Lucene search

MitreCVE-2002-1138

HistorySep 01, 2004 - 4:00 a.m.

CVE-2002-1138

2004-09-0104:00:00

mitre

web.nvd.nist.gov

microsoft sql server

privilege escalation

vulnerability

cve-2002-1138

nvd

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

AI Score

7.1

Confidence

Low

EPSS

0.023

Percentile

89.6%

JSON

Microsoft SQL Server 7.0 and 2000, including Microsoft Data Engine (MSDE) 1.0 and Microsoft Desktop Engine (MSDE) 2000, writes output files for scheduled jobs under its own privileges instead of the entity that launched it, which allows attackers to overwrite system files, aka “Flaw in Output File Handling for Scheduled Jobs.”

Affected configurations

Nvd

Node

microsoftdata_engineMatch1.0

microsoftdata_engineMatch2000

microsoftsql_serverMatch7.0

microsoftsql_serverMatch7.0sp1

microsoftsql_serverMatch7.0sp2

microsoftsql_serverMatch7.0sp3

microsoftsql_serverMatch7.0sp4

microsoftsql_serverMatch2000

microsoftsql_serverMatch2000sp1

microsoftsql_serverMatch2000sp2

VendorProductVersionCPE
microsoftdata_engine1.0cpe:2.3:a:microsoft:data_engine:1.0:*:*:*:*:*:*:*
microsoftdata_engine2000cpe:2.3:a:microsoft:data_engine:2000:*:*:*:*:*:*:*
microsoftsql_server7.0cpe:2.3:a:microsoft:sql_server:7.0:*:*:*:*:*:*:*
microsoftsql_server7.0cpe:2.3:a:microsoft:sql_server:7.0:sp1:*:*:*:*:*:*
microsoftsql_server7.0cpe:2.3:a:microsoft:sql_server:7.0:sp2:*:*:*:*:*:*
microsoftsql_server7.0cpe:2.3:a:microsoft:sql_server:7.0:sp3:*:*:*:*:*:*
microsoftsql_server7.0cpe:2.3:a:microsoft:sql_server:7.0:sp4:*:*:*:*:*:*
microsoftsql_server2000cpe:2.3:a:microsoft:sql_server:2000:*:*:*:*:*:*:*
microsoftsql_server2000cpe:2.3:a:microsoft:sql_server:2000:sp1:*:*:*:*:*:*
microsoftsql_server2000cpe:2.3:a:microsoft:sql_server:2000:sp2:*:*:*:*:*:*

Vendor	Product	Version	CPE
microsoft	data_engine	1.0	cpe:2.3:a:microsoft:data_engine:1.0:::::::*
microsoft	data_engine	2000	cpe:2.3:a:microsoft:data_engine:2000:::::::*
microsoft	sql_server	7.0	cpe:2.3:a:microsoft:sql_server:7.0:::::::*
microsoft	sql_server	7.0	cpe:2.3:a:microsoft:sql_server:7.0:sp1::::::
microsoft	sql_server	7.0	cpe:2.3:a:microsoft:sql_server:7.0:sp2::::::
microsoft	sql_server	7.0	cpe:2.3:a:microsoft:sql_server:7.0:sp3::::::
microsoft	sql_server	7.0	cpe:2.3:a:microsoft:sql_server:7.0:sp4::::::
microsoft	sql_server	2000	cpe:2.3:a:microsoft:sql_server:2000:::::::*
microsoft	sql_server	2000	cpe:2.3:a:microsoft:sql_server:2000:sp1::::::
microsoft	sql_server	2000	cpe:2.3:a:microsoft:sql_server:2000:sp2::::::

References

www.ciac.org/ciac/bulletins/n-003.shtml

www.iss.net/security_center/static/10257.php

docs.microsoft.com/en-us/security-updates/securitybulletins/2002/ms02-056

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

AI Score

7.1

Confidence

Low

EPSS

0.023

Percentile

89.6%

JSON

Related for CVE-2002-1138