420050803235153Red Hat Linux 9MuttJay BealeINTERIMJay BealeACCEPTEDBuffer overflow in Mutt 1.4.0 and possibly earlier versions, 1.5.x up to 1.5.3, and other programs that use Mutt code such as Balsa before 2.0.10, allows a remote malicious IMAP server to cause a denial of service (crash) and possibly execute arbitrary code via a crafted folder.CAN-2003-0140ACCEPTED1Microsoft Windows 2000Microsoft Windows Server 2003Microsoft Exchange Server 2003Charles SchmidtDRAFTINTERIMACCEPTED'The Exchange 2003 Exadmin virtual directory uses only Integrated Windows Authentication.'2.1.6ACCEPTED1Corresponds to item 2.1.6 in the Exchange 2003 BenchmarkRed Hat Linux 9CUPSJay BealeINTERIMJay BealeACCEPTEDCUPS before 1.1.19 allows remote attackers to cause a denial of service via a partial printing request to the IPP port (631), which does not time out.CAN-2003-0195ACCEPTED1Sun Solaris 8kcms_configureDavid Proulxkcms_configure as included with Solaris 7 and 8 allows a local attacker to gain additional privileges via a buffer overflow in a command line argument.CVE-2001-0594ACCEPTED1Sun Solaris 8libnslDavid ProulxInteger overflow in xdr_array function in RPC servers for operating systems that use libc, glibc, or other code based on SunRPC including dietlibc, allows remote attackers to execute arbitrary code by passing a large number of arguments to xdr_array through RPC services such as rpc.cmsd and dmispd.CVE-2002-0391ACCEPTED1Sun Solaris 8xlockDavid ProulxHeap overflow in xlock in Solaris 2.6 through 8 allows local users to gain root privileges via a long (1) XFILESEARCHPATH or (2) XUSERFILESEARCHPATH environmental variable.CVE-2001-0652ACCEPTED1Sun Solaris 8snmpdxDavid ProulxFormat string vulnerability in the logging component of snmpdx for Solaris 5.6 through 8 allows remote attackers to gain root privileges.CAN-2002-0796ACCEPTED1Microsoft Windows 2000Internet Explorer 5.5 Service Pack 2David ProulxInternet Explorer 5.5 and 6.0 allows remote attackers to bypass restrictions for executing scripts via an object that processes asynchronous events after the initial security checks have been made.CVE-2002-0026ACCEPTED3Sun Solaris 8XsunDavid ProulxBuffer overflow in Xsun on Solaris 2.6 through 8 allows local users to gain root privileges via a long -co (color database) command line argument.CVE-2002-0158ACCEPTED1Sun Solaris 8CDEDavid ProulxCDE ToolTalk database server (ttdbserver) allows remote attackers to overwrite arbitrary memory locations with a zero, and possibly gain privileges, via a file descriptor argument in an AUTH_UNIX procedure call, which is used as a table index by the _TT_ISCLOSE procedure.CAN-2002-0677ACCEPTED1Microsoft Windows NTInternet Information Server 4.0Tiffany BergeronACCEPTEDBuffer overflow in the chunked encoding transfer mechanism in Internet Information Server (IIS) 4.0 and 5.0 Active Server Pages allows attackers to cause a denial of service or execute arbitrary code.CVE-2002-0079ACCEPTED3Microsoft Windows 2000Internet Explorer 6.0David ProulxInternet Explorer 5.01, 5.5 and 6.0 allows remote attackers to read arbitrary files via malformed requests to the GetObject function, which bypass some of GetObject's security checks.CVE-2002-0023ACCEPTED3Microsoft Windows NTWindows ShellMatthew BurtonMatthew BurtonDRAFTINTERIMMatthew BurtonACCEPTEDBuffer overflow in Windows Shell (used as the Windows Desktop) allows local and possibly remote attackers to execute arbitrary code via a custom URL handler that has not been removed for an application that has been improperly uninstalled.CVE-2002-0070ACCEPTED1Microsoft