Vulnerability Name: | CVE-2002-0721 (CCN-9857)
Assigned: | 2002-08-15
Published: | 2002-08-15
Updated: | 2018-10-12
Summary: | Microsoft SQL Server 7.0 and 2000 installs with weak permissions for extended stored procedures that are associated with helper functions, which could allow unprivileged users, and possibly remote attackers, to run stored procedures with administrator privileges via (1) xp_execresultset, (2) xp_printstatements, or (3) xp_displayparamstmt.
CVSS v3 Severity: | 10.0 Critical (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
CVSS v2 Severity: | 10.0 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C)
Vulnerability Type: | CWE-Other
Vulnerability Consequences: | Gain Privileges
References: |
Source: NTBUGTRAQ Type: UNKNOWN 20020815 Alert: Microsoft Security Bulletin - MS02-043
Source: MITRE Type: CNA CVE-2002-0721
Source: BUGTRAQ Type: UNKNOWN 20020816 Microsoft SQL Server Extended Stored Procedure privilege upgrade vulnerabilities (#NISR15002002A)
Source: NTBUGTRAQ Type: UNKNOWN 20020816 Microsoft SQL Server Extended Stored Procedure privilege upgrade vulnerabilities (#NISR15002002A)
Source: CCN Type: CIAC Information Bulletin M-112 Microsoft Cumulative Patch for SQL Server
Source: CCN Type: cisco-sa-20030126-ms02-061 Cisco Security Advisory: Microsoft SQL Server 2000 Vulnerabilities in Cisco Products - MS02-061
Source: CCN Type: US-CERT VU#399531 Microsoft Windows SQL Server allows arbitrary queries to be executed via xp_execresultset extended procedure
Source: CERT-VN Type: US Government Resource VU#399531
Source: CCN Type: US-CERT VU#818939 Microsoft Windows SQL Server allows arbitrary queries to be executed via xp_displayparamstmt extended procedure
Source: CERT-VN Type: US Government Resource VU#818939
Source: CCN Type: US-CERT VU#939675 Microsoft Windows SQL Server allows arbitrary queries to be executed via xp_printstatements extended procedure
Source: CERT-VN Type: US Government Resource VU#939675
Source: CCN Type: Microsoft Security Bulletin MS02-043 Cumulative Patch for SQL Server (Q316333)
Source: CCN Type: Microsoft Security Bulletin MS02-056 Cumulative Patch for SQL Server (Q316333)
Source: CCN Type: Microsoft Security Bulletin MS02-061 Elevation of Privilege in SQL Server Web Tasks (Q316333)
Source: CCN Type: Microsoft Security Bulletin MS03-031 Cumulative Patch for Microsoft SQL Server (815495)
Source: CCN Type: NGSSoftware Insight Security Research Advisory #NISR15002002A Extended Stored Procedure Privilege Upgrade
Source: CCN Type: NGSSoftware Insight Security Research Advisory #NISR15002002B SQL Agent Jobs
Source: MISC Type: UNKNOWN http://www.ngssoftware.com/advisories/mssql-esppu.txt
Source: CCN Type: BID-5481 Microsoft SQL Server Extended Stored Procedure Privilege Elevation Vulnerability
Source: CCN Type: BID-5483 Microsoft SQL Agent Jobs Privilege Elevation Vulnerability
Source: CCN Type: SQLSecurity.com Web site SQL Server/MSDE-Based Applications
Source: MS Type: UNKNOWN MS02-043
Source: XF Type: UNKNOWN mssql-xp-weak-permissions(9857)
Vulnerable Configuration: | Configuration 1: Configuration CCN 1: Denotes that component is vulnerable