Vulnerability Name:

CVE-2007-6350 (CCN-39069)

Assigned:2007-08-10
Published:2007-08-10
Updated:2011-08-08
Summary:scponly 4.6 and earlier allows remote authenticated users to bypass intended restrictions and execute code by invoking dangerous subcommands including (1) unison, (2) rsync, (3) svn, and (4) svnserve, as originally demonstrated by creating a Subversion (SVN) repository with malicious hooks, then using svn to trigger execution of those hooks.
CVSS v3 Severity:3.5 Low (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): Required
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): Low
Availibility (A): None
CVSS v2 Severity:8.5 High (CVSS v2 Vector: AV:N/AC:M/Au:S/C:C/I:C/A:C)
6.7 Medium (Temporal CVSS v2 Vector: AV:N/AC:M/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): Complete
Integrity (I): Complete
Availibility (A): Complete
4.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:N/I:P/A:N)
3.1 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): None
Integrity (I): Partial
Availibility (A): None
Vulnerability Type:CWE-noinfo
CWE-264
Vulnerability Consequences:Bypass Security
References:Source: CCN
Type: Debian Bug report logs - #437148
"svn", "svnserve", "unison", "rsync" passthrough is unsafe

Source: CONFIRM
Type: UNKNOWN
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=437148

Source: CONFIRM
Type: UNKNOWN
http://bugs.gentoo.org/show_bug.cgi?id=201726

Source: MITRE
Type: CNA
CVE-2007-6350

Source: OSVDB
Type: UNKNOWN
44137

Source: CCN
Type: SourceForge.net Repository
View of /scponly/SECURITY

Source: CONFIRM
Type: UNKNOWN
http://scponly.cvs.sourceforge.net/scponly/scponly/SECURITY?view=markup

Source: CCN
Type: SA28123
scponly Command Passthrough Security Bypass

Source: SECUNIA
Type: Vendor Advisory
28123

Source: CCN
Type: SA28538
Debian update for scponly

Source: SECUNIA
Type: Vendor Advisory
28538

Source: SECUNIA
Type: Vendor Advisory
28944

Source: SECUNIA
Type: Vendor Advisory
28981

Source: GENTOO
Type: UNKNOWN
GLSA-200802-06

Source: CCN
Type: SECTRACK ID: 1019103
Scponly May Let Remote Authenticated Users Execute Arbitrary Commands

Source: DEBIAN
Type: UNKNOWN
DSA-1473

Source: DEBIAN
Type: DSA-1473
scponly -- design flaw

Source: CCN
Type: GLSA-200802-06
scponly: Multiple vulnerabilities

Source: CCN
Type: OSVDB ID: 44137
scponly Multiple Subcommands Crafted Subversion (SVN) Repository Restriction Bypass

Source: BID
Type: UNKNOWN
26900

Source: CCN
Type: BID-26900
scponly Local Arbitrary Command Execution Weakness

Source: SECTRACK
Type: UNKNOWN
1019103

Source: VUPEN
Type: Vendor Advisory
ADV-2007-4243

Source: XF
Type: UNKNOWN
scponly-multiple-security-bypass(39069)

Source: FEDORA
Type: UNKNOWN
FEDORA-2008-1743

Source: FEDORA
Type: UNKNOWN
FEDORA-2008-1728

Vulnerable Configuration:Configuration 1:
  • cpe:/a:scponly:scponly:4.2:*:*:*:*:*:*:*
  • OR cpe:/a:scponly:scponly:4.3:*:*:*:*:*:*:*
  • OR cpe:/a:scponly:scponly:4.4:*:*:*:*:*:*:*
  • OR cpe:/a:scponly:scponly:4.5:*:*:*:*:*:*:*
  • OR cpe:/a:scponly:scponly:*:*:*:*:*:*:*:* (Version <= 4.6)

    • * Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:org.mitre.oval:def:7732
    P
    		DSA-1473 scponly -- design flaw
    2014-06-23
    oval:org.mitre.oval:def:18701
    P
    		DSA-1473-1 scponly - arbitrary code execution
    2014-06-23
    oval:org.debian:def:1473
    V
    		design flaw
    2008-01-21
    BACK
    scponly scponly 4.2
    scponly scponly 4.3
    scponly scponly 4.4
    scponly scponly 4.5
    scponly scponly *