CVE-2004-0884

7 documents7 sources
Severity
7.2HIGH
EPSS
0.1%
top 81.37%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Conectiva LinuxCyrus Sasl
Timeline
PublishedJan 27
Latest updateApr 29

Description

The (1) libsasl and (2) libsasl2 libraries in Cyrus-SASL 2.1.18 and earlier trust the SASL_PATH environment variable to find all available SASL plug-ins, which allows local users to execute arbitrary code by modifying the SASL_PATH to point to malicious programs.

CVSS vector

AV:L/AC:L/C:C/I:C/A:CExploitability: 3.9 | Impact: 10.0

Affected Packages3 packages

Debiancyrus-sasl2< 2.1.19-1.3+3
NVDcyrus/sasl14 versions+13
NVDconectiva/linux10.0, 9.0+1

Patches

Patch: www.debian.orgPatch: www.securityfocus.comPatch: www.debian.org

🔴Vulnerability Details

3
GHSA
GHSA-pggp-j979-w3jj: The (1) libsasl and (2) libsasl2 libraries in Cyrus-SASL 22022-04-29
OSV
CVE-2004-0884: The (1) libsasl and (2) libsasl2 libraries in Cyrus-SASL 22005-01-27
CVEList
CVE-2004-0884: The (1) libsasl and (2) libsasl2 libraries in Cyrus-SASL 22004-10-21

📋Vendor Advisories

2
Red Hat
security flaw2004-10-07
Debian
CVE-2004-0884: cyrus-sasl2 - The (1) libsasl and (2) libsasl2 libraries in Cyrus-SASL 2.1.18 and earlier trus...2004

💬Community

1
Bugzilla
CVE-2004-0884 security flaw2018-08-16
CVE-2004-0884 (HIGH CVSS 7.2) | The (1) libsasl and (2) libsasl2 li | cvebase.io