Vulnerability Name: CVE-2002-1393 (CCN-10923)

Assigned: 2002-12-20
Published: 2002-12-20
Updated: 2016-10-18
Summary: Multiple vulnerabilities in KDE 2 and KDE 3.x through 3.0.5 do not quote certain parameters that are inserted into a shell command, which could allow remote attackers to execute arbitrary commands via (1) URLs, (2) filenames, or (3) e-mail addresses.
CVSS v3 Severity: 7.3 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Impact Metrics: Confidentiality (C): Low
Integrity (I): Low
Availability (A): Low
CVSS v2 Severity: 7.5 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): Partial
7.5 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): Partial
Vulnerability Type: CWE-Other
Vulnerability Consequences: Gain Privileges
References:
Source: CCN
Type: BugTraq Mailing List, Sun Dec 22 2002 - 17:07:44 CST
Re: KDE Security Advisory: Multiple vulnerabilities in KDE

Source: CCN
Type: Gentoo Linux Security Announcement 200212-9
multiple vulnerabilities in KDE

Source: CCN
Type: BugTraq Mailing List, Mon Dec 23 2002 - 12:40:37 CST
Re: KDE Security Advisory: Multiple vulnerabilities in KDE

Source: MITRE
Type: CNA
CVE-2002-1393

Source: CONECTIVA
Type: UNKNOWN
CLA-2003:569

Source: CCN
Type: Conectiva Linux Announcement CLSA-2003:569
kde -- Multiple vulnerabilities in KDE

Source: BUGTRAQ
Type: UNKNOWN
20021221 KDE Security Advisory: Multiple vulnerabilities in KDE

Source: BUGTRAQ
Type: UNKNOWN
20021222 GLSA: kde-3.0.x

Source: CCN
Type: RHSA-2003-002
Updated KDE packages fix security issues

Source: CCN
Type: RHSA-2003-003
kdelibs security update

Source: SECUNIA
Type: UNKNOWN
8067

Source: SECUNIA
Type: UNKNOWN
8103

Source: CCN
Type: CIAC Information Bulletin N-095
Red Hat Multiple Vulnerabilities in KDE

Source: DEBIAN
Type: UNKNOWN
DSA-234

Source: DEBIAN
Type: UNKNOWN
DSA-235

Source: DEBIAN
Type: UNKNOWN
DSA-236

Source: DEBIAN
Type: UNKNOWN
DSA-237

Source: DEBIAN
Type: UNKNOWN
DSA-238

Source: DEBIAN
Type: UNKNOWN
DSA-239

Source: DEBIAN
Type: UNKNOWN
DSA-240

Source: DEBIAN
Type: UNKNOWN
DSA-241

Source: DEBIAN
Type: UNKNOWN
DSA-242

Source: DEBIAN
Type: Patch, Vendor Advisory
DSA-243

Source: DEBIAN
Type: DSA-234
kdeadmin -- several vulnerabilities

Source: DEBIAN
Type: DSA-235
kdegraphics -- several vulnerabilities

Source: DEBIAN
Type: DSA-236
kdelibs -- several vulnerabilities

Source: DEBIAN
Type: DSA-237
kdenetwork -- several vulnerabilities

Source: DEBIAN
Type: DSA-238
kdepim -- several vulnerabilities

Source: DEBIAN
Type: DSA-239
kdesdk -- several vulnerabilities

Source: DEBIAN
Type: DSA-240
kdegames -- several vulnerabilities

Source: DEBIAN
Type: DSA-241
kdeutils -- several vulnerabilities

Source: DEBIAN
Type: DSA-242
kdebase -- several vulnerabilities

Source: DEBIAN
Type: DSA-243
kdemultimedia -- several vulnerabilities

Source: CCN
Type: KDE Security Advisory 2002-12-20
Multiple vulnerabilities in KDE

Source: CONFIRM
Type: Patch, Vendor Advisory
http://www.kde.org/info/security/advisory-20021220-1.txt

Source: MANDRAKE
Type: UNKNOWN
MDKSA-2003:004

Source: REDHAT
Type: UNKNOWN
RHSA-2003:002

Source: REDHAT
Type: UNKNOWN
RHSA-2003:003

Source: BID
Type: UNKNOWN
6462

Source: CCN
Type: BID-6462
KDE Parameter Quoting Shell Command Execution Vulnerability

Source: CCN
Type: TLSA-2003-1
Multiple vulnerabilities in KDE

Source: XF
Type: UNKNOWN
kde-quoting-command-execution(10923)

Vulnerable Configuration:
Configuration 1:
  • cpe:/o:kde:kde:2.0:*:*:*:*:*:*:*
  • OR cpe:/o:kde:kde:2.0.1:*:*:*:*:*:*:*
  • OR cpe:/o:kde:kde:2.1:*:*:*:*:*:*:*
  • OR cpe:/o:kde:kde:2.1.1:*:*:*:*:*:*:*
  • OR cpe:/o:kde:kde:2.1.2:*:*:*:*:*:*:*
  • OR cpe:/o:kde:kde:2.2:*:*:*:*:*:*:*
  • OR cpe:/o:kde:kde:2.2.1:*:*:*:*:*:*:*
  • OR cpe:/o:kde:kde:2.2.2:*:*:*:*:*:*:*
  • OR cpe:/o:kde:kde:3.0:*:*:*:*:*:*:*
  • OR cpe:/o:kde:kde:3.0.1:*:*:*:*:*:*:*
  • OR cpe:/o:kde:kde:3.0.2:*:*:*:*:*:*:*
  • OR cpe:/o:kde:kde:3.0.3:*:*:*:*:*:*:*
  • OR cpe:/o:kde:kde:3.0.3a:*:*:*:*:*:*:*
  • OR cpe:/o:kde:kde:3.0.4:*:*:*:*:*:*:*
  • OR cpe:/o:kde:kde:3.0.5:*:*:*:*:*:*:*

Configuration CCN 1:
  • cpe:/o:suse:suse_linux:7.1:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:linux:7.1:*:*:*:*:*:*:*
  • OR cpe:/o:suse:suse_linux:7.2:*:*:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux:8.1:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:linux:7.2:*:*:*:*:*:*:*
  • OR cpe:/o:suse:suse_linux:7.3:*:*:*:*:*:*:*
  • OR cpe:/a:suse:suse_linux_firewall:*:*:*:*:*:*:*:*
  • OR cpe:/a:suse:suse_email_server:iii:*:*:*:*:*:*:*
  • OR cpe:/a:suse:suse_linux_connectivity_server:*:*:*:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux:8.2:*:*:*:*:*:*:*
  • OR cpe:/o:suse:suse_linux:8.0:*:*:*:*:*:*:*
  • OR cpe:/o:conectiva:linux:8.0:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:linux:7.3:*:*:*:*:*:*:*
  • OR cpe:/o:debian:debian_linux:3.0:*:*:*:*:*:*:*
  • OR cpe:/o:gentoo:linux:*:*:*:*:*:*:*:*
  • OR cpe:/a:suse:suse_linux_office_server:*:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:linux:8.0:*:*:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux:9.0:*:*:*:*:*:*:*
  • OR cpe:/a:suse:suse_email_server:3.1:*:*:*:*:*:*:*
  • OR cpe:/o:suse:suse_linux:8.1:*:*:*:*:*:*:*
  • OR cpe:/o:turbolinux:turbolinux:8:*:*:*:server:*:*:*
  • OR cpe:/o:turbolinux:turbolinux:8:*:*:*:workstation:*:*:*
  • OR cpe:/o:turbolinux:turbolinux:7:*:*:*:server:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:2.1:*:as:*:*:*:*:*
  • OR cpe:/o:redhat:linux:9.0:*:*:*:*:*:*:*
  • OR cpe:/o:suse:suse_linux:8.2:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:linux_advanced_workstation:2.1:*:itanium:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux:8.1:*:ia64:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux:8.2:*:ppc:*:*:*:*:*

  * Denotes that component is vulnerable

Oval Definitions
Definition ID              Class  Title                    Last Modified
oval:org.debian:def:241    V      several vulnerabilities  2003-01-24
oval:org.debian:def:242    V      several vulnerabilities  2003-01-24
oval:org.debian:def:243    V      several vulnerabilities  2003-01-24
oval:org.debian:def:238    V      several vulnerabilities  2003-01-23
oval:org.debian:def:239    V      several vulnerabilities  2003-01-23
oval:org.debian:def:240    V      several vulnerabilities  2003-01-23
oval:org.debian:def:234    V      several vulnerabilities  2003-01-22
oval:org.debian:def:235    V      several vulnerabilities  2003-01-22
oval:org.debian:def:236    V      several vulnerabilities  2003-01-22
oval:org.debian:def:237    V      several vulnerabilities  2003-01-22