CVE-2003-1033

3 documents3 sources

Severity

7.2HIGH

EPSS

0.0%

top 89.45%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

SAP SAP DB

Timeline

PublishedApr 15

Latest updateApr 29

Description

The (1) instdbmsrv and (2) instlserver programs in SAP DB Development Tools 7.x trust the user-provided INSTROOT environment variable as a path when assigning setuid permissions to the lserver program, which allows local users to gain root privileges via a modified INSTROOT that points to a malicious dbmsrv or lserver program.

CVSS vector

AV:L/AC:L/C:C/I:C/A:CExploitability: 3.9 | Impact: 10.0

Affected Packages1 packages

▶NVDsap/sap_db7.3.00, 7.4+1

Patches

Patch: www.securityfocus.com ↗Patch: www.securityfocus.com ↗

🔴Vulnerability Details

GHSA

GHSA-r6qc-f493-x3mg: The (1) instdbmsrv and (2) instlserver programs in SAP DB Development Tools 7↗2022-04-29

▶

CVEList

CVE-2003-1033: The (1) instdbmsrv and (2) instlserver programs in SAP DB Development Tools 7↗2004-03-16

▶