| Field | Value |
| --- | --- |
| VID | 23052 |
| Severity | 40 |
| Port | 2401 |
| Protocol | TCP |
| Class | CVS |
| Detailed Description | The CVS server, according to its version number, has an arbitrary code execution vulnerability. CVS (Concurrent Versions System) is an open-source source code management and distribution system available for most Linux and Unix-based operating systems. CVS versions prior to 1.11.11 could allow an attacker with a specific access level to execute arbitrary commands on the affected system. If CVS pserver access is enabled, an attacker with write permission to the CVSROOT/passwd file can execute arbitrary commands on the system with root privileges. |
| Note | This check relies solely on the version number reported by the remote CVS server to assess this vulnerability, so it may be a false positive. |
| References | http://ccvs.cvshome.org/servlets/NewsItemView?newsID=88 |
| Platforms Affected | CVS (Concurrent Versions System) pserver versions prior to 1.11.11; Linux (any version); UNIX (any version) |
| Recommendation | Upgrade to the latest version of CVS (1.11.11 or later), available from the CVS Web site at http://ccvs.cvshome.org/servlets/ProjectDownloadList. For Gentoo Linux: upgrade to the latest version (cvs-1.11.11 or later), as listed in Gentoo Linux Security Announcement 200312-08 at http://www.linuxsecurity.com/advisories/gentoo_advisory-3901.html. For other distributions: contact your vendor for upgrade or patch information. |
| Related URL | (CVE) |
| Related URL | 9306 (SecurityFocus) |
| Related URL | 14089 (ISS) |