Windows 2000Internet Explorer 6.0Andrew ButtnerCross-site scripting vulnerability in Internet Explorer 6.0 allows remote attackers to execute scripts in the Local Computer zone via a URL that exploits a local HTML resource file, aka the "Cross-Site Scripting in Local HTML Resource" vulnerability.CAN-2002-0189ACCEPTED3Microsoft Windows 2000Distributed Component Object Model (DCOM) interfaceChristine WalzerDRAFTINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDHeap-based buffer overflow in the Distributed Component Object Model (DCOM) interface in the RPCSS Service allows remote attackers to execute arbitrary code via a malformed DCERPC DCOM object activation request packet with modified length fields, a different vulnerability than CAN-2003-0352 (Blaster/Nachi) and CAN-2003-0528.CAN-2003-0715ACCEPTED2Microsoft Windows 2000Internet Information Server 5.0Andrew ButtnerACCEPTEDBuffer overflow in the ASP data transfer mechanism in Internet Information Server (IIS) 4.0, 5.0, and 5.1 allows remote attackers to cause a denial of service or execute code, aka "Microsoft-discovered variant of Chunked Encoding buffer overrun."CVE-2002-0147ACCEPTED4Microsoft Windows 2000Internet Explorer 5.5 or Internet Explorer 5.5 Service Pack 1David ProulxInternet Explorer 5.5 and 6.0 allows remote attackers to bypass restrictions for executing scripts via an object that processes asynchronous events after the initial security checks have been made.CVE-2002-0026ACCEPTED3Microsoft Windows NTFTPTiffany BergeronThe FTP service in Internet Information Server (IIS) 4.0, 5.0 and 5.1 allows attackers who have established an FTP session to cause a denial of service via a specially crafted status request containing glob characters.CVE-2002-0073ACCEPTED3Microsoft Windows 2000Internet Information Server 5.0Tiffany BergeronACCEPTEDBuffer overflow in the chunked encoding transfer mechanism in Internet Information Server (IIS) 4.0 and 5.0 Active Server Pages allows attackers to cause a denial of service or execute arbitrary code.CVE-2002-0079ACCEPTED3Microsoft Windows 2000Network Connection Manager (NCM)Christine WalzerChristine WalzerINTERIMACCEPTEDA handler routine for the Network Connection Manager (NCM) in Windows 2000 allows local users to gain privileges via a complex attack that causes the handler to run in the LocalSystem context with user-specified code.CVE-2002-0720ACCEPTED2Microsoft Windows 2000Internet Explorer 5.01Tiffany BergeronChristine WalzerINTERIMACCEPTEDMicrosoft Internet Explorer 5.01 and 6.0 allow remote attackers to execute arbitrary code via malformed Content-Disposition and Content-Type header fields that cause the application for the spoofed file type to pass the file back to the operating system for handling rather than raise an error message, aka the first variant of the "Content Disposition" vulnerability.CVE-2002-0193ACCEPTED3Red Hat Linux 9skkJay BealeINTERIMJay BealeACCEPTEDskk (Simple Kana to Kanji conversion program) 12.1 and earlier, and the ddskk package which is based on skk, creates temporary files insecurely, which allows local users to overwrite arbitrary files.CAN-2003-0539ACCEPTED1Microsoft Windows 2000Internet Information Server 5.0Tiffany BergeronACCEPTEDBuffer overflow in the chunked encoding transfer mechanism in IIS 4.0 and 5.0 allows attackers to execute arbitrary code via the processing of HTR request sessions, aka "Heap Overrun in HTR Chunked Encoding Could Enable Web Server Compromise."CVE-2002-0364ACCEPTED4Microsoft Windows 2000SMTPTiffany BergeronAndrew ButtnerSMTP service in Microsoft Windows 