[PROPOSAL] Cluster RECENT-54 - 26 candidates
I have proposed cluster RECENT-54 for review and voting by the
Editorial Board.

Name: RECENT-54
Description: Candidates announced between 1/24/2001 and 2/6/2001
Size: 26

You may vote on candidates by modifying this email ballot and sending it
back to me, or by using the CVE voting web site.

The candidates are listed in order of priority.  Priority 1 and Priority
2 candidates both deal with varying levels of vendor confirmation, so
they should be easy to review and it can be trusted that the problems
are real.

If you discover that any RECENT-XX cluster is incomplete with respect to
the problems discovered during the associated time frame, please send
that information to me so that candidates can be assigned.

- Steve

Summary of votes to use (in ascending order of "severity")
----------------------------------------------------------

ACCEPT - voter accepts the candidate as proposed
NOOP - voter has no opinion on the candidate
MODIFY - voter wants to change some MINOR detail (e.g. reference/description)
REVIEWING - voter is reviewing/researching the candidate, or needs more info
RECAST - candidate must be significantly modified, e.g. split or merged
REJECT - candidate is "not a vulnerability", or a duplicate, etc.

1) Please write your vote on the line that starts with "VOTE: ".  If
you want to add comments or details, add them to lines after the VOTE:
line.

2) If you see any missing references, please mention them so that they
can be included.  References help greatly during mapping.

3) Note that a "MODIFY" is treated as an "ACCEPT" when counting votes.
So if you don't have sufficient information for a candidate but you
don't want to NOOP, use a REVIEWING.

********** NOTE ********** NOTE ********** NOTE ********** NOTE **********

Please keep in mind that your vote and comments will be recorded and
publicly viewable in the mailing list archives or in other formats.

======================================================
Candidate: CAN-2001-0179
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0179
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20010309
Assigned: 20010308
Category: SF
Reference: ALLAIRE:ASB01-02
Reference: URL:http://www.allaire.com/handlers/index.cfm?ID=19546&Method=Full
Reference: XF:jrun-webinf-file-retrieval
Reference: URL:http://xforce.iss.net/static/6008.php

Allaire JRun 3.0 allows remote attackers to list contents of the WEB-INF
directory, and the web.xml file in the WEB-INF directory, via a malformed
URL that contains a "."

Analysis
----------------
ED_PRI CAN-2001-0179 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG,
ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2001-0191
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0191
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20010309
Assigned: 20010308
Category: SF
Reference: BUGTRAQ:20010202 Remote vulnerability in gnuserv/XEmacs
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-02/0030.html
Reference: REDHAT:RHSA-2001:010
Reference: URL:http://www.redhat.com/support/errata/RHSA-2001-010.html
Reference: REDHAT:RHSA-2001:011
Reference: URL:http://www.redhat.com/support/errata/RHSA-2001-011.html
Reference: MANDRAKE:MDKSA-2001:019
Reference: URL:http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-019.php3

gnuserv before 3.12, as shipped with XEmacs, does not properly check the
specified length of an X Windows MIT-MAGIC_COOKIE cookie, which allows
remote attackers to execute arbitrary commands via a buffer overflow, or
brute force authentication by using a short cookie length.

Analysis
----------------
ED_PRI CAN-2001-0191 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG,
ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2001-0193
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0193
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20010309
Assigned: 20010308
Category: SF
Reference: BUGTRAQ:20010131 SuSe / Debian man package format string vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=98096782126481&w=2
Reference: DEBIAN:DSA-028-1
Reference: URL:http://www.debian.org/security/2001/dsa-028
Reference: BID:2327
Reference: URL:http://www.securityfocus.com/bid/2327

Format string vulnerability in man in some Linux distributions allows
local users to gain privileges via a malformed -l parameter.

Analysis
----------------
ED_PRI CAN-2001-0193 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG,
ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2001-0196
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0196
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20010309
Assigned: 20010308
Category: SF
Reference: FREEBSD:FreeBSD-SA-01:11
Reference: URL:ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:11.inetd.v1.1.asc
Reference: BID:2324
Reference: URL:http://www.securityfocus.com/bid/2324

inetd ident server in FreeBSD 4.x and earlier does not properly set group
permissions, which allows remote attackers to read the first 16 bytes of
files that are accessible by the wheel group.

Analysis
----------------
ED_PRI CAN-2001-0196 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG,
ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2001-0218
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0218
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20010309
Assigned: 20010308
Category: SF
Reference: BUGTRAQ:20010126 format string vulnerability in mars_nwe 0.99pl19
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-01/0456.html
Reference: FREEBSD:FreeBSD-SA-01:20
Reference: URL:http://archives.neohapsis.com/archives/freebsd/2001-02/0081.html
Reference: XF:mars-nwe-format-string
Reference: URL:http://xforce.iss.net/static/6019.php

Format string vulnerability in mars_nwe 0.99.pl19 allows remote attackers
to execute arbitrary commands.

Analysis
----------------
ED_PRI CAN-2001-0218 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG,
ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2001-0194
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0194
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20010309
Assigned: 20010308
Category: SF
Reference: MANDRAKE:MDKSA-2001:020-1
Reference: URL:http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-020.php3

Buffer overflow in httpGets function in CUPS 1.1.5 allows remote
attackers to execute arbitrary commands via a long input line.

Analysis
----------------
ED_PRI CAN-2001-0194 2
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG,
ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2001-0234
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0234
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20010309
Assigned: 20010308
Category: SF
Reference: BUGTRAQ:20010126 NewsDaemon remote administrator access
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-01/0460.html
Reference: CONFIRM:http://sourceforge.net/forum/forum.php?forum_id=60570
Reference: XF:newsdaemon-gain-admin-access
Reference: URL:http://xforce.iss.net/static/6010.php

NewsDaemon before 0.21b allows remote attackers to execute arbitrary SQL
queries and gain privileges via a malformed user_username parameter.

Analysis
----------------
ED_PRI CAN-2001-0234 2
Vendor Acknowledgement: yes

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG,
ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2001-0165
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0165
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20010309
Assigned: 20010308
Category: SF
Reference: BUGTRAQ:20010131 [SPSadvisory#40]Solaris7/8 ximp40 shared library buffer overflow
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-01/0517.html
Reference: XF:solaris-ximp40-bo
Reference: URL:http://xforce.iss.net/static/6039.php
Reference: BID:2322
Reference: URL:http://www.securityfocus.com/bid/2322

Buffer overflow in ximp40 shared library in Solaris 7 and Solaris 8
allows local users to gain privileges via a long "arg0" (process name)
argument.

Analysis
----------------
ED_PRI CAN-2001-0165 3
Vendor Acknowledgement:

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG,
ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2001-0167
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0167
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20010309
Assigned: 20010308
Category: SF
Reference: BUGTRAQ:20010129 [CORE SDI ADVISORY] WinVNC client buffer overflow
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=98088315825366&w=2
Reference: BID:2305
Reference: URL:http://www.securityfocus.com/bid/2305
Reference: XF:winvnc-client-bo
Reference: URL:http://xforce.iss.net/static/6025.php

Buffer overflow in AT&T WinVNC (Virtual Network Computing) client
3.3.3r7 and earlier allows remote attackers to execute arbitrary commands
via a long rfbConnFailed packet with a long reason string.

Analysis
----------------
ED_PRI CAN-2001-0167 3
Vendor Acknowledgement:

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG,
ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2001-0168
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0168
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20010309
Assigned: 20010308
Category: SF
Reference: BUGTRAQ:20010129 [CORE SDI ADVISORY] WinVNC server buffer overflow
Reference: URL:http://marc.theaimsgroup.com/?l=vnc-list&m=98080763005455&w=2
Reference: BID:2306
Reference: URL:http://www.securityfocus.com/bid/2306
Reference: XF:winvnc-server-bo
Reference: URL:http://xforce.iss.net/static/6026.php

Buffer overflow in AT&T WinVNC (Virtual Network Computing) server
3.3.3r7 and earlier allows remote attackers to execute arbitrary commands
via a long HTTP GET request when the DebugLevel registry key is greater
than 0.

Analysis
----------------
ED_PRI CAN-2001-0168 3
Vendor Acknowledgement:

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG,
ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2001-0171
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0171
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20010309
Assigned: 20010308
Category: SF
Reference: BUGTRAQ:20010130 DOS Vulnerability in SlimServe HTTPd
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-01/0505.html
Reference: XF:slimserve-httpd-dos
Reference: URL:http://xforce.iss.net/static/6028.php
Reference: BID:2318
Reference: URL:http://www.securityfocus.com/bid/2318

Buffer overflow in SlimServe HTTPd 1.0 allows remote attackers to cause a
denial of service, and possibly execute arbitrary commands, via a long
GET request.

Analysis
----------------
ED_PRI CAN-2001-0171 3
Vendor Acknowledgement:

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG,
ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2001-0173
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0173
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20010309
Assigned: 20010308
Category: SF
Reference: BUGTRAQ:20010130 Nobreak Tecnologies CrazyWWWBoard Remote Buffer Overflow
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-01/0486.html
Reference: BID:2329
Reference: URL:http://www.securityfocus.com/bid/2329
Reference: XF:crazywwwboard-qdecoder-bo
Reference: URL:http://xforce.iss.net/static/6033.php

Buffer overflow in qDecoder library 5.08 and earlier, as used in
CrazyWWWBoard, CrazySearch, and other CGI programs, allows remote
attackers to execute arbitrary commands via a long MIME Content-Type
header.

Analysis
----------------
ED_PRI CAN-2001-0173 3
Vendor Acknowledgement: unknown discloser-claimed patch

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG,
ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2001-0174
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0174
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20010309
Assigned: 20010308
Category: SF
Reference: BUGTRAQ:20010130 Security hole in Virus Buster 2001
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-01/0500.html
Reference: XF:virusbuster-mua-bo
Reference: URL:http://xforce.iss.net/static/6034.php

Buffer overflow in Trend Micro Virus Buster 2001 8.00 allows remote
attackers to cause a denial of service, and possibly execute arbitrary
commands, via a large "To" address.

Analysis
----------------
ED_PRI CAN-2001-0174 3
Vendor Acknowledgement:

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG,
ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2001-0180
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0180
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20010309
Assigned: 20010308
Category: SF
Reference: BUGTRAQ:20010129 Remote Command Execution in guestserver.cgi + exploit
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-01/0471.html
Reference: XF:guestserver-cgi-execute-commands
Reference: URL:http://xforce.iss.net/static/6027.php

Lars Ellingsen guestserver.cgi allows remote attackers to execute
arbitrary commands via shell metacharacters in the "email" parameter.

Analysis
----------------
ED_PRI CAN-2001-0180 3
Vendor Acknowledgement:

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG,
ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2001-0186
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0186
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20010309
Assigned: 20010308
Category: SF
Reference: BUGTRAQ:20010204 Vulnerability in Free Java Web Server
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-02/0061.html

Directory traversal vulnerability in Free Java Web Server 1.0 allows
remote attackers to read arbitrary files via a .. (dot dot) attack.

Analysis
----------------
ED_PRI CAN-2001-0186 3
Vendor Acknowledgement:

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG,
ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2001-0192
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0192
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20010309
Assigned: 20010308
Category: SF
Reference: BUGTRAQ:20010201 XMail CTRLServer remote buffer overflow vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-02/0047.html
Reference: CONFIRM:http://xmailserver.org/XMail-Readme.txt

Buffer overflows in CTRLServer in XMail allow attackers to execute
arbitrary commands via the cfgfileget or domaindel functions.

Analysis
----------------
ED_PRI CAN-2001-0192 3
Vendor Acknowledgement:
Content Decisions: SF-LOC

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG,
ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2001-0198
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0198
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20010309
Assigned: 20010308
Category: SF
Reference: BUGTRAQ:20010131 [SPSadvisory#41]Apple Quick Time Plug-in Buffer Overflow
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=98096678523370&w=2
Reference: XF:quicktime-embedded-tag-bo
Reference: URL:http://xforce.iss.net/static/6040.php
Reference: BID:2328
Reference: URL:http://www.securityfocus.com/bid/2328

Buffer overflow in QuickTime Player plugin 4.1.2 (Japanese) allows remote
attackers to execute arbitrary commands via a long HREF parameter in an
EMBED tag.

Analysis
----------------
ED_PRI CAN-2001-0198 3
Vendor Acknowledgement:

A followup indicated that the problem could not be reproduced, but it
was the English version, not the Japanese.  So, this could be specific
to the Japanese version.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG,
ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2001-0199
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0199
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20010309
Assigned: 20010308
Category: SF
Reference: BUGTRAQ:20010204 Vulnerability in SEDUM HTTP Server
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-02/0064.html
Reference: BID:2335
Reference: URL:http://www.securityfocus.com/bid/2335

Directory traversal vulnerability in SEDUM HTTP Server 2.0 allows remote
attackers to read arbitrary files via a .. (dot dot) attack in the HTTP
GET request.

