Weekly Vulnerabilities Reports > September 27 to October 3, 2004
Overview
31 new vulnerabilities reported during this period, including 2 critical vulnerabilities and 16 high severity vulnerabilities. This weekly summary report vulnerabilities in 52 products from 22 vendors including IBM, Debian, Trolltech, Clearswift, and Sygate Technologies. Vulnerabilities are notably categorized as "NULL Pointer Dereference", "Link Following", and "Double Free".
- 22 reported vulnerabilities are remotely exploitables.
- 30 reported vulnerabilities are exploitable by an anonymous user.
- IBM has the most reported vulnerabilities, with 5 reported vulnerabilities.
- Microsoft has the most reported critical vulnerabilities, with 1 reported vulnerabilities.
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
EXPLOITABLE
EXPLOITABLE
AVAILABLE
ANONYMOUSLY
WEB APPLICATION
Vulnerability Details
The following table list reported vulnerabilities for the period covered by this report:
2 Critical Vulnerabilities
| DATE | CVE | VENDOR | VULNERABILITY | CVSS |
|---|---|---|---|---|
| 2004-09-28 | CVE-2004-0745 | Tsugio Okamoto | Unspecified vulnerability in Tsugio Okamoto LHA LHA 1.14 and earlier allows attackers to execute arbitrary commands via a directory with shell metacharacters in its name. | 10.0 |
| 2004-09-28 | CVE-2004-0200 | Microsoft | Unspecified vulnerability in Microsoft products Buffer overflow in the JPEG (JPG) parsing engine in the Microsoft Graphic Device Interface Plus (GDI+) component, GDIPlus.dll, allows remote attackers to execute arbitrary code via a JPEG image with a small JPEG COM field length that is normalized to a large integer length before a memory copy operation. | 9.3 |
16 High Vulnerabilities
| DATE | CVE | VENDOR | VULNERABILITY | CVSS |
|---|---|---|---|---|
| 2004-09-28 | CVE-2004-0699 | Checkpoint | Buffer Overflow vulnerability in Check Point VPN-1 ASN.1 Heap-based buffer overflow in ASN.1 decoding library in Check Point VPN-1 products, when Aggressive Mode IKE is implemented, allows remote attackers to execute arbitrary code by initiating an IKE negotiation and then sending an IKE packet with malformed ASN.1 data. | 7.5 |
| 2004-09-28 | CVE-2004-0691 | Trolltech | Unspecified vulnerability in Trolltech QT Heap-based buffer overflow in the BMP image format parser for the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code. | 7.5 |
| 2004-09-28 | CVE-2004-0629 | Adobe | Buffer Overflow vulnerability in Adobe Acrobat/Acrobat Reader ActiveX Control URI Request Heap Buffer overflow in the ActiveX component (pdf.ocx) for Adobe Acrobat 5.0.5 and Acrobat Reader, and possibly other versions, allows remote attackers to execute arbitrary code via a URI for a PDF file with a null terminator (%00) followed by a long string. | 7.5 |
| 2004-09-28 | CVE-2004-0593 | Sygate Technologies | Unspecified vulnerability in Sygate Technologies Enforcer and Secure Enterprise Sygate Enforcer 3.5MR1 and earlier passes broadcast traffic before authentication, which could allow remote attackers to bypass filtering rules. | 7.5 |
| 2004-09-28 | CVE-2004-0573 | Microsoft | Unspecified vulnerability in Microsoft products Buffer overflow in the converter for Microsoft WordPerfect 5.x on Office 2000, Office XP, Office 2003, and Works Suites 2001 through 2004 allows remote attackers to execute arbitrary code via a malicious document or website. | 7.5 |
| 2004-09-28 | CVE-2004-0500 | ROB Flynn Gentoo Mandrakesoft | MSN Protocol Buffer Overflow vulnerability in Gaim Buffer overflow in the MSN protocol plugins (1) object.c and (2) slp.c for Gaim before 0.82 allows remote attackers to cause a denial of service and possibly execute arbitrary code via MSNSLP protocol messages that are not properly handled in a strncpy call. | 7.5 |
| 2004-09-28 | CVE-2004-0458 | Nicolas Boullis Debian | NULL Pointer Dereference vulnerability in multiple products mah-jong before 1.6.2 allows remote attackers to cause a denial of service (server crash) via a missing argument, which triggers a null pointer dereference. | 7.5 |
| 2004-09-28 | CVE-2004-0408 | Michael Bacarella | Remote Buffer Overflow vulnerability in Michael Bacarella IDent2 Daemon Child_Service Buffer overflow in the child_service function in the ident2 ident daemon allows remote attackers to execute arbitrary code. | 7.5 |
| 2004-09-28 | CVE-2003-0930 | Clearswift | Unspecified vulnerability in Clearswift Mailsweeper Clearswift MAILsweeper before 4.3.15 does not properly detect filenames in BinHex (HQX) encoded files, which allows remote attackers to bypass intended policy. | 7.5 |
| 2004-09-28 | CVE-2003-0929 | Clearswift | Unspecified vulnerability in Clearswift Mailsweeper Clearswift MAILsweeper before 4.3.15 does not properly detect and filter ZIP 6.0 encoded files, which allows remote attackers to bypass intended policy. | 7.5 |
| 2004-09-28 | CVE-2003-0928 | Clearswift | Unspecified vulnerability in Clearswift Mailsweeper Clearswift MAILsweeper before 4.3.15 does not properly detect and filter RAR 3.20 encoded files, which allows remote attackers to bypass intended policy. | 7.5 |
| 2004-09-28 | CVE-2003-1052 | IBM | Unspecified vulnerability in IBM DB2 and DB2 Universal Database IBM DB2 7.1 and 8.1 allow the bin user to gain root privileges by modifying the shared libraries that are used in setuid root programs. | 7.2 |
| 2004-09-28 | CVE-2003-1051 | IBM | Command-line Format String vulnerability in IBM DB2 9.0 Multiple format string vulnerabilities in IBM DB2 Universal Database 8.1 may allow local users to execute arbitrary code via certain command line arguments to (1) db2start, (2) db2stop, or (3) db2govd. | 7.2 |
| 2004-09-28 | CVE-2003-1050 | IBM | Command-Line Argument Buffer Overflow vulnerability in IBM DB2 Multiple buffer overflows in IBM DB2 Universal Database 8.1 may allow local users to execute arbitrary code via long command line arguments to (1) db2start, (2) db2stop, or (3) db2govd. | 7.2 |
| 2004-09-28 | CVE-2002-1583 | IBM | Buffer Overflow vulnerability in IBM DB2 db2ckpw Buffer overflow in sqllib/security/db2ckpw for IBM DB2 Universal Database 6.0 and 7.0 allows local users to execute arbitrary code via a long username that is read from a file descriptor argument. | 7.2 |
| 2004-09-28 | CVE-2004-0689 | KDE Debian | Link Following vulnerability in multiple products KDE before 3.3.0 does not properly handle when certain symbolic links point to "stale" locations, which could allow local users to create or truncate arbitrary files. | 7.1 |
12 Medium Vulnerabilities
| DATE | CVE | VENDOR | VULNERABILITY | CVSS |
|---|---|---|---|---|
| 2004-09-30 | CVE-2004-1604 | Cpanel | Remote Security vulnerability in Cpanel 9.9.1R3 cPanel 9.9.1-RELEASE-3 allows remote authenticated users to chmod arbitrary files via a symlink attack on the _private directory, which is created when Front Page extensions are enabled. | 5.0 |
| 2004-09-28 | CVE-2004-0693 | Trolltech | Unspecified vulnerability in Trolltech QT The GIF parser in the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) via a malformed image file that triggers a null dereference, a different vulnerability than CVE-2004-0692. | 5.0 |
| 2004-09-28 | CVE-2004-0692 | Trolltech | Unspecified vulnerability in Trolltech QT The XPM parser in the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) via a malformed image file that triggers a null dereference, a different vulnerability than CVE-2004-0693. | 5.0 |
| 2004-09-28 | CVE-2004-0644 | MIT | Denial Of Service vulnerability in MIT Kerberos 5 ASN.1 Decoder The asn1buf_skiptail function in the ASN.1 decoder library for MIT Kerberos 5 (krb5) 1.2.2 through 1.3.4 allows remote attackers to cause a denial of service (infinite loop) via a certain BER encoding. | 5.0 |
| 2004-09-28 | CVE-2004-0558 | Easy Software Products | Remote Denial Of Service vulnerability in CUPS UDP Packet The Internet Printing Protocol (IPP) implementation in CUPS before 1.1.21 allows remote attackers to cause a denial of service (service hang) via a certain UDP packet to the IPP port. | 5.0 |
| 2004-09-28 | CVE-2004-0163 | Sygate Technologies | Unspecified vulnerability in Sygate Technologies Secure Enterprise Sygate Secure Enterprise (SSE) 3.5MR3 and earlier does not change the key used to encrypt data, which allows remote attackers to cause a denial of service (resource exhaustion) by capturing a session and repeatedly replaying the session. | 5.0 |
| 2004-09-28 | CVE-2003-0931 | Sygate Technologies | Unspecified vulnerability in Sygate Technologies Enforcer Sygate Enforcer 4.0 earlier allows remote attackers to cause a denial of service (service hang) by replaying a malformed discovery packet to UDP port 39999. | 5.0 |
| 2004-09-28 | CVE-2003-0105 | Port80 Software | Unspecified vulnerability in Port80 Software Servermask ServerMask 2.2 and earlier does not obfuscate (1) ETag, (2) HTTP Status Message, or (3) Allow HTTP responses, which could tell remote attackers that the web server is an IIS server. | 5.0 |
| 2004-09-28 | CVE-2004-0690 | KDE | Unspecified vulnerability in KDE 3.2.1 The DCOPServer in KDE 3.2.3 and earlier allows local users to gain unauthorized access via a symlink attack on DCOP files in the /tmp directory. | 4.6 |
| 2004-09-28 | CVE-2004-0643 | MIT Debian Redhat | Double Free vulnerability in multiple products Double free vulnerability in the krb5_rd_cred function for MIT Kerberos 5 (krb5) 1.3.1 and earlier may allow local users to execute arbitrary code. | 4.6 |
| 2004-09-28 | CVE-2004-0457 | Oracle | Unspecified vulnerability in Oracle Mysql The mysqlhotcopy script in mysql 4.0.20 and earlier, when using the scp method from the mysql-server package, allows local users to overwrite arbitrary files via a symlink attack on temporary files. | 4.6 |
| 2004-09-28 | CVE-2003-1049 | IBM | Unspecified vulnerability in IBM DB2 Universal Database 7.0/8.0 IBM DB2 Universal Database 7 before FixPak 12 creates certain DMS directories with insecure permissions (777), which allows local users to modify or delete certain DB2 files. | 4.6 |
1 Low Vulnerabilities
| DATE | CVE | VENDOR | VULNERABILITY | CVSS |
|---|---|---|---|---|
| 2004-09-29 | CVE-2005-0190 | Realnetworks | Remote Arbitrary File Deletion vulnerability in RealNetworks RealOne Player And RealPlayer Directory traversal vulnerability in RealPlayer 10.5 (6.0.12.1040) and earlier allows remote attackers to delete arbitrary files via a Real Metadata Packages (RMP) file with a FILENAME tag containing .. | 2.6 |