CVE-2002-2043

SQL injection vulnerability in the LDAP and MySQL authentication patch for Cyrus SASL 1.5.24 and 1.5.27 allows remote attackers to execute arbitrary SQL commands and log in as arbitrary POP mail users via the password.

CVSS v2.0 7.5 HIGH

7.5^/10

CVSS v2.0 : HIGH

Vector : AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitability : 10.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
http://archives.neohapsis.com/archives/bugtraq/2002-04/0020.html	Patch
http://www.iss.net/security_center/static/8748.php	Patch
http://www.securityfocus.com/bid/4409	Patch
http://archives.neohapsis.com/archives/bugtraq/2002-04/0020.html	Patch
http://www.iss.net/security_center/static/8748.php	Patch
http://www.securityfocus.com/bid/4409	Patch

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:cyrus:sasl:1.5.24:::::::*
	cpe:2.3:a:cyrus:sasl:1.5.27:::::::*

History

20 Nov 2024, 23:42

Type	Values Removed	Values Added
References	~~() http://archives.neohapsis.com/archives/bugtraq/2002-04/0020.html - Patch~~	() http://archives.neohapsis.com/archives/bugtraq/2002-04/0020.html - Patch
References	~~() http://www.iss.net/security_center/static/8748.php - Patch~~	() http://www.iss.net/security_center/static/8748.php - Patch
References	~~() http://www.securityfocus.com/bid/4409 - Patch~~	() http://www.securityfocus.com/bid/4409 - Patch

Information

Published : 2002-12-31 05:00

Updated : 2024-11-20 23:42

NVD link : CVE-2002-2043

Mitre link : CVE-2002-2043

CVE.ORG link : CVE-2002-2043

JSON object : View

Products Affected

cyrus

sasl

CWE

NVD-CWE-Other

{"id": "CVE-2002-2043", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 7.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": true, "userInteractionRequired": false}]}, "published": "2002-12-31T05:00:00.000", "references": [{"url": "http://archives.neohapsis.com/archives/bugtraq/2002-04/0020.html", "tags": ["Patch"], "source": "cve@mitre.org"}, {"url": "http://www.iss.net/security_center/static/8748.php", "tags": ["Patch"], "source": "cve@mitre.org"}, {"url": "http://www.securityfocus.com/bid/4409", "tags": ["Patch"], "source": "cve@mitre.org"}, {"url": "http://archives.neohapsis.com/archives/bugtraq/2002-04/0020.html", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://www.iss.net/security_center/static/8748.php", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://www.securityfocus.com/bid/4409", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-Other"}]}], "descriptions": [{"lang": "en", "value": "SQL injection vulnerability in the LDAP and MySQL authentication patch for Cyrus SASL 1.5.24 and 1.5.27 allows remote attackers to execute arbitrary SQL commands and log in as arbitrary POP mail users via the password."}], "lastModified": "2024-11-20T23:42:44.220", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:cyrus:sasl:1.5.24:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F5B837A3-E1D7-469D-9A2C-1648DB869524"}, {"criteria": "cpe:2.3:a:cyrus:sasl:1.5.27:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6D5319DC-7C56-4661-83A6-6F226DD6804F"}], "operator": "OR"}]}], "vendorComments": [{"comment": "Not vulnerable. This issue only affects a third-party patch to Cyrus SASL, not distributed with Red Hat Enterprise Linux 2.1, 3, or 4.\n", "lastModified": "2006-08-30T00:00:00", "organization": "Red Hat"}], "sourceIdentifier": "cve@mitre.org"}