CVE-2010-2540
Published 2010-08-02
PriorityP344critical10CVSS 2.0
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EPSS: 3.83% (88.8th percentile)
mapserv.c in mapserv in MapServer before 4.10.6 and 5.x before 5.6.4 does not properly restrict the use of CGI command-line arguments that were intended for debugging, which allows remote attackers to have an unspecified impact via crafted arguments.
Affected
25 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | mapserver | < mapserver 5.6.4-1 (bookworm) | mapserver 5.6.4-1 (bookworm) |
| osgeo | mapserver | <= 4.10.5 | — |
| osgeo | mapserver | <= 5.6.3 | — |
| osgeo | mapserver | — | — |
| osgeo | mapserver | >= 0 < 5.6.4-1 | 5.6.4-1 |
| umn | mapserver | — | — |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| osv | — | 10.0 | CRITICAL | — |
| vendor_debian | — | 10.0 | CRITICAL | — |
Debian
vendor_debian · 2010 · CVSS 10.0 · CRITICAL
CVE-2010-2540: mapserver
mapserv.c in mapserv in MapServer before 4.10.6 and 5.x before 5.6.4 does not properly restrict the use of CGI command-line arguments that were intended for debugging, which allows remote attackers to have an unspecified impact via crafted arguments.
Scope: local
bookworm: resolved (fixed in 5.6.4-1)
bullseye: resolved (fixed in 5.6.4-1)
forky: resolved (fixed in 5.6.4-1)
sid: resolved (fixed in 5.6.4-1)
trixie: resolved (fixed in 5.6.4-1)
GHSA
ghsa_unreviewed · 2022-05-13 · HIGH
GHSA-rvf8-gfc4-3j6f: mapserv (CVE-2010-2540)
mapserv.c in mapserv in MapServer before 4.10.6 and 5.x before 5.6.4 does not properly restrict the use of CGI command-line arguments that were intended for debugging, which allows remote attackers to have an unspecified impact via crafted arguments.
OSV
osv · 2010-08-02 · CVSS 10.0 · CRITICAL
CVE-2010-2540: mapserv
mapserv.c in mapserv in MapServer before 4.10.6 and 5.x before 5.6.4 does not properly restrict the use of CGI command-line arguments that were intended for debugging, which allows remote attackers to have an unspecified impact via crafted arguments.
No detection rules found.
No public exploits indexed.
Bugzilla
bugzilla · 2010-07-22 · CVSS 10.0 · CRITICAL
CVE-2010-2540 MapServer: Disable insecure mapserv CGI command-line debug args (Trac#3485)
MapServer upstream during security audit of MapServer v5.6 identified that
some of the mapserv CGI command-line debug arguments constitute a security
risk that could potentially be exploited. These arguments should be used
only by developers that use those command-line arguments to debug and test
the software.
References:
[1] http://trac.osgeo.org/mapserver/ticket/3485
Upstream patch (against 5-4 SVN branch):
[2] http://trac.osgeo.org/mapserver/changeset/10314
Upstream patch (against trunk):
[3] http://trac.osgeo.org/mapserver/changeset/10319
Discussion:
This issue affects the versions of the mapserver package, as shipped
with Fedora release of 12 and 13.
Please fix.
---
Created mapserver tra
Bugzilla
bugzilla · 2010-07-22 · CVSS 2.1 · LOW
CVE-2010-2539 CVE-2010-2540 mapserver various flaws [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected Fedora
versions.
For comments that are specific to the vulnerability please use bugs filed
against "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please include the bug IDs of the
respective parent bugs filed against the "Security Response" product.
Please mention CVE ids in the RPM changelog when available.
Bodhi update submission link:
https://admin.fedoraproject.org/updates/new/?type_=security&bugs=617312
Please note: this issue affects multiple supporte
References
- http://lists.osgeo.org/pipermail/mapserver-users/2010-July/066052.html
- http://marc.info/?l=oss-security&m=127973381215859&w=2
- http://marc.info/?l=oss-security&m=127973754121922&w=2
- http://trac.osgeo.org/mapserver/ticket/3485
- http://www.securityfocus.com/bid/41855
- https://exchange.xforce.ibmcloud.com/vulnerabilities/60852