Vulnerabilities > CVE-2004-0405 - Unspecified vulnerability in CVS
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
PARTIAL Integrity impact
NONE Availability impact
NONE Summary
CVS before 1.11 allows CVS clients to read arbitrary files via .. (dot dot) sequences in filenames via CVS client requests, a different vulnerability than CVE-2004-0180.
Nessus
NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2004-153.NASL description Updated cvs packages that fix a client vulnerability that could be exploited by a malicious server are now available. [Updated Apr 19 2004] The description text has been updated to include CVE-2004-0405 which was also fixed but not mentioned when this advisory was first released. There has been no change to the packages associated with this advisory. CVS is a version control system frequently used to manage source code repositories. Sebastian Krahmer discovered a flaw in CVS clients where rcs diff files can create files with absolute pathnames. An attacker could create a fake malicious CVS server that would cause arbitrary files to be created or overwritten when a victim connects to it. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0180 to this issue. Derek Price discovered a vulnerability whereby a CVS pserver could be abused by a malicious client to view the contents of certain files outside of the CVS root directory using relative pathnames containing last seen 2020-06-01 modified 2020-06-02 plugin id 12484 published 2004-07-06 reporter This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/12484 title RHEL 2.1 / 3 : cvs (RHSA-2004:153) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Red Hat Security Advisory RHSA-2004:153. The text # itself is copyright (C) Red Hat, Inc. # include("compat.inc"); if (description) { script_id(12484); script_version ("1.25"); script_cvs_date("Date: 2019/10/25 13:36:10"); script_cve_id("CVE-2004-0180", "CVE-2004-0405"); script_xref(name:"RHSA", value:"2004:153"); script_name(english:"RHEL 2.1 / 3 : cvs (RHSA-2004:153)"); script_summary(english:"Checks the rpm output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote Red Hat host is missing a security update." ); script_set_attribute( attribute:"description", value: "Updated cvs packages that fix a client vulnerability that could be exploited by a malicious server are now available. [Updated Apr 19 2004] The description text has been updated to include CVE-2004-0405 which was also fixed but not mentioned when this advisory was first released. There has been no change to the packages associated with this advisory. CVS is a version control system frequently used to manage source code repositories. Sebastian Krahmer discovered a flaw in CVS clients where rcs diff files can create files with absolute pathnames. An attacker could create a fake malicious CVS server that would cause arbitrary files to be created or overwritten when a victim connects to it. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0180 to this issue. Derek Price discovered a vulnerability whereby a CVS pserver could be abused by a malicious client to view the contents of certain files outside of the CVS root directory using relative pathnames containing '../'. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0405 to this issue. Users of CVS are advised to upgrade to these erratum packages, which contain a patch correcting this issue." ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2004-0180" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2004-0405" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2004:153" ); script_set_attribute(attribute:"solution", value:"Update the affected cvs package."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:cvs"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:2.1"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:3"); script_set_attribute(attribute:"vuln_publication_date", value:"2004/06/01"); script_set_attribute(attribute:"patch_publication_date", value:"2004/04/17"); script_set_attribute(attribute:"plugin_publication_date", value:"2004/07/06"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Red Hat Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat"); os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat"); os_ver = os_ver[1]; if (! preg(pattern:"^(2\.1|3)([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 2.1 / 3.x", "Red Hat " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu); yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo"); if (!empty_or_null(yum_updateinfo)) { rhsa = "RHSA-2004:153"; yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa); if (!empty_or_null(yum_report)) { security_report_v4( port : 0, severity : SECURITY_WARNING, extra : yum_report ); exit(0); } else { audit_message = "affected by Red Hat security advisory " + rhsa; audit(AUDIT_OS_NOT, audit_message); } } else { flag = 0; if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"cvs-1.11.1p1-12")) flag++; if (rpm_check(release:"RHEL3", reference:"cvs-1.11.2-18")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_WARNING, extra : rpm_report_get() + redhat_report_package_caveat() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "cvs"); } }NASL family Debian Local Security Checks NASL id DEBIAN_DSA-486.NASL description Two vulnerabilities have been discovered and fixed in CVS : - CAN-2004-0180 Sebastian Krahmer discovered a vulnerability whereby a malicious CVS pserver could create arbitrary files on the client system during an update or checkout operation, by supplying absolute pathnames in RCS diffs. - CAN-2004-0405 Derek Robert Price discovered a vulnerability whereby a CVS pserver could be abused by a malicious client to view the contents of certain files outside of the CVS root directory using relative pathnames containing last seen 2020-06-01 modified 2020-06-02 plugin id 15323 published 2004-09-29 reporter This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/15323 title Debian DSA-486-1 : cvs - several vulnerabilities code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DSA-486. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(15323); script_version("1.19"); script_cvs_date("Date: 2019/08/02 13:32:18"); script_cve_id("CVE-2004-0180", "CVE-2004-0405"); script_bugtraq_id(10138, 10140); script_xref(name:"DSA", value:"486"); script_name(english:"Debian DSA-486-1 : cvs - several vulnerabilities"); script_summary(english:"Checks dpkg output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security-related update." ); script_set_attribute( attribute:"description", value: "Two vulnerabilities have been discovered and fixed in CVS : - CAN-2004-0180 Sebastian Krahmer discovered a vulnerability whereby a malicious CVS pserver could create arbitrary files on the client system during an update or checkout operation, by supplying absolute pathnames in RCS diffs. - CAN-2004-0405 Derek Robert Price discovered a vulnerability whereby a CVS pserver could be abused by a malicious client to view the contents of certain files outside of the CVS root directory using relative pathnames containing '../'." ); script_set_attribute( attribute:"see_also", value:"http://www.debian.org/security/2004/dsa-486" ); script_set_attribute( attribute:"solution", value: "For the current stable distribution (woody) these problems have been fixed in version 1.11.1p1debian-9woody2. We recommend that you update your cvs package." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:cvs"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.0"); script_set_attribute(attribute:"patch_publication_date", value:"2004/04/16"); script_set_attribute(attribute:"plugin_publication_date", value:"2004/09/29"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"3.0", prefix:"cvs", reference:"1.11.1p1debian-9woody2")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get()); else security_warning(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-200404-13.NASL description The remote host is affected by the vulnerability described in GLSA-200404-13 (CVS Server and Client Vulnerabilities) There are two vulnerabilities in CVS; one in the server and one in the client. The server vulnerability allows a malicious client to request the contents of any RCS file to which the server has permission, even those not located under $CVSROOT. The client vulnerability allows a malicious server to overwrite files on the client machine anywhere the client has permissions. Impact : Arbitrary files may be read or written on CVS clients and servers by anybody with access to the CVS tree. Workaround : There is no known workaround at this time. All users are encouraged to upgrade to the latest stable version of CVS. last seen 2020-06-01 modified 2020-06-02 plugin id 14478 published 2004-08-30 reporter This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/14478 title GLSA-200404-13 : CVS Server and Client Vulnerabilities NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_0792E7A78E3711D890D10020ED76EF5A.NASL description Two programming errors were discovered in which path names handled by CVS were not properly validated. In one case, the CVS client accepts absolute path names from the server when determining which files to update. In another case, the CVS server accepts relative path names from the client when determining which files to transmit, including those containing references to parent directories (`../ last seen 2020-06-01 modified 2020-06-02 plugin id 36645 published 2009-04-23 reporter This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/36645 title FreeBSD : CVS path validation errors (0792e7a7-8e37-11d8-90d1-0020ed76ef5a) NASL family FreeBSD Local Security Checks NASL id FREEBSD_CVS_PATH_VALIDATION.NASL description The following package needs to be updated: cvs+ipv6 last seen 2016-09-26 modified 2004-07-06 plugin id 12531 published 2004-07-06 reporter Tenable source https://www.tenable.com/plugins/index.php?view=single&id=12531 title FreeBSD : CVS path validation errors (32) NASL family Misc. NASL id CVS_PIPED_CO.NASL description According to its version number, the remote CVS server has a directory directory traversal vulnerability. This could allow a malicious client to read files outside of the CVS root. last seen 2020-06-01 modified 2020-06-02 plugin id 12212 published 2004-04-16 reporter This script is Copyright (C) 2004-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/12212 title CVS Client Traversal Arbitrary File Retrieval NASL family Slackware Local Security Checks NASL id SLACKWARE_SSA_2004-108-02.NASL description CVS is a client/server version control system. As a server, it is used to host source code repositories. As a client, it is used to access such repositories. This advisory affects both uses of CVS. A security problem which could allow a server to create arbitrary files on a client machine, and another security problem which may allow a client to view files outside of the CVS repository have been fixed with the release of cvs-1.11.15. Any sites running CVS should upgrade to the new CVS package. last seen 2020-06-01 modified 2020-06-02 plugin id 18765 published 2005-07-13 reporter This script is Copyright (C) 2005-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/18765 title Slackware 8.1 / 9.0 / 9.1 / current : cvs security update (SSA:2004-108-02)
Oval
accepted 2007-04-25T19:52:13.247-04:00 class vulnerability contributors name Jay Beale organization Bastille Linux name Thomas R. Jones organization Maitreya Security
description CVS before 1.11 allows CVS clients to read arbitrary files via .. (dot dot) sequences in filenames via CVS client requests, a different vulnerability than CVE-2004-0180. family unix id oval:org.mitre.oval:def:1060 status accepted submitted 2004-05-10T12:00:00.000-04:00 title Directory Traversal Vulnerability in CVS Server version 38 accepted 2013-04-29T04:09:03.276-04:00 class vulnerability contributors name Aharon Chernin organization SCAP.com, LLC name Dragos Prisaca organization G2, Inc.
definition_extensions comment The operating system installed on the system is Red Hat Enterprise Linux 3 oval oval:org.mitre.oval:def:11782 comment CentOS Linux 3.x oval oval:org.mitre.oval:def:16651
description CVS before 1.11 allows CVS clients to read arbitrary files via .. (dot dot) sequences in filenames via CVS client requests, a different vulnerability than CVE-2004-0180. family unix id oval:org.mitre.oval:def:10818 status accepted submitted 2010-07-09T03:56:16-04:00 title CVS before 1.11 allows CVS clients to read arbitrary files via .. (dot dot) sequences in filenames via CVS client requests, a different vulnerability than CVE-2004-0180. version 26
Redhat
| rpms |
|
References
- ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-04:07.cvs.asc
- ftp://patches.sgi.com/support/free/security/advisories/20040404-01-U.asc
- http://marc.info/?l=bugtraq&m=108636445031613&w=2
- http://security.gentoo.org/glsa/glsa-200404-13.xml
- http://www.debian.org/security/2004/dsa-486
- http://www.slackware.com/security/viewer.php?l=slackware-security&y=2004&m=slackware-security.400181
- https://exchange.xforce.ibmcloud.com/vulnerabilities/15891
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1060
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10818