Weekly Vulnerabilities Reports > February 25 to March 3, 2002

Overview

7 new vulnerabilities reported during this period, including 1 critical vulnerabilities and 4 high severity vulnerabilities. This weekly summary report vulnerabilities in 15 products from 14 vendors including Debian, Redhat, GNU, Suse, and Oracle. Vulnerabilities are notably categorized as .

  • 4 reported vulnerabilities are remotely exploitables.
  • 7 reported vulnerabilities are exploitable by an anonymous user.
  • Debian has the most reported vulnerabilities, with 1 reported vulnerabilities.
  • Andrew Tridgell has the most reported critical vulnerabilities, with 1 reported vulnerabilities.

TOTAL
VULNERABILITIES
CRITICAL RISK
VULNERABILITIES
HIGH RISK
VULNERABILITIES
MEDIUM RISK
VULNERABILITIES
LOW RISK
VULNERABILITIES
REMOTELY
EXPLOITABLE
LOCALLY
EXPLOITABLE
EXPLOIT
AVAILABLE
EXPLOITABLE
ANONYMOUSLY
AFFECTING
WEB APPLICATION

Vulnerability Details

The following table list reported vulnerabilities for the period covered by this report:

Expand/Hide

1 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2002-02-27 CVE-2002-0048 Andrew Tridgell Remote Code Execution vulnerability in rsync Signed Array Index

Multiple signedness errors (mixed signed and unsigned numbers) in the I/O functions of rsync 2.4.6, 2.3.2, and other versions allow remote attackers to cause a denial of service and execute arbitrary code in the rsync client or server.

10.0

4 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2002-02-27 CVE-2002-0028 Mirabilis Remote Buffer Overflow vulnerability in Mirabilis ICQ

Buffer overflow in ICQ before 2001B Beta v5.18 Build #3659 allows remote attackers to execute arbitrary code via a Voice Video & Games request.

7.5
2002-02-27 CVE-2002-0003 GNU Buffer Overflow vulnerability in Groff Pre-Processor

Buffer overflow in the preprocessor in groff 1.16 and earlier allows remote attackers to gain privileges via lpd in the LPRng printing system.

7.5
2002-02-27 CVE-2002-0001 Mutt Buffer Overflow vulnerability in Mutt Address Handling

Vulnerability in RFC822 address parser in mutt before 1.2.5.1 and mutt 1.3.x before 1.3.25 allows remote attackers to execute arbitrary commands via an improperly terminated comment or phrase in the address list.

7.5
2002-02-27 CVE-2002-0004 Caldera
Debian
Freebsd
Mandrakesoft
Netbsd
Redhat
Slackware
Suse
Heap Overflow vulnerability in AT Maliciously Formatted Time

Heap corruption vulnerability in the "at" program allows local users to execute arbitrary code via a malformed execution time, which causes at to free the same memory twice.

7.2

2 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2002-02-26 CVE-2002-1637 Oracle Local Security vulnerability in Oracle 9i Application Server

Multiple components in Oracle 9i Application Server (9iAS) are installed with over 160 default usernames and passwords, including (1) SYS, (2) SYSTEM, (3) AQJAVA, (4) OWA, (5) IMAGEUSER, (6) USER1, (7) USER2, (8) PLSQL, (9) DEMO, (10) FINANCE, and many others, which allows attackers to gain privileges.

4.6
2002-02-26 CVE-2001-1465 Surfcontrol Local Security vulnerability in SurfControl SuperScout

SurfControl SuperScout only filters packets containing both an HTTP GET request and a Host header, which allows local users to bypass filtering by fragmenting packets so that no packet contains both data elements.

4.6

0 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS