cve / Mitre / CVE-2003-1033
History: Apr 15, 2004 - 4:00 a.m.

CVE-2003-1033

2004-04-15 04:00:00
mitre
web.nvd.nist.gov
Tags: cve-2003-1033, sap, db, development tools, instdbmsrv, instlserver, setuid, local users, root privileges, vulnerability

CVSS2: 7.2

Attack Vector: LOCAL
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE

AV:L/AC:L/Au:N/C:C/I:C/A:C

AI Score: 7
Confidence: High

EPSS: 0
Percentile: 5.1%

The (1) instdbmsrv and (2) instlserver programs in SAP DB Development Tools 7.x trust the user-provided INSTROOT environment variable as a path when assigning setuid permissions to the lserver program, which allows local users to gain root privileges via a modified INSTROOT that points to a malicious dbmsrv or lserver program.

Affected configurations

Nvd

Node: sap sap_db Match 7.3.00 OR sap sap_db Match 7.4

| Vendor | Product | Version | CPE |
|--------|---------|---------|-----|
| sap | sap_db | 7.3.00 | cpe:2.3:a:sap:sap_db:7.3.00:*:*:*:*:*:*:* |
| sap | sap_db | 7.4 | cpe:2.3:a:sap:sap_db:7.4:*:*:*:*:*:*:* |
