the file system root directory via malformed module requests.
Affected
18 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cvs | cvs | — | — |
| cvs | cvs | — | — |
| cvs | cvs | — | — |
| cvs | cvs | — | — |
| cvs | cvs | — | — |
| cvs | cvs | — | — |
| cvs | cvs | — | — |
| cvs | cvs | — | — |
| cvs | cvs | — | — |
| cvs | cvs | — | — |
| cvs | cvs | >= 0 < 1:1.11.10 | 1:1.11.10 |
| cvs | cvs | >= 0 < 1:1.11.10 | 1:1.11.10 |
| cvs | cvs | >= 0 < 1:1.11.10 | 1:1.11.10 |
| cvs | cvs | >= 0 < 1:1.11.10 | 1:1.11.10 |
| debian | cvs | < cvs 1:1.11.10 (bookworm) | cvs 1:1.11.10 (bookworm) |
| slackware | slackware_linux | — | — |
| slackware | slackware_linux | — | — |
| slackware | slackware_linux | — | — |
CVSS provenance
nvdv2.07.5HIGHAV:N/AC:L/Au:N/C:P/I:P/A:P
osv7.5HIGH
vendor_debian7.5HIGH
vendor_redhat7.5HIGH
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Red Hat
security flaw
vendor_redhat·2003-12-17·CVSS 7.5
CVE-2003-0977 [HIGH] security flaw
security flaw
CVS server before 1.11.10 may allow attackers to cause the CVS server to create directories and files in the file system root directory via malformed module requests.
Debian
CVE-2003-0977: cvs - CVS server before 1.11.10 may allow attackers to cause the CVS server to create ...
vendor_debian·2003·CVSS 7.5
CVE-2003-0977 [HIGH] CVE-2003-0977: cvs - CVS server before 1.11.10 may allow attackers to cause the CVS server to create ...
CVS server before 1.11.10 may allow attackers to cause the CVS server to create directories and files in the file system root directory via malformed module requests.
Scope: local
bookworm: resolved (fixed in 1:1.11.10)
bullseye: resolved (fixed in 1:1.11.10)
forky: resolved (fixed in 1:1.11.10)
sid: resolved (fixed in 1:1.11.10)
trixie: resolved (fixed in 1:1.11.10)
GHSA
GHSA-4jrq-7cgx-qq88: CVS server before 1
ghsa_unreviewed·2022-05-03
CVE-2003-0977 [HIGH] GHSA-4jrq-7cgx-qq88: CVS server before 1
CVS server before 1.11.10 may allow attackers to cause the CVS server to create directories and files in the file system root directory via malformed module requests.
OSV
CVE-2003-0977: CVS server before 1
osv·2004-01-05·CVSS 7.5
CVE-2003-0977 [HIGH] CVE-2003-0977: CVS server before 1
CVS server before 1.11.10 may allow attackers to cause the CVS server to create directories and files in the file system root directory via malformed module requests.
Suricata
GPL MISC CVS non-relative path error response
suricata·2010-09-23
CVE-2003-0977 GPL MISC CVS non-relative path error response
GPL MISC CVS non-relative path error response
Rule: alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"GPL MISC CVS non-relative path error response"; flow:established,to_client; content:"E cvs server|3A| warning|3A| cannot make directory CVS in /"; reference:bugtraq,9178; reference:cve,2003-0977; classtype:misc-attack; sid:2102317; rev:6; metadata:created_at 2010_09_23, cve CVE_2003_0977, signature_severity Informational, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_03_08;)
No public exploits indexed.
Bugzilla
CVE-2003-0977 security flaw
bugzilla·2018-08-16·CVSS 7.5
CVE-2003-0977 [HIGH] CVE-2003-0977 security flaw
CVE-2003-0977 security flaw
Flaw bug created to hold information about an old flaw we knew something about. For more details see the MITRE CVE description.
Discussion:
MITRE description:
CVS server before 1.11.10 may allow attackers to cause the CVS server to create directories and files in the file system root directory via malformed module requests.
Bugzilla
CAN-2003-0977 fix pushed for RH9, but not FC1
bugzilla·2004-03-20
[MEDIUM] CAN-2003-0977 fix pushed for RH9, but not FC1
CAN-2003-0977 fix pushed for RH9, but not FC1
Description of problem:
CAN-2003-0977 fix pushed for RH9, but not FC1
Version-Release number of selected component (if applicable):
cvs-1.11.5-3
Additional info:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=111221#c5
https://rhn.redhat.com/errata/RHSA-2004-003.html
http://ccvs.cvshome.org/servlets/NewsItemView?newsID=84
http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0081.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0977
Discussion:
A rebuild from cvs-1.11.11-1 (or higher) from Fedora Development
at Fedora Core 1 solves the problem, so maybe one of the Red Hat
maintainers could do that? Would be very nice :)
BTW: Maybe the kerberos 4 support has to be disabled.
---
Maybe that issue is fixed soon by one of
ftp://patches.sgi.com/support/free/security/advisories/20040103-01-U.ascftp://patches.sgi.com/support/free/security/advisories/20040202-01-U.aschttp://ccvs.cvshome.org/servlets/NewsItemView?newsID=84&JServSessionIdservlets=8u3x1myav1http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000808http://marc.info/?l=bugtraq&m=107168035515554&w=2http://marc.info/?l=bugtraq&m=107540163908129&w=2http://secunia.com/advisories/10601http://www.debian.org/security/2004/dsa-422http://www.mandriva.com/security/advisories?name=MDKSA-2003:112http://www.redhat.com/support/errata/RHSA-2004-003.htmlhttp://www.redhat.com/support/errata/RHSA-2004-004.htmlhttps://exchange.xforce.ibmcloud.com/vulnerabilities/13929https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11528https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A855https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A866ftp://patches.sgi.com/support/free/security/advisories/20040103-01-U.ascftp://patches.sgi.com/support/free/security/advisories/20040202-01-U.aschttp://ccvs.cvshome.org/servlets/NewsItemView?newsID=84&JServSessionIdservlets=8u3x1myav1http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000808http://marc.info/?l=bugtraq&m=107168035515554&w=2http://marc.info/?l=bugtraq&m=107540163908129&w=2http://secunia.com/advisories/10601http://www.debian.org/security/2004/dsa-422http://www.mandriva.com/security/advisories?name=MDKSA-2003:112http://www.redhat.com/support/errata/RHSA-2004-003.htmlhttp://www.redhat.com/support/errata/RHSA-2004-004.htmlhttps://exchange.xforce.ibmcloud.com/vulnerabilities/13929https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11528https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A855https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A866
2004-01-05
Published