CVE-2003-0124 - Unspecified vulnerability in Andries Brouwer MAN

Publication: 2003-03-18

man before 1.5l allows attackers to execute arbitrary code via a malformed man file with improper quotes, which causes the my_xsprintf function to return a string with the value "unsafe," which is then executed as a program via a system call if it is in the search path of the user who runs man.
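A simplified model of the failure mode described above, as an added example (not code from man or from this page): a command builder signals rejection in-band by returning the string "unsafe", so a caller that does not check for it would pass that string to system() as a command. The function names, the allow-list and the `cat` template are assumptions made for illustration; nothing is executed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumed allow-list: letters, digits and a few path characters. */
static int is_shell_safe(const char *s) {
    for (; *s; s++)
        if (!isalnum((unsigned char)*s) && !strchr("._/-", *s))
            return 0;
    return 1;
}

/* Weak: rejection is reported in-band, as a string that is also a
 * plausible program name. */
static const char *build_cmd_weak(char *buf, size_t n, const char *file) {
    if (!is_shell_safe(file))
        return "unsafe";
    snprintf(buf, n, "cat %s", file);
    return buf;
}

/* Hardened: rejection is an error code, never a string. */
static int build_cmd_checked(char *buf, size_t n, const char *file) {
    int len;
    if (!is_shell_safe(file))
        return -1;
    len = snprintf(buf, n, "cat %s", file);
    return (len < 0 || (size_t)len >= n) ? -1 : 0;
}

/* What a caller that skips the sentinel check would pass to system(). */
const char *would_execute_weak(const char *file) {
    static char buf[256];
    return build_cmd_weak(buf, sizeof buf, file);
}

/* What a checking caller would pass to system(); NULL means run nothing. */
const char *would_execute_checked(const char *file) {
    static char buf[256];
    return build_cmd_checked(buf, sizeof buf, file) == 0 ? buf : NULL;
}

int main(void) {
    const char *bad = "page\".1";   /* constructed name with a stray quote */
    const char *cmd = would_execute_checked(bad);
    printf("weak:    %s\n", would_execute_weak(bad));
    printf("checked: %s\n", cmd ? cmd : "(refused)");
    return 0;
}
```

With the weak builder the rejected input still yields a runnable command string, resolved through the user's search path; the hardened form leaves the caller nothing to execute.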

Risk level (CVSS 4.6)



Access Vector

  • Network
  • Adjacent Network
  • Local

Access Complexity

  • Low
  • Medium
  • High


Authentication

  • None
  • Single
  • Multiple

Confidentiality Impact

  • Complete
  • Partial
  • None

Integrity Impact

  • Complete
  • Partial
  • None

Affected Products

  • Andries Brouwer MAN 1.5h1
  • Andries Brouwer MAN 1.5i
  • Andries Brouwer MAN 1.5i2
  • Andries Brouwer MAN 1.5j
  • Andries Brouwer MAN 1.5k