CVE-2004-0180 - Unspecified vulnerability in CVS

Attack vector: NETWORK
Attack complexity: HIGH
Privileges required: NONE
Confidentiality impact: NONE
Integrity impact: PARTIAL
Availability impact: NONE

Summary
The client for CVS before 1.11 allows a remote malicious CVS server to create arbitrary files using certain RCS diff files that use absolute pathnames during checkouts or updates, a different vulnerability than CVE-2004-0405.
Nessus
NASL family: Red Hat Local Security Checks
NASL id: REDHAT-RHSA-2004-153.NASL
description: Updated cvs packages that fix a client vulnerability that could be exploited by a malicious server are now available. [Updated Apr 19 2004] The description text has been updated to include CVE-2004-0405 which was also fixed but not mentioned when this advisory was first released. There has been no change to the packages associated with this advisory. CVS is a version control system frequently used to manage source code repositories. Sebastian Krahmer discovered a flaw in CVS clients where rcs diff files can create files with absolute pathnames. An attacker could create a fake malicious CVS server that would cause arbitrary files to be created or overwritten when a victim connects to it. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0180 to this issue. Derek Price discovered a vulnerability whereby a CVS pserver could be abused by a malicious client to view the contents of certain files outside of the CVS root directory using relative pathnames containing '../'. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0405 to this issue. Users of CVS are advised to upgrade to these erratum packages, which contain a patch correcting this issue.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 12484
published: 2004-07-06
reporter: This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/12484
title: RHEL 2.1 / 3 : cvs (RHSA-2004:153)
code:

#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Red Hat Security Advisory RHSA-2004:153. The text
# itself is copyright (C) Red Hat, Inc.
#

include("compat.inc");

if (description)
{
  script_id(12484);
  script_version ("1.25");
  script_cvs_date("Date: 2019/10/25 13:36:10");

  script_cve_id("CVE-2004-0180", "CVE-2004-0405");
  script_xref(name:"RHSA", value:"2004:153");

  script_name(english:"RHEL 2.1 / 3 : cvs (RHSA-2004:153)");
  script_summary(english:"Checks the rpm output for the updated package");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Red Hat host is missing a security update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Updated cvs packages that fix a client vulnerability that could be
exploited by a malicious server are now available.

[Updated Apr 19 2004] The description text has been updated to include
CVE-2004-0405 which was also fixed but not mentioned when this advisory
was first released. There has been no change to the packages associated
with this advisory.

CVS is a version control system frequently used to manage source code
repositories.

Sebastian Krahmer discovered a flaw in CVS clients where rcs diff files
can create files with absolute pathnames. An attacker could create a
fake malicious CVS server that would cause arbitrary files to be created
or overwritten when a victim connects to it. The Common Vulnerabilities
and Exposures project (cve.mitre.org) has assigned the name
CVE-2004-0180 to this issue.

Derek Price discovered a vulnerability whereby a CVS pserver could be
abused by a malicious client to view the contents of certain files
outside of the CVS root directory using relative pathnames containing
'../'. The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2004-0405 to this issue.

Users of CVS are advised to upgrade to these erratum packages, which
contain a patch correcting this issue."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/security/cve/cve-2004-0180"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/security/cve/cve-2004-0405"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/errata/RHSA-2004:153"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected cvs package.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:cvs");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:2.1");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:3");

  script_set_attribute(attribute:"vuln_publication_date", value:"2004/06/01");
  script_set_attribute(attribute:"patch_publication_date", value:"2004/04/17");
  script_set_attribute(attribute:"plugin_publication_date", value:"2004/07/06");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Red Hat Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("rpm.inc");

# Local checks need an authenticated session and the rpm inventory.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
os_ver = os_ver[1];
if (!preg(pattern:"^(2\.1|3)([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 2.1 / 3.x", "Red Hat " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);

# Prefer the yum updateinfo view of the advisory when the target provides it;
# otherwise fall back to comparing the installed cvs rpm against the fixed builds.
yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
if (!empty_or_null(yum_updateinfo))
{
  rhsa = "RHSA-2004:153";
  yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
  if (!empty_or_null(yum_report))
  {
    security_report_v4(
      port     : 0,
      severity : SECURITY_WARNING,
      extra    : yum_report
    );
    exit(0);
  }
  else
  {
    audit_message = "affected by Red Hat security advisory " + rhsa;
    audit(AUDIT_OS_NOT, audit_message);
  }
}
else
{
  flag = 0;
  if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"cvs-1.11.1p1-12")) flag++;
  if (rpm_check(release:"RHEL3", reference:"cvs-1.11.2-18")) flag++;

  if (flag)
  {
    security_report_v4(
      port     : 0,
      severity : SECURITY_WARNING,
      extra    : rpm_report_get() + redhat_report_package_caveat()
    );
    exit(0);
  }
  else
  {
    tested = pkg_tests_get();
    if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
    else audit(AUDIT_PACKAGE_NOT_INSTALLED, "cvs");
  }
}
NASL family: Debian Local Security Checks
NASL id: DEBIAN_DSA-486.NASL
description: Two vulnerabilities have been discovered and fixed in CVS : - CAN-2004-0180 Sebastian Krahmer discovered a vulnerability whereby a malicious CVS pserver could create arbitrary files on the client system during an update or checkout operation, by supplying absolute pathnames in RCS diffs. - CAN-2004-0405 Derek Robert Price discovered a vulnerability whereby a CVS pserver could be abused by a malicious client to view the contents of certain files outside of the CVS root directory using relative pathnames containing '../'.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 15323
published: 2004-09-29
reporter: This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/15323
title: Debian DSA-486-1 : cvs - several vulnerabilities
code:

#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory DSA-486. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#

include("compat.inc");

if (description)
{
  script_id(15323);
  script_version("1.19");
  script_cvs_date("Date: 2019/08/02 13:32:18");

  script_cve_id("CVE-2004-0180", "CVE-2004-0405");
  script_bugtraq_id(10138, 10140);
  script_xref(name:"DSA", value:"486");

  script_name(english:"Debian DSA-486-1 : cvs - several vulnerabilities");
  script_summary(english:"Checks dpkg output for the updated package");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Debian host is missing a security-related update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Two vulnerabilities have been discovered and fixed in CVS :

  - CAN-2004-0180
    Sebastian Krahmer discovered a vulnerability whereby a
    malicious CVS pserver could create arbitrary files on the
    client system during an update or checkout operation, by
    supplying absolute pathnames in RCS diffs.

  - CAN-2004-0405
    Derek Robert Price discovered a vulnerability whereby a
    CVS pserver could be abused by a malicious client to view
    the contents of certain files outside of the CVS root
    directory using relative pathnames containing '../'."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.debian.org/security/2004/dsa-486"
  );
  script_set_attribute(
    attribute:"solution",
    value:
"For the current stable distribution (woody) these problems have been
fixed in version 1.11.1p1debian-9woody2.

We recommend that you update your cvs package."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:cvs");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.0");

  script_set_attribute(attribute:"patch_publication_date", value:"2004/04/16");
  script_set_attribute(attribute:"plugin_publication_date", value:"2004/09/29");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
  script_family(english:"Debian Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}

include("audit.inc");
include("debian_package.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);

# Flag the host if the installed cvs package is older than the woody fix.
flag = 0;
if (deb_check(release:"3.0", prefix:"cvs", reference:"1.11.1p1debian-9woody2")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());
  else security_warning(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
NASL family: Gentoo Local Security Checks
NASL id: GENTOO_GLSA-200404-13.NASL
description: The remote host is affected by the vulnerability described in GLSA-200404-13 (CVS Server and Client Vulnerabilities). There are two vulnerabilities in CVS; one in the server and one in the client. The server vulnerability allows a malicious client to request the contents of any RCS file to which the server has permission, even those not located under $CVSROOT. The client vulnerability allows a malicious server to overwrite files on the client machine anywhere the client has permissions. Impact : Arbitrary files may be read or written on CVS clients and servers by anybody with access to the CVS tree. Workaround : There is no known workaround at this time. All users are encouraged to upgrade to the latest stable version of CVS.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 14478
published: 2004-08-30
reporter: This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/14478
title: GLSA-200404-13 : CVS Server and Client Vulnerabilities

NASL family: FreeBSD Local Security Checks
NASL id: FREEBSD_PKG_0792E7A78E3711D890D10020ED76EF5A.NASL
description: Two programming errors were discovered in which path names handled by CVS were not properly validated. In one case, the CVS client accepts absolute path names from the server when determining which files to update. In another case, the CVS server accepts relative path names from the client when determining which files to transmit, including those containing references to parent directories (`../
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 36645
published: 2009-04-23
reporter: This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/36645
title: FreeBSD : CVS path validation errors (0792e7a7-8e37-11d8-90d1-0020ed76ef5a)

NASL family: Mandriva Local Security Checks
NASL id: MANDRAKE_MDKSA-2004-028.NASL
description: Sebastian Krahmer from the SUSE security team discovered a remotely exploitable vulnerability in the CVS client. When doing a cvs checkout or update over a network, the client accepts absolute pathnames in the RCS diff files. A maliciously configured server could then create any file with content on the local user
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 14127
published: 2004-07-31
reporter: This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/14127
title: Mandrake Linux Security Advisory : cvs (MDKSA-2004:028)

NASL family: FreeBSD Local Security Checks
NASL id: FREEBSD_CVS_PATH_VALIDATION.NASL
description: The following package needs to be updated: cvs+ipv6
last seen: 2016-09-26
modified: 2004-07-06
plugin id: 12531
published: 2004-07-06
reporter: Tenable
source: https://www.tenable.com/plugins/index.php?view=single&id=12531
title: FreeBSD : CVS path validation errors (32)

NASL family: Slackware Local Security Checks
NASL id: SLACKWARE_SSA_2004-108-02.NASL
description: CVS is a client/server version control system. As a server, it is used to host source code repositories. As a client, it is used to access such repositories. This advisory affects both uses of CVS. A security problem which could allow a server to create arbitrary files on a client machine, and another security problem which may allow a client to view files outside of the CVS repository have been fixed with the release of cvs-1.11.15. Any sites running CVS should upgrade to the new CVS package.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 18765
published: 2005-07-13
reporter: This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/18765
title: Slackware 8.1 / 9.0 / 9.1 / current : cvs security update (SSA:2004-108-02)
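The advisories above describe two path-validation defects with one root cause: CVS trusted a pathname sent by the peer. On the client, an absolute pathname in a server-supplied RCS diff lets the server write anywhere the user can (CVE-2004-0180); on the server, a "../" component in a client-supplied name lets the client read RCS files outside $CVSROOT (CVE-2004-0405). The following is an added example, not CVS project code and not the upstream patch: a single check, applied to any pathname received from a peer, that rejects both shapes. The function name cvs_peer_path_is_safe and the sample pathnames are this example's own, and it assumes POSIX "/" separators only (a Windows port would also need to reject "\" and drive-letter prefixes).

```c
/* Added example: peer-supplied pathname validation for the CVS
 * client/server protocol. Not CVS project code. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Returns true only if `path` is a relative name with no ".." component.
 *
 * Rule 1 (client side, CVE-2004-0180): a leading '/' means the server is
 * naming a file outside the working copy; refuse it.
 * Rule 2 (server side, CVE-2004-0405): a ".." component means the client
 * is naming a file outside $CVSROOT; refuse it.
 * "." components and names that merely start with ".." (e.g. "..foo")
 * are left alone, since they cannot escape the base directory. */
bool cvs_peer_path_is_safe(const char *path)
{
    if (path == NULL || *path == '\0')
        return false;                        /* nothing to open; reject */
    if (path[0] == '/')
        return false;                        /* absolute pathname from peer */

    const char *p = path;
    while (*p != '\0') {
        const char *slash = strchr(p, '/');
        size_t len = slash ? (size_t)(slash - p) : strlen(p);
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return false;                    /* ".." component: traversal */
        p = slash ? slash + 1 : p + len;     /* advance past this component */
    }
    return true;
}

/* Constructed sample pathnames (not captured traffic) with the verdict
 * the checker is expected to give. */
struct sample {
    const char *path;
    bool expect_safe;
};

static const struct sample samples[] = {
    { "src/main.c",                         true  },  /* ordinary relative name */
    { "./src/main.c",                       true  },  /* "." is harmless */
    { "src/..hidden/file.c",                true  },  /* "..hidden" is not ".." */
    { "dir/",                               true  },  /* trailing slash, no escape */
    { "/etc/passwd",                        false },  /* CVE-2004-0180 shape */
    { "/home/user/.ssh/authorized_keys",    false },  /* CVE-2004-0180 shape */
    { "../../etc/shadow,v",                 false },  /* CVE-2004-0405 shape */
    { "module/../../../CVSROOT/passwd",     false },  /* ".." after a valid prefix */
    { "",                                   false },  /* empty name */
};

/* Runs every sample through the checker and returns how many verdicts
 * differ from the expectation; 0 means the rules above hold. */
int run_samples(void)
{
    int mismatches = 0;
    size_t n = sizeof samples / sizeof samples[0];
    for (size_t i = 0; i < n; i++) {
        bool got = cvs_peer_path_is_safe(samples[i].path);
        if (got != samples[i].expect_safe) {
            mismatches++;
            printf("MISMATCH %-36s got=%d want=%d\n",
                   samples[i].path, (int)got, (int)samples[i].expect_safe);
        }
    }
    return mismatches;
}

int main(void)
{
    int mismatches = run_samples();
    printf("%d mismatch(es) across %zu samples\n",
           mismatches, sizeof samples / sizeof samples[0]);
    return mismatches == 0 ? 0 : 1;
}
```

The check is deliberately a whitelist on shape rather than a string search for "../": a search would miss a bare ".." at the end of a name and would wrongly reject "..hidden". The same function serves both directions because the protocol is symmetric about trust: neither side should let the other choose a filesystem location outside the agreed root.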
Oval
id: oval:org.mitre.oval:def:1042
title: Malicious CVS Server RCS diff File Vulnerability in CVS Client
class: vulnerability
family: unix
status: accepted
version: 38
submitted: 2004-05-10T12:00:00.000-04:00
accepted: 2007-04-25T19:52:12.726-04:00
contributors: Jay Beale (Bastille Linux); Thomas R. Jones (Maitreya Security)
description: The client for CVS before 1.11 allows a remote malicious CVS server to create arbitrary files using certain RCS diff files that use absolute pathnames during checkouts or updates, a different vulnerability than CVE-2004-0405.

id: oval:org.mitre.oval:def:9462
title: The client for CVS before 1.11 allows a remote malicious CVS server to create arbitrary files using certain RCS diff files that use absolute pathnames during checkouts or updates, a different vulnerability than CVE-2004-0405.
class: vulnerability
family: unix
status: accepted
version: 26
submitted: 2010-07-09T03:56:16-04:00
accepted: 2013-04-29T04:19:34.954-04:00
contributors: Aharon Chernin (SCAP.com, LLC); Dragos Prisaca (G2, Inc.)
definition_extensions: The operating system installed on the system is Red Hat Enterprise Linux 3 (oval:org.mitre.oval:def:11782); CentOS Linux 3.x (oval:org.mitre.oval:def:16651)
description: The client for CVS before 1.11 allows a remote malicious CVS server to create arbitrary files using certain RCS diff files that use absolute pathnames during checkouts or updates, a different vulnerability than CVE-2004-0405.
References
- ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-04:07.cvs.asc
- ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.5/common/002_cvs.patch
- ftp://patches.sgi.com/support/free/security/advisories/20040404-01-U.asc
- http://marc.info/?l=bugtraq&m=108636445031613&w=2
- http://secunia.com/advisories/11368
- http://secunia.com/advisories/11371
- http://secunia.com/advisories/11374
- http://secunia.com/advisories/11375
- http://secunia.com/advisories/11377
- http://secunia.com/advisories/11380
- http://secunia.com/advisories/11391
- http://secunia.com/advisories/11400
- http://secunia.com/advisories/11405
- http://secunia.com/advisories/11548
- http://security.gentoo.org/glsa/glsa-200404-13.xml
- http://www.debian.org/security/2004/dsa-486
- http://www.mandriva.com/security/advisories?name=MDKSA-2004:028
- http://www.redhat.com/support/errata/RHSA-2004-153.html
- http://www.redhat.com/support/errata/RHSA-2004-154.html
- http://www.slackware.com/security/viewer.php?l=slackware-security&y=2004&m=slackware-security.400181
- https://exchange.xforce.ibmcloud.com/vulnerabilities/15864
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1042
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9462