Analysis
----------------
ED_PRI CAN-2001-0199 3
Vendor Acknowledgement:

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG,
ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2001-0200
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0200
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20010309
Assigned: 20010308
Category: SF
Reference: BUGTRAQ:20010204 Web root exposure in HSWeb Webserver
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-02/0052.html
Reference: BID:2336
Reference: URL:http://www.securityfocus.com/bid/2336

HSWeb 2.0 HTTP server allows remote attackers to obtain the physical path
of the server via a request to the /cgi/ directory, which will list the
path if directory browsing is enabled.

Analysis
----------------
ED_PRI CAN-2001-0200 3
Vendor Acknowledgement:

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG,
ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2001-0202
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0202
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20010309
Assigned: 20010308
Category: SF
Reference: BUGTRAQ:20010205 Vulnerability in Picserver
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-02/0073.html
Reference: BID:2339
Reference: URL:http://www.securityfocus.com/bid/2339

Picserver web server allows remote attackers to read arbitrary files via
a .. (dot dot) attack in an HTTP GET request.

Analysis
----------------
ED_PRI CAN-2001-0202 3
Vendor Acknowledgement:

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG,
ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2001-0205
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0205
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20010309
Assigned: 20010308
Category: SF
Reference: BUGTRAQ:20010206 Vulnerability in AOLserver
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=98148759123258&w=2
Reference: BUGTRAQ:20010208 Vulnerability in AOLserver
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=98168216003867&w=2
Reference: BID:2343
Reference: URL:http://www.securityfocus.com/bid/2343

Directory traversal vulnerability in AOLserver 3.2 and earlier allows
remote attackers to read arbitrary files by inserting "..." into the
requested pathname, a modified .. (dot dot) attack.

Analysis
----------------
ED_PRI CAN-2001-0205 3
Vendor Acknowledgement:

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG,
ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2001-0213
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0213
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20010309
Assigned: 20010308
Category: SF
Reference: BUGTRAQ:200101125 [SAFER] Security Bulletin 010125.EXP.1.12
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-01/0421.html
Reference: XF:planetintra-pi-bo
Reference: URL:http://xforce.iss.net/static/6002.php

Buffer overflow in pi program in PlanetIntra 2.5 allows remote attackers
to execute arbitrary commands.

Analysis
----------------
ED_PRI CAN-2001-0213 3
Vendor Acknowledgement:

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG,
ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2001-0226
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0226
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20010309
Assigned: 20010308
Category: SF
Reference: BUGTRAQ:20010205 Vulnerabilities in BiblioWeb Server
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-02/0075.html

Directory traversal vulnerability in BiblioWeb web server 2.0 allows
remote attackers to read arbitrary files via a .. (dot dot) or ... attack
in an HTTP GET request.

Analysis
----------------
ED_PRI CAN-2001-0226 3
Vendor Acknowledgement:

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG,
ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2001-0227
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0227
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20010309
Assigned: 20010308
Category: SF
Reference: BUGTRAQ:20010205 Vulnerabilities in BiblioWeb Server
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-02/0075.html

Buffer overflow in BiblioWeb web server 2.0 allows remote attackers to
cause a denial of service and possibly execute arbitrary commands via a
long HTTP GET request.

Analysis
----------------
ED_PRI CAN-2001-0227 3
Vendor Acknowledgement:

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG,
ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2001-0228
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0228
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20010309
Assigned: 20010308
Category: SF
Reference: BUGTRAQ:20010202 GoAhead Web Server Directory Traversal Vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-02/0022.html

Directory traversal vulnerability in GoAhead web server 2.1 and earlier
allows remote attackers to read arbitrary files via a .. attack in an
HTTP GET request.

Analysis
----------------
ED_PRI CAN-2001-0228 3
Vendor Acknowledgement:

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG,
ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2001-0229
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0229
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20010309
Assigned: 20010308
Category: SF
Reference: BUGTRAQ:20010206 Security hole in ChiliSoft ASP on Linux.
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-02/0112.html

Chili!Soft ASP for Linux before 3.6 does not properly set group
privileges when running in inherited mode, which could allow attackers
to gain privileges via malicious scripts.

Analysis
----------------
ED_PRI CAN-2001-0229 3
Vendor Acknowledgement: unknown discloser-claimed

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG,
ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS: