CVE-2005-2758

CWE-200 — Information Exposure CWE-22 — Path Traversal6 documents5 sources

Severity

10.0CRITICAL

EPSS

24.0%

top 3.97%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Symantec Antivirus Scan Engine Symantec Antivirus Scan Engine FOR Network Attached Storage

Timeline

PublishedOct 5

Latest updateMay 1

Description

Integer signedness error in the administrative interface for Symantec AntiVirus Scan Engine 4.0 and 4.3 allows remote attackers to execute arbitrary code via crafted HTTP headers with negative values, which lead to a heap-based buffer overflow.

CVSS vector

AV:N/AC:L/C:C/I:C/A:CExploitability: 10.0 | Impact: 10.0

Affected Packages1 packages

▶NVDsymantec/antivirus_scan_engine4.0, 4.3+1

Patches

Patch: www.idefense.com ↗Patch: www.symantec.com ↗Patch: www.idefense.com ↗

🔴Vulnerability Details

GHSA

GHSA-7pc3-f52v-pph8: Integer signedness error in the administrative interface for Symantec AntiVirus Scan Engine 4↗2022-05-01

▶

GHSA

Mortbay Jetty Discloses JSP Source Code↗2022-05-01

▶

GHSA

Jetty Directory Traversal Vulnerability↗2022-05-01

▶

CVEList

CVE-2005-2758: Integer signedness error in the administrative interface for Symantec AntiVirus Scan Engine 4↗2005-10-05

▶

📋Vendor Advisories

Red Hat

jetty: Jetty URL encoded format directory traversal↗2005-11-18

▶