| Vulnerability Name: | CVE-2002-1138 (CCN-10257) | ||||||||
| Assigned: | 2002-10-02 | ||||||||
| Published: | 2002-10-02 | ||||||||
| Updated: | 2018-10-12 | ||||||||
| Summary: | Microsoft SQL Server 7.0 and 2000, including Microsoft Data Engine (MSDE) 1.0 and Microsoft Desktop Engine (MSDE) 2000, writes output files for scheduled jobs under its own privileges instead of the entity that launched it, which allows attackers to overwrite system files, aka "Flaw in Output File Handling for Scheduled Jobs." | ||||||||
| CVSS v3 Severity: | 7.3 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
| ||||||||
| CVSS v2 Severity: | 7.5 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)
| ||||||||
| Vulnerability Type: | CWE-Other | ||||||||
| Vulnerability Consequences: | Gain Access | ||||||||
| References: | Source: MITRE Type: CNA CVE-2002-1138 Source: CCN Type: CIAC Information Bulletin N-003 Microsoft Cumulative Patch for SQL Server Source: CIAC Type: UNKNOWN N-003 Source: CCN Type: cisco-sa-20030126-ms02-061 Cisco Security Advisory: Microsoft SQL Server 2000 Vulnerabilities in Cisco Products - MS02-061 Source: XF Type: Vendor Advisory mssql-agent-create-files(10257) Source: CCN Type: Microsoft Security Bulletin MS02-056 Cumulative Patch for SQL Server (Q316333) Source: CCN Type: Microsoft Security Bulletin MS02-061 Elevation of Privilege in SQL Server Web Tasks (Q316333) Source: CCN Type: Microsoft Security Bulletin MS03-031 Cumulative Patch for Microsoft SQL Server (815495) Source: CCN Type: OSVDB ID: 10139 Microsoft SQL Server Agent Arbitrary File Creation Source: CCN Type: SQLSecurity.com Web site SQL Server/MSDE-Based Applications Source: MS Type: UNKNOWN MS02-056 Source: XF Type: UNKNOWN mssql-agent-create-files(10257) | ||||||||
| Vulnerable Configuration: | Configuration 1: Configuration CCN 1:  Denotes that component is vulnerable | ||||||||
| BACK | |||||||||