CVE Abstraction Content Decisions: Rationale and Application

This is a draft and does not represent an official position of The MITRE Corporation. This document is subject to change without notice.
Date: June 15, 2005

Introduction

CVE Abstraction Content Decisions (CDs) provide guidelines about when to combine multiple reports, bugs, and/or attack vectors into a single CVE name ("MERGE"), and when to create separate CVE names ("SPLIT").

This document:

  • Discusses the design goals of CDs and their role in managing vulnerability information
  • Outlines the major abstraction CDs
  • Compares them with other vulnerability information sources
  • Provides a number of examples of CDs in action

This document is intended for use by CVE Numbering Authorities (CNAs) and may be of interest to vulnerability researchers, maintainers of vulnerability databases and other CVE-Compatible Products and Services, and technical consumers of vulnerability information on a large scale.

Content Decision Design Goals

CDs are designed with the following goals in mind:

  • Provide consistency across the space of all public vulnerability reports, in which the amount of relevant details can vary widely between reports.
  • Provide stability, where feasible, as the information about a specific vulnerability develops and matures.
  • Provide repeatability, so that others can apply CDs and obtain the same results.
  • Provide transparency so that analysts can understand the rationale for certain choices made in CVE.
  • Maximize usability across the diverse consumers of CVE information.
  • Maximize practicality. CDs cannot be "perfect" or "complete" because vulnerability information is rarely perfect or complete.

Content Decisions in the Context of Vulnerability Information

The following main points should be remembered while reviewing and applying CVE content decisions.

1) VULNERABILITY ANALYSTS USE WIDELY VARYING CRITERIA FOR "SPLITTING" AND "MERGING" MULTIPLE VULNERABILITIES OR VULNERABILITY REPORTS. These criteria are often valid and sufficient for specific cases, but they are not necessarily usable or consistent across a large number of issues.

See the "Common Abstraction Facets of Non-CVE Vulnerability Sources" section below for more details.

2) Because of multiple design goals and the varying criteria used in the community, as described in (1) above, THERE ARE SOME CASES IN WHICH CDs DO NOT NECESSARILY FOLLOW "NATURAL" LOGIC.

3) THE QUALITY OF AVAILABLE INFORMATION IS THE PRIMARY FACTOR IN PROPER USE OF CDs, but unfortunately, the quality varies widely across vulnerabilities, and also within different phases in the disclosure and resolution of a single vulnerability.

4) While the current CDs have arisen out of three years of experimentation and tinkering, followed by another three years of informal validation, CDs ARE STILL OCCASIONALLY SUBJECT TO A JUDGMENT CALL BY THE ANALYST.

The "Big Four" Abstraction Content Decisions

The following CDs determine how to SPLIT or MERGE reported issues/vulnerabilities.

NOTE: These CDs will differ from the abstraction choices that are used by other information sources such as databases, advisories, and notification services. See "Common Abstraction Facets of Non-CVE Vulnerability Sources."

A SPLIT action means that separate CVE identifiers should be assigned, and a MERGE action means that the vulnerabilities should be combined into a single CVE identifier.

For any group of vulnerabilities, all relevant CDs are applied.

Consider two separate security issue reports, S1 and S2, as reported for a certain software package (application, library, codebase, etc.).

AB1) If S1 and S2 are different types of bugs, then SPLIT. If one bug type is known but the other is unknown, then they are SPLIT. If both bug types are unknown, then they are treated as the same.

ISSUE: Sometimes (1) there is not sufficient information to determine the bug types, or (2) at the lowest level of detail, the terminology for bug types is nonexistent or inconsistent at best. The best available information is used.

AB2) If S1 and S2 are the same type of bug, but S1 appears in some version that S2 does not (or vice versa), then SPLIT.

ISSUE: Sometimes (1) even the vendor is not sure about the earliest version that is affected by a particular bug, or (2) the report does not contain sufficient information regarding the full range of affected versions. The best available information is used.

AB3) If S1 and S2 are the same type of bug, and they affect the same versions, then MERGE.

ISSUE: Same issues as AB1.

AB4) If there are multiple products, vendors, distributors, or users of the same core codebase, then DO NOT SPLIT based solely on distinguishing between products.

Note: This CD needs more clarity.

ISSUE: Large-scale, suite-based testing (e.g., "PROTOS" style) can affect many different products with unknown codebase relationships, uncertain bug types, and a large number of test cases. Suite-based testing, while highly effective, poses unique challenges for content decisions because of the large number of vulnerabilities that are normally discovered and reported at once. In addition, codebase relationships can be difficult to determine.

Common Abstraction Facets of Non-CVE Vulnerability Sources

The following facets of a vulnerability are often used by other information sources to conduct their own SPLIT or MERGE decisions, in ways that may differ from CVE.

1) Different attack vectors within the same executable.

For example, a Web application with a SQL injection vulnerability in parameter "X" and parameter "Y" might be SPLIT by some sources or MERGED by other sources. Intrusion detection systems can fall into this category.

In CVE, this was historically referred to as CD:SF-LOC, but that has been superseded by the Abstraction Guidelines.

2) Different executables, same attack vector.

For example: programs "X" and "Y" are in the same product. Both might be vulnerable to a buffer overflow in a command line "-arg" parameter.

In CVE, this was historically covered by CD:SF-EXEC, but that has been superseded by the Abstraction Guidelines.

3) Different executables, different attack vectors.

For example, programs "X" and "Y" are in the same product. Both are subject to directory traversal, but "X" is exploitable via the "file" parameter, while "Y" is vulnerable via the "config" parameter.

In CVE, this was historically covered by CD:SF-EXEC, but that has been superseded by the Abstraction Guidelines.

4) Different product, same vendor.

Some sources, especially those geared towards enterprise security and notification, will SPLIT issues based on products, even if the bug is the same.

In CVE, this was partially covered by CD:SF-CODEBASE, but that has been replaced by the Abstraction Guidelines.

5) Different vulnerability type.

Many sources, especially databases, will SPLIT based on the type of vulnerability, e.g., SQL injection will receive a separate identifier from a buffer overflow.

CVE uses this facet in its Abstraction Guidelines.

6) Different products, different vendors, same standard.

Consider a standard protocol, file format, or algorithm, in which there are multiple implementations for that standard. It is very common for separate products to be vulnerable to the same bug. For example, over 20 FTP servers have been subject to buffer overflows in the USER name.

CVE tries to distinguish between separate codebases, but large-scale, multi-implementation analysis efforts can make this difficult.

7) Same patch.

Some sources provide a single identifier for a single patch, even if it is for multiple vulnerability types. Software vendor advisories often fall into this category.

Guidance on Identifying Different Bug Types

While there has been some research on classification and taxonomies for vulnerabilities, there are no categories that are universally used, and terminology is still evolving.

CVE does not operate at the level of general categories such as "Input Validation Error" or "Design Error." It differentiates between vulnerabilities at lower levels of abstraction.

By way of example, the following bug types are regarded as different for CVE:

  • buffer overflows
  • format string vulnerabilities (even though they share some properties with buffer overflows)
  • directory traversal (though multiple variants will often plague the same product over its lifetime)
  • SQL injection (even though it shares syntax-manipulation properties with XSS)
  • Shell metacharacters (even though it shares syntax-manipulation properties with XSS and SQL injection)
  • cross-site scripting (XSS) (note: CVE does not distinguish between XSS and "HTML injection")
  • integer overflows (even though attack techniques may use buffer overflows to smash the stack or corrupt the heap)
  • signed integer errors
  • insecure permissions
  • not properly dropping privileges
  • assigning too much privilege
  • symbolic link following
  • inability to handle a missing field or value
  • inability to handle an invalid field or value
  • information leak by not properly clearing memory before reuse
  • information leak by intentionally providing too much information
  • information leak from timing attack
  • and many other examples

Ultimately, the determination of "different bug type" is a judgment call on the part of the analyst who is applying the CDs.

Examples

This section contains both theoretical and real-world examples.

7.1 Theoretical Examples: AB1 - SPLIT by bug type

Consider the following hypothetical vulnerabilities:

1) Product P version 1.0 has one executable, E.

V1: E is vulnerable to a buffer overflow in parameter X.

V2: E is vulnerable to a crash when field Y is not given a value.

V1 and V2 would be SPLIT per CD:AB1.

2) Product P version 1.0 has two executables, E1 and E2.

V1: E1 is vulnerable to shell metacharacters in parameter X

V2: E2 is vulnerable to a buffer overflow in parameter Y

V1 and V2 would be SPLIT per CD:AB1.

3) Product P version 1.0 has one executable, E.

V1: E is vulnerable to a buffer overflow in parameter X.

V2: E is also vulnerable to SQL injection in parameter X.

V1 and V2 would be SPLIT per CD:AB1, even though the same parameter is affected.

7.2 Theoretical Examples: AB2 - SPLIT by version

1) Product P has two executables, E1 and E2.

V1: In P version 1.0, E1 is vulnerable to a buffer overflow in parameter X.

V2: E2 in P version 2.0 is found vulnerable to a buffer overflow in parameter Y.

V1 and V2 would be SPLIT per CD:AB2. The fact that they are different executables and different parameters is irrelevant (relative to content decisions).

2) Executable E is in Product P.

V1: E is vulnerable to a buffer overflow in parameter X, but only in P version 1.0

V2: E is vulnerable to a buffer overflow in parameter Y, but only in P version 2.0.

V1 and V2 would be SPLIT per CD:AB2, even though the same executable is affected, because different versions are affected.

3) Product P has two executables, E1 and E2.

V1: In P version 1.0, E1 is vulnerable to a buffer overflow in parameter X. This bug is fixed in version 2.0.

V2: E2 in P version 2.0 is found vulnerable to a buffer overflow, also in parameter X. Further investigation shows that this issue also existed for E2 in the previous version 1.0.

V1 and V2 would be SPLIT per CD:AB2, even though the same parameter is involved, because different sets of versions are affected: V2 appears in a version (2.0) that V1 does not.

4) Product P has one executable, E.

V1: E in P version 1.0 is vulnerable to a directory traversal vulnerability using "../" in parameter X. It is fixed in 2.0.

V2: E in P version 2.0 is vulnerable to a directory traversal vulnerability using "....//" in parameter X.

V1 and V2 would be SPLIT per CD:AB2. V2 is a variant of V1, but it still affects different versions.

7.3 Theoretical Examples: AB3 - MERGE when bug type and version are the same

1) Product P version 1.0 has two executables, E1 and E2.

V1: E1 is vulnerable to a buffer overflow in parameter X.

V2: E2 is also vulnerable to a buffer overflow in parameter X.

V1 and V2 would be MERGED per CD:AB3, even though multiple executables are involved. The fact that the same parameter is affected is not relevant (with respect to the CD).

2) Product P version 1.0 has two executables, E1 and E2.

V1: E1 is vulnerable to a buffer overflow in parameter X.

V2: E2 is vulnerable to a buffer overflow in parameter Y.

V1 and V2 would be MERGED per CD:AB3, even though multiple executables are involved, and even though separate parameters are involved.

3) Product P version 1.0 has two executables, E1 and E2.

V1: E1 is vulnerable to a buffer overflow in parameters X and Y.

V2: E2 is vulnerable to a buffer overflow in parameter X.

V1 and V2 would be MERGED per CD:AB3, even though Y is an attack vector for E1 but not for E2.

7.4 Theoretical Examples: Combinations of AB1, AB2, and AB3

In some cases, multiple abstraction CDs are applicable to the same set of bugs. These examples are a little more complicated, but they demonstrate how abstraction CDs can interact with each other.

1) Product P has two executables, E1 and E2.

V1: E1 in P 1.0 is vulnerable to a buffer overflow in parameter X.

V2: E2 in P 1.0 is vulnerable to a buffer overflow in parameter Y.

V3: E1 in P 2.0 is vulnerable to a buffer overflow in parameter Z.

All bugs are the same type, so AB1 does not cause a SPLIT, even though different executables and parameters are affected.

Applying AB2, we SPLIT by version:

P 1.0: V1 and V2

P 2.0: V3

Applying AB3, V1 and V2 stay MERGED because they are the same bug type affecting the same version.

So, we have:

CVE-1: V1 and V2

CVE-2: V3

2) Product P has a single executable, E.

V1: E in P 1.0 is vulnerable to a buffer overflow in parameter X.

V2: E in P 1.0 is vulnerable to a buffer overflow in parameter Y.

V3: E in P 1.0 is vulnerable to SQL injection in parameter X.

V4: E in P 2.0 is vulnerable to SQL injection in parameter Y.

V5: E in P 2.0 is vulnerable to a buffer overflow in parameter Z.

Applying AB1, we have two bug types:

buffer overflow - V1, V2, and V5

SQL injection - V3 and V4

Applying AB2, we further break down the bug types:

Buffer overflow:

- V1 and V2 affect 1.0

- V5 affects 2.0

SQL injection:

- V3 affects 1.0

- V4 affects 2.0

So, we have:

CVE-1: V1 and V2

CVE-2: V5

CVE-3: V3

CVE-4: V4

Notice how many different ways these issues could reasonably be broken down; the CVE content decisions pick one of them and apply it consistently:

1 identifier: if all these bugs were included in the same initial public report, an analyst could choose to give a single identifier to the report.

2 identifiers: an analyst could choose to split only by bug type, which would yield (V1, V2, V5) and (V3, V4).

2 identifiers: an analyst could choose to split by version, which would yield (V1, V2, V3) for 1.0, and (V4, V5) for 2.0.

3 identifiers: an analyst could split by the parameters - X (V1 and V3), Y (V2 and V4), and Z (V5).

4 identifiers: split by bug type and version (i.e., CVE content decisions).

5 identifiers: an analyst could give separate IDs to all 5 issues.

3) Product P has a single executable, E.

V1: E in P 1.0 is vulnerable to a buffer overflow in parameter X.

V2: E in P 1.0 is vulnerable to a buffer overflow in parameter Y.

V3: E in P 2.0 is vulnerable to a buffer overflow in parameter Y.

V4: E in P 2.0 is vulnerable to SQL injection in parameter Y.

Applying AB1, we have two bug types:

buffer overflow - V1, V2, and V3

SQL injection - V4

Applying AB2, we further break down the buffer overflows by the versions they affect. V2 and V3 are the same bug in parameter Y, observed in two versions:

Buffer overflow:

- parameter X affects 1.0 only - V1

- parameter Y affects 1.0 and 2.0 - V2 and V3

These are different sets of versions, so V1 is SPLIT from V2 and V3.

Applying AB3, V2 and V3 are MERGED because they are the same bug type affecting the same set of versions.

So, we have:

CVE-1: V1

CVE-2: V2 and V3

CVE-3: V4
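The three CDs above reduce to a grouping key of (bug type, exact set of affected versions): AB1 and AB2 SPLIT when either component differs, AB3 MERGEs whatever remains, and executable and attack vector never enter the key. The following Python script is an added example, written for this page rather than taken from the MITRE document or from any CVE tooling, that encodes the rule this way and re-runs the three hypothetical cases of section 7.4, plus the AB1 edge case of unknown bug types and the alternative facets from "Common Abstraction Facets of Non-CVE Vulnerability Sources" for comparison. The Issue and Record types, the function names, and the sample inputs are all this example's own; the consolidate() step (reports with the same bug type, executable and attack vector are one bug, so their versions are unioned) is an assumption that matches how example 3 treats V2 and V3, not a rule the document states.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Set

@dataclass(frozen=True)
class Issue:
    """One security issue as recorded from a report (names are this example's own)."""
    label: str
    bug_type: Optional[str]   # None: bug type could not be determined from the report
    executable: str
    vector: str               # parameter, command, header, etc. (ignored by AB1-AB3)
    versions: frozenset       # versions the report says are affected

@dataclass
class Record:
    """Reports folded together because they describe one bug across versions."""
    labels: List[str]
    bug_type: Optional[str]
    executable: str
    vector: str
    versions: Set[str] = field(default_factory=set)

def consolidate(issues: List[Issue]) -> List[Record]:
    # Assumption, not a stated CD: reports with the same bug type, executable and
    # attack vector are one bug, so their version sets are unioned. This is what
    # 7.4 example 3 does when it treats V2 and V3 as "parameter Y affects 1.0 and 2.0".
    records, order = {}, []
    for i in issues:
        k = (i.bug_type, i.executable, i.vector)
        if k not in records:
            records[k] = Record([], i.bug_type, i.executable, i.vector)
            order.append(k)
        records[k].labels.append(i.label)
        records[k].versions.update(i.versions)
    return [records[k] for k in order]

def group_by(issues: List[Issue], key: Callable[[Record], object]) -> List[List[str]]:
    """Generic SPLIT/MERGE: records with equal keys MERGE, records with different keys SPLIT."""
    groups, order = {}, []
    for rec in consolidate(issues):
        k = key(rec)
        if k not in groups:
            groups[k] = []
            order.append(k)
        groups[k].extend(rec.labels)
    return [groups[k] for k in order]

def cve_key(rec: Record):
    # AB1: bug type (None == None, so unknown types are treated alike; unknown vs.
    #      known differ and therefore SPLIT).  AB2: exact set of affected versions.
    # AB3 is the MERGE that falls out for equal keys, whatever the executable/vector.
    return (rec.bug_type, frozenset(rec.versions))

def group_into_cves(issues: List[Issue]) -> List[List[str]]:
    return group_by(issues, cve_key)

def describe(groups: List[List[str]]) -> str:
    """Render groups the way the document does: 'CVE-1: V1 and V2'."""
    return "\n".join(f"CVE-{n}: {' and '.join(g)}" for n, g in enumerate(groups, 1))

# Facets other sources use (see "Common Abstraction Facets"), for side-by-side comparison.
OTHER_FACETS = {
    "bug type only": lambda r: r.bug_type,
    "version only": lambda r: frozenset(r.versions),
    "attack vector only": lambda r: r.vector,
}

V = frozenset  # shorthand for version sets
# Constructed inputs transcribing the three hypothetical cases of section 7.4.
EXAMPLES_7_4 = {
    "1": [Issue("V1", "buffer overflow", "E1", "X", V({"1.0"})),
          Issue("V2", "buffer overflow", "E2", "Y", V({"1.0"})),
          Issue("V3", "buffer overflow", "E1", "Z", V({"2.0"}))],
    "2": [Issue("V1", "buffer overflow", "E", "X", V({"1.0"})),
          Issue("V2", "buffer overflow", "E", "Y", V({"1.0"})),
          Issue("V3", "SQL injection", "E", "X", V({"1.0"})),
          Issue("V4", "SQL injection", "E", "Y", V({"2.0"})),
          Issue("V5", "buffer overflow", "E", "Z", V({"2.0"}))],
    "3": [Issue("V1", "buffer overflow", "E", "X", V({"1.0"})),
          Issue("V2", "buffer overflow", "E", "Y", V({"1.0"})),
          Issue("V3", "buffer overflow", "E", "Y", V({"2.0"})),
          Issue("V4", "SQL injection", "E", "Y", V({"2.0"}))],
}
# Constructed AB1 edge case: two reports of unknown type and one of known type.
UNKNOWN_TYPE_CASE = [Issue("U1", None, "E", "a", V({"1.0"})),
                     Issue("U2", None, "E", "b", V({"1.0"})),
                     Issue("K1", "format string", "E", "c", V({"1.0"}))]

if __name__ == "__main__":
    for name, issues in EXAMPLES_7_4.items():
        print(f"7.4 example {name} (CVE CDs):\n{describe(group_into_cves(issues))}\n")
    for facet, key in OTHER_FACETS.items():
        print(f"7.4 example 2, {facet}: {group_by(EXAMPLES_7_4['2'], key)}")
    print("unknown bug types:", group_into_cves(UNKNOWN_TYPE_CASE))
```

Groups come out in order of first appearance, so example 2 yields (V1, V2), (V3), (V4), (V5); the document numbers the same four groups differently, but the partition is identical. Swapping cve_key for one of the OTHER_FACETS keys reproduces the two- and three-identifier breakdowns listed for example 2, which is the practical difference between CVE and the other sources described earlier: same reports, different key.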

7.5 Real-World Examples

1) AB1: different bug types, same executable

CVE-2000-0696: The administration interface for the dwhttpd web server in Solaris AnswerBook2 does not properly authenticate requests to its supporting CGI scripts, which allows remote attackers to add user accounts to the interface by directly calling the admin CGI script.

CVE-2000-0697: The administration interface for the dwhttpd web server in Solaris AnswerBook2 allows interface users to remotely execute commands via shell metacharacters.

2) AB1: different bug types, same executable

CVE-2002-0470: PHPNetToolpack 0.1 relies on its environment’s PATH to find and execute the traceroute program, which could allow local users to gain privileges by inserting a Trojan horse program into the search path.

CVE-2002-0471: PHPNetToolpack 0.1 allows remote attackers to execute code via shell metacharacters in the a_query variable.

3) AB2: different versions

CVE-2004-0399: Stack-based buffer overflow in Exim 3.35, and other versions before 4, when the sender_verify option is true, allows remote attackers to cause a denial of service and possibly execute arbitrary code during sender verification.

CVE-2004-0400: Stack-based buffer overflow in Exim 4 before 4.33, when the headers_check_syntax option is enabled, allows remote attackers to cause a denial of service and possibly execute arbitrary code during the header check.

4) AB2: different versions

CVE-2003-0421: Apple QuickTime / Darwin Streaming Server before 4.1.3f allows remote attackers to cause a denial of service (crash) via an MS-DOS device name (e.g., AUX) in a request to HTTP port 1220, a different vulnerability than CVE-2003-0502.

CVE-2003-0502: Apple QuickTime / Darwin Streaming Server before 4.1.3g allows remote attackers to cause a denial of service (crash) via a .. (dot dot) sequence followed by an MS-DOS device name (e.g., AUX) in a request to HTTP port 1220, a different vulnerability than CVE-2003-0421.

5) AB2: different versions

CVE-2004-0085: Unknown vulnerability in the Mail application for Mac OS X 10.1.5 and 10.2.8 with unknown impact, a different vulnerability than CVE-2004-0086.

CVE-2004-0086: Unknown vulnerability in the Mail application for Mac OS X 10.3.2 with unknown impact, a different vulnerability than CVE-2004-0085.

6) AB3: same bugs in the same executable

CVE-1999-1510: Buffer overflows in Bisonware FTP server prior to 4.1 allow remote attackers to cause a denial of service, and possibly execute arbitrary commands, via long (1) USER, (2) LIST, or (3) CWD commands.

7) AB3: same bugs in the same executable

CVE-2003-0321: Multiple buffer overflows in BitchX IRC client 1.0-0c19 and earlier allow remote malicious IRC servers to cause a denial of service (crash) and possibly execute arbitrary code via long hostnames, nicknames, or channel names, which are not properly handled by the functions (1) send_ctcp, (2) cannot_join_channel, (3) cluster, (4) BX_compress_modes, (5) handle_oper_vision, and (6) ban_it.

8) AB3: same bugs in the same executable.

CVE-2004-0737: Multiple cross-site scripting vulnerabilities in index.php in the Search module for Php-Nuke allows remote attackers to inject arbitrary web script or HTML via the (1) sid, (2) max, (3) sel1, (4) sel2, (5) sel3, (6) sel4, (7) sel5, (8) match, (9) mod1, (10) mod2, or (11) mod3 parameters.

9) AB3: same bugs in the same executable. Notice how this description has less specific details than the description for the BitchX and Php-Nuke issues, but in all cases, a single CVE identifier was assigned. This is a demonstration of the consistency of CVE CDs.

CVE-2004-0886: Multiple integer overflows in libtiff 3.6.1 and earlier allow remote attackers to cause a denial of service (crash or memory corruption) via TIFF images that lead to incorrect malloc calls.

10) AB3: same bug types in multiple executables.

CVE-1999-0127: swinstall and swmodify commands in SD-UX package in HP-UX systems allow local users to create or overwrite arbitrary files to gain root access.

11) AB3: same bug types in multiple executables, same attack vector.

CVE-1999-0467: The Webcom CGI Guestbook programs wguest.exe and rguest.exe allow a remote attacker to read arbitrary files using the "template" parameter.

12) AB3: same bug types in the same executable.

CVE-2004-1050: Heap-based buffer overflow in Internet Explorer 6 allows remote attackers to execute arbitrary code via long (1) SRC or (2) NAME attributes in IFRAME, FRAME, and EMBED elements, as originally discovered using the mangleme utility.

13) AB3: same bug types in the same executable.

CVE-2003-0536: Directory traversal vulnerability in phpSysInfo 2.1 and earlier allows attackers with write access to a local directory to read arbitrary files as the PHP user or cause a denial of service via .. (dot dot) sequences in the (1) template or (2) lng parameters.

14) AB3: same bug types in multiple executables, different attack vectors.

CVE-2002-1441: Multiple buffer overflows in Tomahawk SteelArrow before 4.5 allow remote attackers to execute arbitrary code via (1) the Steelarrow Service (Steelarrow.exe) using a long UserIdent Cookie header, (2) DLLHOST.EXE (Steelarrow.dll) via a request for a long .aro file, or (3) DLLHOST.EXE via a Chunked Transfer-Encoding request.

15) AB3: same bug types in multiple executables, different attack vectors.

CVE-2004-0250: SQL injection vulnerability in PhotoPost PHP Pro 4.6 and earlier allows remote attackers to gain privileges via (1) the product parameter in showproduct.php or (2) the cat parameter in showcat.php.

16) AB1 and AB3: SPLIT on different bug types, MERGE same bug type

CVE-2004-0226: Multiple buffer overflows in Midnight Commander (mc) before 4.6.0 may allow attackers to cause a denial of service or execute arbitrary code.

CVE-2004-0232: Multiple format string vulnerabilities in Midnight Commander (mc) before 4.6.0 may allow attackers to cause a denial of service or execute arbitrary code.

17) AB1 and AB3: SPLIT on different bug types, MERGE same bug type

CVE-2002-1085: Multiple cross-site scripting vulnerabilities in ezContents 1.41 and earlier allow remote attackers to execute script and steal cookies via the diary and other capabilities.

CVE-2002-1086: Multiple SQL injection vulnerabilities in ezContents 1.41 and earlier allow remote attackers to conduct unauthorized activities.

CVE-2002-1087: The scripts (1) createdir.php, (2) removedir.php and (3) uploadfile.php for ezContents 1.41 and earlier do not check credentials, which allows remote attackers to create or delete directories and upload files via a direct HTTP POST request.

18) AB3: MERGE on the same bug type, both within the same executable and across multiple executables.

CVE-2002-1536: Molly IRC bot 0.5 allows remote attackers to execute arbitrary commands via shell metacharacters in (1) the $host variable for nslookup.pl, (2) the $to, $from, or $message variables in pop.pl, (3) the $words or $text variables in sms.pl, or (4) the $server or $printer variables in hpled.pl.

19) AB1 and AB3: MERGE on same bug types in multiple executables, but SPLIT on different bug types.

CVE-2003-1050: Multiple buffer overflows in IBM DB2 Universal Database 8.1 may allow local users to execute arbitrary code via long command line arguments to (1) db2start, (2) db2stop, or (3) db2govd.

CVE-2003-1051: Multiple format string vulnerabilities in IBM DB2 Universal Database 8.1 may allow local users to execute arbitrary code via certain command line arguments to (1) db2start, (2) db2stop, or (3) db2govd.

20) AB1 and AB3: MERGE on same bug types in multiple executables, but SPLIT on different bug types.

CVE-2004-0152: Multiple stack-based buffer overflows in (1) the encode_mime function, (2) the encode_uuencode function, (3) or the decode_uuencode function for emil 2.1.0 and earlier allow remote attackers to execute arbitrary code via e-mail messages containing attachments with filenames.

CVE-2004-0153: Multiple format string vulnerabilities in emil 2.1.0 and earlier may allow remote attackers to execute arbitrary code by triggering certain error messages.

21) AB2 and AB3: SPLIT on different versions (AB2) but MERGE on same bug types within the same versions (AB3)

CVE-2003-0611: Multiple buffer overflows in xtokkaetama 1.0 allow local users to gain privileges via a long (1) -display command line argument or (2) XTOKKAETAMADIR environment variable.

CVE-2003-0652: Buffer overflow in xtokkaetama allows local users to gain privileges via a long -nickname command line argument, a different vulnerability than CVE-2003-0611.

22) AB1 and AB3: MERGE on same bug types in multiple executables, but SPLIT on different bug types.

Notice how CVE-2005-1502 and CVE-2005-1503 share many of the same parameters and executables; they are still SPLIT because XSS and SQL injection are different bug types.

CVE-2005-1502: Cross-site scripting (XSS) vulnerability in MidiCart PHP Shopping Cart allows remote attackers to inject arbitrary web script or HTML via the (1) searchstring parameter to search_list.php or the (2) secondgroup or (3) maingroup parameters to item_list.php.

CVE-2005-1503: Multiple SQL injection vulnerabilities in MidiCart PHP Shopping Cart allow remote attackers to execute arbitrary SQL commands via the (1) searchstring parameter to search_list.php, the (2) maingroup or (3) secondgroup parameters to item_list.php, or (4) code_no parameter to item_show.php.

23) AB1, AB2, and AB3:

- CVE-2004-1988 and CVE-2004-1989 are SPLIT because they affect different versions.

- the others are SPLIT because each is a different bug type

- notice the MERGE of the same bug type in CVE-2004-1987.

CVE-2004-1985: Cross-site scripting (XSS) vulnerability in menu.inc.php in Coppermine Photo Gallery 1.2.2b allows remote attackers to inject arbitrary HTML or web script via the CPG_URL parameter.

CVE-2004-1986: Directory traversal vulnerability in modules.php in Coppermine Photo Gallery 1.2.2b and 1.2.0 RC4 allows remote attackers with administrative privileges to read arbitrary files via a .. (dot dot) in the startdir parameter.

CVE-2004-1987: picmgmtbatch.inc.php in Coppermine Photo Gallery 1.2.2b and 1.2.0 RC4 allows remote attackers with administrative privileges to execute arbitrary commands via shell metacharacters in the (1) $CONFIG['impath'] or (2) $CONFIG['jpeg_qual'] parameters.

CVE-2004-1988: PHP remote code injection vulnerability in init.inc.php in Coppermine Photo Gallery 1.2.0 RC4 allows remote attackers to execute arbitrary PHP code by modifying the CPG_M_DIR to reference a URL on a remote web server that contains functions.inc.php.

CVE-2004-1989: PHP remote code injection vulnerability in theme.php in Coppermine Photo Gallery 1.2.2b allows remote attackers to execute arbitrary PHP code by modifying the THEME_DIR parameter to reference a URL on a remote web server that contains user_list_info_box.inc.

7.6 Other Interesting Examples Not Yet Categorized

One bug, multiple attack vectors: CVE-2003-0761

Vague same-type descriptions: CVE-2004-0523, CVE-2004-0519, CVE-2004-0039

Vague different-type descriptions: CVE-2003-0996, CVE-2003-0997

Vague multiple issues: CVE-2003-0374

Codebase/package: CVE-2004-0907, CVE-2004-0179, CVE-2004-0008, CVE-2003-0926 (also AB3), CVE-2003-0818 (also AB3), CVE-2004-0590

CVE-2004-0235 - not "same bug"

CVE-2003-0454 - single input, multiple bugs

SUITE: CVE-2004-0222

SUITE: CVE-2003-0296, CVE-2003-0297, CVE-2003-0298, CVE-2003-0299, CVE-2003-0300, CVE-2003-0301, CVE-2003-0302

Multiple products, same protocol/attack vector: CVE-2000-0479, CVE-1999-1510, CVE-1999-1514, CVE-1999-1519, CVE-1999-1539, CVE-2000-0656, CVE-2000-1035, CVE-2001-0794, CVE-2001-0826, CVE-2002-0126

Flaw-type imprecision: CVE-2003-0983, CVE-2003-0346, CVE-2003-0312/CVE-2003-0313, CVE-2002-1559, and CVE-2002-1483 [directory traversal], CVE-2004-0444

Missing version: CVE-2003-0325, CVE-2003-0330

CVE-2002-0684

7.7 Additional Real-World Examples

Each of these real-world examples shares the same properties as one of the examples in the previous section, but they may still be useful as additional reference points.

1) AB1: different bug types, same executable

CVE-1999-1540: Shell-lock in Cactus Software Shell Lock uses weak encryption (trivial encoding), which allows attackers to easily decrypt and obtain the source code.

CVE-1999-1541: Shell-lock in Cactus Software Shell Lock allows local users to read or modify decoded shell files before they are executed, via a symlink attack on a temporary file.

2) AB1: different bug types, same executable

CVE-1999-0931: Buffer overflow in Mediahouse Statistics Server allows remote attackers to execute commands.

CVE-1999-0932: Mediahouse Statistics Server allows remote attackers to read the administrator password, which is stored in cleartext in the ss.cfg file.

3) AB1: different bug types, same executable

CVE-2004-0393: Format string vulnerability in the msg function for rlpr daemon (rlprd) 2.0.4 allows remote attackers to execute arbitrary code via format string specifiers in a buffer that can not be resolved, which is provided to the syslog function.

CVE-2004-0454: Buffer overflow in the msg function for rlpr daemon (rlprd) 2.04 allows local users to execute arbitrary code.

4) AB2: different versions

CVE-2003-1042 and CVE-2003-1043:

CVE-2003-1042: SQL injection vulnerability in collectstats.pl for Bugzilla 2.16.3 and earlier allows remote authenticated users with editproducts privileges to execute arbitrary SQL via the product name.

CVE-2003-1043: SQL injection vulnerability in Bugzilla 2.16.3 and earlier, and 2.17.1 through 2.17.4, allows remote authenticated users with editkeywords privileges to execute arbitrary SQL via the id parameter to editkeywords.cgi.

5) AB2: different versions

CVE-2003-0758: Buffer overflow in db2dart in IBM DB2 Universal Data Base 7.2 before Fixpak 10 allows local users to gain root privileges via a long command line argument.

CVE-2003-0759: Buffer overflow in db2licm in IBM DB2 Universal Data Base 7.2 before Fixpak 10a allows local users to gain root privileges via a long command line argument.

CVE-2000-0133: Buffer overflows in Tiny FTPd 0.52 beta3 FTP server allows users to execute commands via the STOR, RNTO, MKD, XMKD, RMD, XRMD, APPE, SIZE, and RNFR commands.

CVE-2001-0826: Buffer overflows in CesarFTPD 0.98b allows remote attackers to execute arbitrary commands via long arguments to (1) HELP, (2) USER, (3) PASS, (4) PORT, (5) DELE, (6) REST, (7) RMD, or (8) MKD.

CVE-2002-0578: Buffer overflow in 4D WebServer 6.7.3 allows remote attackers to cause a denial of service and possibly execute arbitrary code via an HTTP request with Basic Authentication containing a long (1) user name or (2) password.

CVE-2004-0958: PHP before 5.0.2 allows remote attackers to read sensitive memory contents via (1) GET, (2) POST, or (3) COOKIE GPC variables that end in an open bracket character.

CVE-2004-0832: The (1) ntlm_fetch_string and (2) ntlm_get_string functions in Squid 2.5.6 and earlier, with NTLM authentication enabled, allow remote attackers to cause a denial of service (application crash) via an NTLMSSP packet that causes a negative value to be passed to memcpy.

CVE-2004-0663: Cross-site scripting (XSS) vulnerability in modules.php in PowerPortal 1.x allows remote attackers to inject arbitrary script or HTML via (1) the id, (2) search, or (3) files parameters.

CVE-2004-0597: Multiple buffer overflows in libpng 1.2.5 and earlier allow remote attackers to execute arbitrary code via malformed PNG images in which (1) the png_handle_tRNS function does not properly validate the length of transparency chunk (tRNS) data, or the (2) png_handle_sBIT or (3) png_handle_hIST functions do not perform sufficient bounds checking.

CVE-2004-0354: Multiple format string vulnerabilities in GNU Anubis 3.6.0 through 3.6.2, 3.9.92 and 3.9.93 allow remote attackers to execute arbitrary code via format string specifiers in strings passed to (1) the info function in log.c, (2) the anubis_error function in errs.c, or (3) the ssl_error function in ssl.c.

CVE-2004-0152: Multiple stack-based buffer overflows in (1) the encode_mime function, (2) the encode_uuencode function, (3) or the decode_uuencode function for emil 2.1.0 and earlier allow remote attackers to execute arbitrary code via e-mail messages containing attachments with filenames.

CVE-2004-1035: Multiple integer signedness errors in (1) imapcommon.c, (2) main.c, (3) request.c, and (4) select.c for up-imapproxy IMAP proxy 1.2.2 allow remote attackers to cause a denial of service (server crash) and possibly leak sensitive information via certain literal values that are not properly handled when using the IMAP_Line_Read function.

CVE-2004-0941: Multiple buffer overflows in the gd graphics library (libgd) 2.0.21 and earlier may allow remote attackers to execute arbitrary code via malformed image files that trigger the overflows due to improper calls to the gdMalloc function, a different set of vulnerabilities than CVE-2004-0990.

CVE-1999-0828: UnixWare pkg commands such as pkginfo, pkgcat, and pkgparam allow local users to read arbitrary files via the dacread permission.

CVE-1999-1492: Vulnerability in (1) diskperf and (2) diskalign in IRIX 6.4 allows local attacker to create arbitrary root owned files, leading to root privileges.

CVE-2000-0986: Buffer overflow in Oracle 8.1.5 applications such as names, namesctl, onrsd, osslogin, tnslsnr, tnsping, trcasst, and trcroute possibly allow local users to gain privileges via a long ORACLE_HOME environmental variable.

CVE-2001-0131: htpasswd and htdigest in Apache 2.0a9, 1.3.14, and others allows local users to overwrite arbitrary files via a symlink attack.

CVE-2001-1034: Format string vulnerability in Hylafax on FreeBSD allows local users to execute arbitrary code via format specifiers in the -h hostname argument for (1) faxrm or (2) faxalter.

CVE-2000-1177: bb-hist.sh, bb-histlog.sh, bb-hostsvc.sh, bb-rep.sh, bb-replog.sh, and bb-ack.sh in Big Brother (BB) before 1.5d3 allows remote attackers to determine the existence of files and user ID’s by specifying the target file in the HISTFILE parameter.

CVE-2004-0358: Cross-site scripting (XSS) vulnerability in VirtuaNews Admin Panel Pro 1.0.3 allows remote attackers to execute arbitrary script as other users via (1) the mainnews parameter in admin.php, (2) the expand parameter in admin.php, (3) the id parameter in admin.php, (4) the catid parameter in admin.php, or (5) an unnamed parameter during the newslogo_upload action in admin.php.

CVE-2004-0967: The (1) pj-gs.sh, (2) ps2epsi , (3) pv.sh, and (4) sysvlp.sh scripts in the ESP Ghostscript (espgs) package in Trustix Secure Linux 1.5 through 2.1, and other operating systems, allow local users to overwrite files via a symlink attack on temporary files.

CVE-2004-0065: Multiple SQL injection vulnerabilities in phpGedView before 2.65 allow remote attackers to execute arbitrary SQL via (1) timeline.php and (2) placelist.php.

CVE-2004-0639: Multiple cross-site scripting (XSS) vulnerabilities in Squirrelmail 1.2.10 and earlier allow remote attackers to inject arbitrary HTML or script via (1) the $mailer variable in read_body.php, (2) the $senderNames_part variable in mailbox_display.php, and possibly other vectors including (3) the $event_title variable or (4) the $event_text variable.

AB1 and AB3: SPLIT on different bug types (AB1), but MERGE on the same bug type (AB3)

CVE-2004-0687: Multiple stack-based buffer overflows in (1) xpmParseColors in parse.c, (2) ParseAndPutPixels in create.c, and (3) ParsePixels in parse.c for libXpm before 6.8.1 allow remote attackers to execute arbitrary code via a malformed XPM image file.

CVE-2004-0688: Multiple integer overflows in (1) the xpmParseColors function in parse.c, (2) XpmCreateImageFromXpmImage, (3) CreateXImage, (4) ParsePixels, and (5) ParseAndPutPixels for libXpm before 6.8.1 may allow remote attackers to execute arbitrary code via a malformed XPM image file.

AB3: MERGE on the same bug type, both within a single executable and across multiple executables.

CVE-2001-1402: Bugzilla before 2.14 does not properly escape untrusted parameters, which could allow remote attackers to conduct unauthorized activities via cross-site scripting (CSS) and possibly SQL injection attacks on (1) the product or output form variables for reports.cgi, (2) the voteon, bug_id, and user variables for showvotes.cgi, (3) an invalid email address in createaccount.cgi, (4) an invalid ID in showdependencytree.cgi, (5) invalid usernames and other fields in process_bug.cgi, and (6) error messages in buglist.cgi.

AB1 and AB3: MERGE on the same bug type across multiple executables (AB3), but SPLIT on different bug types (AB1).

CVE-2003-0487: Multiple buffer overflows in Kerio MailServer 5.6.3 allow remote authenticated users to cause a denial of service and possibly execute arbitrary code via (1) a long showuser parameter in the do_subscribe module, (2) a long folder parameter in the add_acl module, (3) a long folder parameter in the list module, and (4) a long user parameter in the do_map module.

CVE-2003-0488: Multiple cross-site scripting (XSS) vulnerabilities in Kerio MailServer 5.6.3 allow remote attackers to insert arbitrary web script via (1) the add_name parameter in the add_acl module, or (2) the alias parameter in the do_map module.

AB2 and AB3: SPLIT on different versions (AB2) but MERGE on same bug types within the same versions (AB3)

CVE-2004-0888: Multiple integer overflows in xpdf 2.0 and 3.0, and other packages that use xpdf code such as CUPS, gpdf, and kdegraphics, allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code, a different set of vulnerabilities than those identified by CVE-2004-0889.

CVE-2004-0889: Multiple integer overflows in xpdf 3.0, and other packages that use xpdf code such as CUPS, allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code, a different set of vulnerabilities than those identified by CVE-2004-0888.
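The SPLIT/MERGE logic that the entries above illustrate can be stated as a grouping rule: reports that share a product, a bug type and an affected-version set are merged into one candidate entry whose vectors are enumerated (1), (2), ..., while a different bug type (AB1) or a different affected-version set (AB2) forces a separate entry. The following is an added example written for this page; it is not MITRE code or an official CVE tool. The Report type, the merge_key function and the sample reports are assumptions: the Kerio reports paraphrase the vectors listed in the CVE-2003-0487 and CVE-2003-0488 entries above, and the xpdf vectors are constructed placeholders used only to show the version split.

```python
"""Apply the abstraction content decisions illustrated in this section.

Added example, not MITRE code.  Assumed rule set, taken from the headings:
  AB1: different bug types                  -> SPLIT
  AB2: different affected-version sets      -> SPLIT
  AB3: same product, bug type and versions  -> MERGE, even across several
       executables/modules; each vector is enumerated (1), (2), ...
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Tuple


@dataclass(frozen=True)
class Report:
    """One raw vulnerability report (assumed shape, not a CVE data format)."""
    product: str
    versions: FrozenSet[str]   # affected version set, e.g. {"5.6.3"}
    bug_type: str              # e.g. "buffer overflow"
    vector: str                # the attack vector as it would be enumerated


MergeKey = Tuple[str, str, FrozenSet[str]]


def merge_key(report: Report) -> MergeKey:
    """AB1 splits on bug_type, AB2 on the version set; everything that agrees
    on both (and on the product) merges under AB3, so the key is exactly
    those three fields.  The executable/module is deliberately NOT part of
    the key."""
    return (report.product, report.bug_type, report.versions)


def abstract(reports: Iterable[Report]) -> Dict[MergeKey, List[str]]:
    """Group reports into candidate entries, preserving report order."""
    groups: Dict[MergeKey, List[str]] = {}
    for report in reports:
        groups.setdefault(merge_key(report), []).append(report.vector)
    return groups


def describe(key: MergeKey, vectors: List[str]) -> str:
    """Render one candidate entry in the enumerated style used by CVE."""
    product, bug_type, versions = key
    version_text = " and ".join(sorted(versions))
    if len(vectors) == 1:
        return f"{bug_type} vulnerability in {product} {version_text} via {vectors[0]}"
    enumerated = ", ".join(f"({n}) {v}" for n, v in enumerate(vectors, start=1))
    return (f"Multiple {bug_type} vulnerabilities in {product} {version_text} "
            f"via {enumerated}")


def candidates(reports: Iterable[Report]) -> List[str]:
    """Full pipeline: raw reports -> list of candidate entry descriptions."""
    return [describe(key, vectors) for key, vectors in abstract(reports).items()]


# Constructed sample input paraphrasing the Kerio MailServer 5.6.3 vectors
# from CVE-2003-0487 (buffer overflows) and CVE-2003-0488 (XSS) above.
_KERIO = ("Kerio MailServer", frozenset({"5.6.3"}))
KERIO = [
    Report(*_KERIO, "buffer overflow", "a long showuser parameter in the do_subscribe module"),
    Report(*_KERIO, "buffer overflow", "a long folder parameter in the add_acl module"),
    Report(*_KERIO, "buffer overflow", "a long folder parameter in the list module"),
    Report(*_KERIO, "buffer overflow", "a long user parameter in the do_map module"),
    Report(*_KERIO, "cross-site scripting (XSS)", "the add_name parameter in the add_acl module"),
    Report(*_KERIO, "cross-site scripting (XSS)", "the alias parameter in the do_map module"),
]

# Constructed placeholder vectors showing the AB2 split: same product and
# bug type, but one report affects 2.0 and 3.0, the other only 3.0.
XPDF_LIKE = [
    Report("xpdf", frozenset({"2.0", "3.0"}), "integer overflow", "a constructed vector A"),
    Report("xpdf", frozenset({"3.0"}), "integer overflow", "a constructed vector B"),
]

if __name__ == "__main__":
    for line in candidates(KERIO + XPDF_LIKE):
        print(line)
```

Running it yields two Kerio entries (one enumerating four buffer-overflow vectors across four modules, one enumerating two XSS vectors) and two xpdf entries, matching the SPLIT/MERGE outcomes of CVE-2003-0487/0488 and CVE-2004-0888/0889. In real analysis the version sets are rarely this crisp ("and earlier", "possibly other vectors"), so merge_key is the point where an analyst's judgement, rather than a mechanical comparison, decides the grouping.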

Additional Information

For more information see CVE Content Decisions Overview and About CVE Identifiers.

Page Last Updated: October 25, 2011