2000, Windows XP Professional, and Exchange 2000 to cause a denial of service via a command with a malformed data transfer (BDAT) request.CVE-2002-0055ACCEPTED3Sun Solaris 8cachefsdDavid ProulxBrian SobyINTERIMACCEPTEDHeap-based buffer overflow in cfsd_calloc function of Solaris cachefsd allows remote attackers to execute arbitrary code via a request with a long directory and cache name.CVE-2002-0033ACCEPTED3Microsoft Windows 2000Internet Explorer 6.0David ProulxInternet Explorer 5.5 and 6.0 allows remote attackers to bypass restrictions for executing scripts via an object that processes asynchronous events after the initial security checks have been made.CVE-2002-0026ACCEPTED3Sun Solaris 7XsunDavid ProulxBuffer overflow in Xsun on Solaris 2.6 through 8 allows local users to gain root privileges via a long -co (color database) command line argument.CVE-2002-0158ACCEPTED1Sun Solaris 7whodoDavid ProulxBuffer overflow in whodo in Solaris SunOS 5.5.1 through 5.8 allows local users to execute arbitrary code via a long (1) SOR or (2) CFIME environment variable.CAN-2001-1076ACCEPTED1Microsoft Windows 2000FTPTiffany BergeronThe FTP service in Internet Information Server (IIS) 4.0, 5.0 and 5.1 allows attackers who have established an FTP session to cause a denial of service via a specially crafted status request containing glob characters.CVE-2002-0073ACCEPTED4Microsoft Windows NTInternet Information Server 4.0Tiffany BergeronDirectory traversal vulnerability in IIS 5.0 and earlier allows remote attackers to execute arbitrary commands by encoding .. (dot dot) and "\" characters twice.CVE-2001-0333ACCEPTED2Microsoft Windows 2000Windows 2000Tiffany BergeronWindows 2000 allows local users to prevent the application of new group policy settings by opening Group Policy files with exclusive-read access.CVE-2002-0051ACCEPTED2Microsoft Windows 2000Internet Information Server 5.0Tiffany BergeronACCEPTEDBuffer overflow in Internet Information Server (IIS) 4.0, 5.0, and 5.1 allows remote attackers to spoof the safety check for HTTP headers and cause a denial of service or execute arbitrary code via HTTP header field values.CVE-2002-0150ACCEPTED3Microsoft Windows 2000Internet Explorer 5.5 Service Pack 2David ProulxInternet Explorer 5.01, 5.5 and 6.0 allows remote attackers to read arbitrary files via malformed requests to the GetObject function, which bypass some of GetObject's security checks.CVE-2002-0023ACCEPTED3Sun Solaris 7rpc.rwalldDavid ProulxFormat string vulnerability in RPC wall daemon (rpc.rwalld) for Solaris 2.5.1 through 8 allows remote attackers to execute arbitrary code via format strings in a message that is not properly provided to the syslog function when the wall command cannot be executed.CVE-2002-0573ACCEPTED1Sun Solaris 7libnslDavid ProulxInteger overflow in xdr_array function in RPC servers for operating systems that use libc, glibc, or other code based on SunRPC including dietlibc, allows remote attackers to execute arbitrary code by passing a large number of arguments to xdr_array through RPC services such as rpc.cmsd and dmispd.CVE-2002-0391ACCEPTED1Sun Solaris 7cachefsdDavid ProulxBrian SobyINTERIMACCEPTEDBuffer overflow in the fscache_setup function of cachefsd in Solaris 2.6, 7, and 8 allows local users to gain root privileges via a long mount argument.CAN-2002-0084ACCEPTED2Microsoft Windows 2000Internet Information Server 5.0Tiffany BergeronIIS 4.0 and 5.0 allows remote attackers to read documents outside of the web root, and possibly execute arbitrary commands, via malformed URLs that contain UNICODE