CVE-2004-0180 - Unspecified vulnerability in CVS

047910
CVSS 2.6 - LOW
Attack vector: NETWORK
Attack complexity: HIGH
Privileges required: NONE
Confidentiality impact: NONE
Integrity impact: PARTIAL
Availability impact: NONE

Tags: network, high complexity, cvs, nessus

Summary

The client for CVS before 1.11 allows a remote malicious CVS server to create arbitrary files using certain RCS diff files that use absolute pathnames during checkouts or updates, a different vulnerability than CVE-2004-0405.

Vulnerable Configurations

Part         Description   Count
Application  Cvs           1

Nessus

  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2004-153.NASL
    description: Updated cvs packages that fix a client vulnerability that could be exploited by a malicious server are now available. [Updated Apr 19 2004] The description text has been updated to include CVE-2004-0405 which was also fixed but not mentioned when this advisory was first released. There has been no change to the packages associated with this advisory. CVS is a version control system frequently used to manage source code repositories. Sebastian Krahmer discovered a flaw in CVS clients where rcs diff files can create files with absolute pathnames. An attacker could create a fake malicious CVS server that would cause arbitrary files to be created or overwritten when a victim connects to it. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0180 to this issue. Derek Price discovered a vulnerability whereby a CVS pserver could be abused by a malicious client to view the contents of certain files outside of the CVS root directory using relative pathnames containing
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 12484
    published: 2004-07-06
    reporter: This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/12484
    title: RHEL 2.1 / 3 : cvs (RHSA-2004:153)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2004:153. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(12484);
      script_version ("1.25");
      script_cvs_date("Date: 2019/10/25 13:36:10");
    
      script_cve_id("CVE-2004-0180", "CVE-2004-0405");
      script_xref(name:"RHSA", value:"2004:153");
    
      script_name(english:"RHEL 2.1 / 3 : cvs (RHSA-2004:153)");
      script_summary(english:"Checks the rpm output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Red Hat host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Updated cvs packages that fix a client vulnerability that could be
    exploited by a malicious server are now available.
    
    [Updated Apr 19 2004] The description text has been updated to include
    CVE-2004-0405 which was also fixed but not mentioned when this
    advisory was first released. There has been no change to the packages
    associated with this advisory.
    
    CVS is a version control system frequently used to manage source code
    repositories.
    
    Sebastian Krahmer discovered a flaw in CVS clients where rcs diff
    files can create files with absolute pathnames. An attacker could
    create a fake malicious CVS server that would cause arbitrary files to
    be created or overwritten when a victim connects to it. The Common
    Vulnerabilities and Exposures project (cve.mitre.org) has assigned the
    name CVE-2004-0180 to this issue.
    
    Derek Price discovered a vulnerability whereby a CVS pserver could be
    abused by a malicious client to view the contents of certain files
    outside of the CVS root directory using relative pathnames containing
    '../'. The Common Vulnerabilities and Exposures project
    (cve.mitre.org) has assigned the name CVE-2004-0405 to this issue.
    
    Users of CVS are advised to upgrade to these erratum packages, which
    contain a patch correcting this issue."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2004-0180"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2004-0405"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2004:153"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected cvs package.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:cvs");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:2.1");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:3");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2004/06/01");
      script_set_attribute(attribute:"patch_publication_date", value:"2004/04/17");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/07/06");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = os_ver[1];
    if (! preg(pattern:"^(2\.1|3)([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 2.1 / 3.x", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo)) 
    {
      rhsa = "RHSA-2004:153";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_WARNING,
          extra      : yum_report 
        );
        exit(0);
      }
      else
      {
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    else
    {
      flag = 0;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"cvs-1.11.1p1-12")) flag++;
    
      if (rpm_check(release:"RHEL3", reference:"cvs-1.11.2-18")) flag++;
    
      if (flag)
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_WARNING,
          extra      : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "cvs");
      }
    }
    
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-486.NASL
    description: Two vulnerabilities have been discovered and fixed in CVS : - CAN-2004-0180 Sebastian Krahmer discovered a vulnerability whereby a malicious CVS pserver could create arbitrary files on the client system during an update or checkout operation, by supplying absolute pathnames in RCS diffs. - CAN-2004-0405 Derek Robert Price discovered a vulnerability whereby a CVS pserver could be abused by a malicious client to view the contents of certain files outside of the CVS root directory using relative pathnames containing
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 15323
    published: 2004-09-29
    reporter: This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/15323
    title: Debian DSA-486-1 : cvs - several vulnerabilities
    code:
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-486. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(15323);
      script_version("1.19");
      script_cvs_date("Date: 2019/08/02 13:32:18");
    
      script_cve_id("CVE-2004-0180", "CVE-2004-0405");
      script_bugtraq_id(10138, 10140);
      script_xref(name:"DSA", value:"486");
    
      script_name(english:"Debian DSA-486-1 : cvs - several vulnerabilities");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Two vulnerabilities have been discovered and fixed in CVS :
    
      - CAN-2004-0180
        Sebastian Krahmer discovered a vulnerability whereby a
        malicious CVS pserver could create arbitrary files on
        the client system during an update or checkout
        operation, by supplying absolute pathnames in RCS diffs.
    
      - CAN-2004-0405
    
        Derek Robert Price discovered a vulnerability whereby a
        CVS pserver could be abused by a malicious client to
        view the contents of certain files outside of the CVS
        root directory using relative pathnames containing
        '../'."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.debian.org/security/2004/dsa-486"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "For the current stable distribution (woody) these problems have been
    fixed in version 1.11.1p1debian-9woody2.
    
    We recommend that you update your cvs package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:cvs");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2004/04/16");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/09/29");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"3.0", prefix:"cvs", reference:"1.11.1p1debian-9woody2")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());
      else security_warning(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL family: Gentoo Local Security Checks
    NASL id: GENTOO_GLSA-200404-13.NASL
    description: The remote host is affected by the vulnerability described in GLSA-200404-13 (CVS Server and Client Vulnerabilities) There are two vulnerabilities in CVS; one in the server and one in the client. The server vulnerability allows a malicious client to request the contents of any RCS file to which the server has permission, even those not located under $CVSROOT. The client vulnerability allows a malicious server to overwrite files on the client machine anywhere the client has permissions. Impact : Arbitrary files may be read or written on CVS clients and servers by anybody with access to the CVS tree. Workaround : There is no known workaround at this time. All users are encouraged to upgrade to the latest stable version of CVS.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 14478
    published: 2004-08-30
    reporter: This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/14478
    title: GLSA-200404-13 : CVS Server and Client Vulnerabilities
  • NASL family: FreeBSD Local Security Checks
    NASL id: FREEBSD_PKG_0792E7A78E3711D890D10020ED76EF5A.NASL
    description: Two programming errors were discovered in which path names handled by CVS were not properly validated. In one case, the CVS client accepts absolute path names from the server when determining which files to update. In another case, the CVS server accepts relative path names from the client when determining which files to transmit, including those containing references to parent directories (`../
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 36645
    published: 2009-04-23
    reporter: This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/36645
    title: FreeBSD : CVS path validation errors (0792e7a7-8e37-11d8-90d1-0020ed76ef5a)
  • NASL family: Mandriva Local Security Checks
    NASL id: MANDRAKE_MDKSA-2004-028.NASL
    description: Sebastian Krahmer from the SUSE security team discovered a remotely exploitable vulnerability in the CVS client. When doing a cvs checkout or update over a network, the client accepts absolute pathnames in the RCS diff files. A maliciously configured server could then create any file with content on the local user
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 14127
    published: 2004-07-31
    reporter: This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/14127
    title: Mandrake Linux Security Advisory : cvs (MDKSA-2004:028)
  • NASL family: FreeBSD Local Security Checks
    NASL id: FREEBSD_CVS_PATH_VALIDATION.NASL
    description: The following package needs to be updated: cvs+ipv6
    last seen: 2016-09-26
    modified: 2004-07-06
    plugin id: 12531
    published: 2004-07-06
    reporter: Tenable
    source: https://www.tenable.com/plugins/index.php?view=single&id=12531
    title: FreeBSD : CVS path validation errors (32)
  • NASL family: Slackware Local Security Checks
    NASL id: SLACKWARE_SSA_2004-108-02.NASL
    description: CVS is a client/server version control system. As a server, it is used to host source code repositories. As a client, it is used to access such repositories. This advisory affects both uses of CVS. A security problem which could allow a server to create arbitrary files on a client machine, and another security problem which may allow a client to view files outside of the CVS repository have been fixed with the release of cvs-1.11.15. Any sites running CVS should upgrade to the new CVS package.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 18765
    published: 2005-07-13
    reporter: This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/18765
    title: Slackware 8.1 / 9.0 / 9.1 / current : cvs security update (SSA:2004-108-02)

Oval

  • accepted: 2007-04-25T19:52:12.726-04:00
    class: vulnerability
    contributors:
    • name: Jay Beale
      organization: Bastille Linux
    • name: Thomas R. Jones
      organization: Maitreya Security
    description: The client for CVS before 1.11 allows a remote malicious CVS server to create arbitrary files using certain RCS diff files that use absolute pathnames during checkouts or updates, a different vulnerability than CVE-2004-0405.
    family: unix
    id: oval:org.mitre.oval:def:1042
    status: accepted
    submitted: 2004-05-10T12:00:00.000-04:00
    title: Malicious CVS Server RCS diff File Vulnerability in CVS Client
    version: 38
  • accepted: 2013-04-29T04:19:34.954-04:00
    class: vulnerability
    contributors:
    • name: Aharon Chernin
      organization: SCAP.com, LLC
    • name: Dragos Prisaca
      organization: G2, Inc.
    definition_extensions:
    • comment: The operating system installed on the system is Red Hat Enterprise Linux 3
      oval: oval:org.mitre.oval:def:11782
    • comment: CentOS Linux 3.x
      oval: oval:org.mitre.oval:def:16651
    description: The client for CVS before 1.11 allows a remote malicious CVS server to create arbitrary files using certain RCS diff files that use absolute pathnames during checkouts or updates, a different vulnerability than CVE-2004-0405.
    family: unix
    id: oval:org.mitre.oval:def:9462
    status: accepted
    submitted: 2010-07-09T03:56:16-04:00
    title: The client for CVS before 1.11 allows a remote malicious CVS server to create arbitrary files using certain RCS diff files that use absolute pathnames during checkouts or updates, a different vulnerability than CVE-2004-0405.
    version: 26

Redhat

advisories:
  • rhsa
    id: RHSA-2004:153
  • rhsa
    id: RHSA-2004:154
rpms:
  • cvs-0:1.11.2-18
  • cvs-debuginfo-0:1.11.2-18