encoded characters, aka the "Web Server Folder Traversal" vulnerability.CVE-2000-0884ACCEPTED2Microsoft Windows NTInternet Information Server 4.0Tiffany BergeronACCEPTEDBuffer overflow in the ism.dll ISAPI extension that implements HTR scripting in Internet Information Server (IIS) 4.0 and 5.0 allows attackers to cause a denial of service or execute arbitrary code via HTR requests with long variable names.CVE-2002-0071ACCEPTED3Microsoft Windows 2000Internet Information Server 5.0Tiffany BergeronCross-site scripting vulnerability in Help File search facility for Internet Information Server (IIS) 4.0, 5.0 and 5.1 allows remote attackers to embed scripts into another user's session.CVE-2002-0074ACCEPTED2Sun Solaris 8whodoDavid ProulxBuffer overflow in whodo in Solaris SunOS 5.5.1 through 5.8 allows local users to execute arbitrary code via a long (1) SOR or (2) CFIME environment variable.CAN-2001-1076ACCEPTED1Sun Solaris 7admintoolDavid ProulxBuffer overflow in admintool in Solaris 2.6, 7, and 8 allows local users to gain root privileges via a long media installation path.CAN-2002-0088ACCEPTED1Microsoft Windows 2000Internet Explorer 5.01David ProulxMicrosoft Internet Explorer 5.5 and 6.0 allows remote attackers to bypass the cross-domain security model to run malicious script or arbitrary programs via dialog boxes, aka "Improper Cross Domain Security Validation with dialog box."CVE-2003-1326ACCEPTED2Microsoft Windows 2000Internet Explorer 5.01, Internet Explorer 5.01 Service Pack 1, or Internet Explorer 5.01 Service Pack 2David ProulxInternet Explorer 5.01, 5.5 and 6.0 allows remote attackers to read arbitrary files via malformed requests to the GetObject function, which bypass some of GetObject's security checks.CVE-2002-0023ACCEPTED3Red Hat Linux 9EOGJay BealeINTERIMJay BealeACCEPTEDFormat string vulnerability in Eye Of Gnome (EOG) allows attackers to execute arbitrary code via format string specifiers in a command line argument for the file to display.CAN-2003-0165ACCEPTED1Red Hat Linux 9EtherealJay BealeINTERIMJay BealeACCEPTEDFormat string vulnerability in packet-socks.c of the SOCKS dissector for Ethereal 0.8.7 through 0.9.9 allows remote attackers to execute arbitrary code via SOCKS packets containing format string specifiers.CVE-2003-0081ACCEPTED1Red Hat Linux 9EtherealJay BealeINTERIMJay BealeACCEPTEDHeap-based buffer overflow in the NTLMSSP code for Ethereal 0.9.9 and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary code.CAN-2003-0159ACCEPTED1Sun Solaris 8rpc.yppasswddDavid ProulxBuffer overflow in rpc.yppasswdd (yppasswd server) in Solaris 2.6, 7 and 8 allows remote attackers to gain root access via a long username.CVE-2001-0779ACCEPTED1Microsoft Windows 2000Internet Explorer 6.0David ProulxThe showHelp() function in Microsoft Internet Explorer 5.01, 5.5, and 6.0 supports certain types of pluggable protocols that allow remote attackers to bypass the cross-domain security model and execute arbitrary code, aka "Improper Cross Domain Security Validation with ShowHelp functionality."CVE-2003-1328ACCEPTED2Microsoft Windows NTInternet Information Server 4.0Tiffany BergeronCross-site scripting vulnerability for Internet Information Server (IIS) 4.0, 5.0 and 5.1 allows remote attackers to execute arbitrary script as other web users via the error message used in a URL redirect (""302 Object Moved") message.CVE-2002-0075ACCEPTED1Microsoft Windows 2000Remote Procedure Call (RPC)Tiffany BergeronChristine WalzerINTERIMACCEPTEDThe RPC component in Windows 2000, Windows NT 4.0, and Windows XP allows remote attackers to cause a denial of service (disabled RPC service) via a malformed packet to the RPC Endpoint Mapper at TCP port 135, which triggers a null pointer dereference.CAN-2002-1561ACCEPTED2Sun Solaris 8admintoolDavid ProulxBuffer overflow in admintool in Solaris 2.6, 7, and 8 allows local users to gain root privileges via a long media installation path.CAN-2002-0088ACCEPTED1Microsoft Windows NTRemote Access Service (RAS)Tiffany BergeronBuffer overflow in Remote Access Service (RAS) phonebook for Windows NT 4.0, 2000, XP, and Routing and Remote Access Server (RRAS) allows local users to execute arbitrary code by modifying the rasphone.pbk file to use a long dial-up entry.CVE-2002-0366ACCEPTED1Sun Solaris 7mibiisaDavid ProulxBuffer overflow in the MIB parsing component of mibiisa for Solaris 5.6 through 8 allows remote attackers to gain root privileges.CAN-2002-0797ACCEPTED1Microsoft Windows 2000Remote Access Service (RAS)Tiffany BergeronBuffer overflow in Remote Access Service (RAS) phonebook for Windows NT 4.0, 2000, XP, and Routing and Remote Access Server (RRAS) allows local users to execute arbitrary code by modifying the rasphone.pbk file to use a long dial-up entry.CVE-2002-0366ACCEPTED2Microsoft Windows 2000Windows 2000Tiffany BergeronTiffany BergeronACCEPTEDINTERIMACCEPTEDIn Microsoft Windows NT and Windows 2000, a trusting domain that receives authorization information from a trusted domain does not verify that the trusted domain is authoritative for all listed SIDs, which could allows remote attackers to gain Domain Administrator privileges on the trusting domain by injecting SIDs from untrusted domains into the authorization data that comes from from the trusted domain.CVE-2002-0018ACCEPTED3Sun Solaris 7kcms_configureDavid Proulxkcms_configure as included with Solaris 7 and 8 allows a local attacker to gain additional privileges via a buffer overflow in a command line argument.CVE-2001-0594ACCEPTED1Microsoft Windows 2000Internet Information Server 5.0David ProulxChristine WalzerINTERIMACCEPTEDCross-site scripting vulnerability (XSS) in the ASP function responsible for redirection in Microsoft Internet Information Server (IIS) 4.0, 5.0, and 5.1 allows remote attackers to embed a URL containing script in a redirection message.CAN-2003-0223ACCEPTED2Sun Solaris 8admintoolDavid ProulxBuffer overflow in admintool in Solaris 2.5 through 8 allows local users to gain root privileges via long arguments to (1) the -d command line option, or (2) the PRODVERS argument in the .cdtoc file.CAN-2002-0089ACCEPTED1Sun Solaris 7admintoolDavid ProulxBuffer overflow in admintool in Solaris 2.5 through 8 allows local users to gain root privileges via long arguments to (1) the -d command line option, or (2) the PRODVERS argument in the .cdtoc file.CAN-2002-0089ACCEPTED1Red Hat Linux 9EtherealJay BealeINTERIMJay BealeACCEPTEDMultiple off-by-one vulnerabilities in Ethereal 0.9.11 and earlier allow remote attackers to cause a denial of service and possibly execute arbitrary code via the (1) AIM, (2) GIOP Gryphon, (3) OSPF, (4) PPTP, (5) Quake, (6) Quake2, (7) Quake3, (8) Rsync, (9) SMB, (10) SMPP, and (11) TSP dissectors, which do not properly use the tvb_get_nstringz and tvb_get_nstringz0 functions.CAN-2003-0356ACCEPTED1Sun Solaris 8dtspcdDavid ProulxBuffer overflow in the client connection routine of libDtSvc.so.1 in CDE Subprocess Control Service (dtspcd) allows remote attackers to execute arbitrary commandsCVE-2001-0803ACCEPTED1Microsoft Windows 2000Microsoft SQL Server 2000Yi-Fang KohACCEPTEDJonathan BakerJonathan BakerINTERIMACCEPTEDAn SQL query method in Microsoft SQL Server 2000 Gold and 7.0 using Mixed Mode allows local database users to gain privileges by reusing a cached connection of the sa administrator account.CVE-2001-0344ACCEPTED2Microsoft Windows NTInternet Information Server 4.0Tiffany BergeronACCEPTEDBuffer overflow in the ASP data transfer mechanism in Internet Information Server (IIS) 4.0, 5.0, and 5.1 allows remote attackers to cause a denial of service or execute code, aka "Microsoft-discovered variant of Chunked Encoding buffer overrun."CVE-2002-0147ACCEPTED3Red Hat Linux 9EtherealJay BealeINTERIMJay BealeACCEPTEDMultiple integer overflow vulnerabilities in Ethereal 0.9.11 and earlier allow remote attackers to cause a denial of service and possibly execute arbitrary code via the (1) Mount and (2) PPP dissectors.CAN-2003-0357ACCEPTED1Sun Solaris 7dtspcdDavid ProulxBuffer overflow in the client connection routine of libDtSvc.so.1 in CDE Subprocess Control Service (dtspcd) allows remote attackers to execute arbitrary commandsCVE-2001-0803ACCEPTED1Red Hat Linux 9EtherealJay BealeINTERIMJay BealeACCEPTEDUnknown vulnerability in the DCERPC dissector in Ethereal 0.9.12 and earlier allows remote attackers to cause a denial of service (memory consumption) via a certain NDR string.CAN-2003-0428ACCEPTED1Microsoft Windows 2000Windows 2000Tiffany Bergeronsmss.exe debugging subsystem in Windows NT and Windows 2000 does not properly authenticate programs that connect to other programs, which allows local users to gain administrator or SYSTEM privileges by duplicating a handle to a privileged process, as demonstrated by DebPloit.CVE-2002-0367ACCEPTED2Microsoft Windows 2000Internet Explorer 5.5 or Internet Explorer 5.5 Service Pack 1David ProulxInternet Explorer 5.01, 5.5 and 6.0 allows remote attackers to read arbitrary files via malformed requests to the GetObject function, which bypass some of GetObject's security checks.CVE-2002-0023ACCEPTED3Microsoft Windows 2000Internet Information Server 5.0Tiffany BergeronTiffany BergeronACCEPTEDINTERIMACCEPTEDDirectory traversal vulnerability in IIS 5.0 and earlier allows remote attackers to execute arbitrary commands by encoding .. (dot dot) and "\" characters twice.CVE-2001-0333ACCEPTED3Sun Solaris 8rpc.rwalldDavid ProulxFormat string vulnerability in RPC wall daemon (rpc.rwalld) for Solaris 2.5.1 through 8 allows remote attackers to execute arbitrary code via format strings in a message that is not properly provided to the syslog function when the wall command cannot be executed.CVE-2002-0573ACCEPTED1Sun Solaris 7CDEDavid ProulxCDE ToolTalk database server (ttdbserver) allows local users to overwrite arbitrary files via a symlink attack on the transaction log file used by the _TT_TRANSACTION RPC procedure.CVE-2002-0678ACCEPTED1Microsoft Windows NTInternet Information Server 4.0Tiffany BergeronCross-site scripting vulnerability in Internet Information Server (IIS) 4.0, 5.0 and 5.1 allows remote attackers to execute arbitrary script as other users via an HTTP error page.CVE-2002-0148ACCEPTED1Microsoft Windows 2000Microsoft SQL Server 2000Tiffany BergeronJonathan BakerINTERIMIngrid SkoogACCEPTEDVulnerabilities in RPC servers in (1) Microsoft Exchange Server 2000 and earlier, (2) Microsoft SQL Server 2000 and earlier, (3) Windows NT 4.0, and (4) Windows 2000 allow remote attackers to cause a denial of service via malformed inputs.CAN-2001-0509ACCEPTED2Microsoft Windows 2000Microsoft SQL ServerYi-Fang KohIngrid SkoogINTERIMACCEPTEDBuffer overflows in Microsoft SQL Server 7.0 and 2000 allow attackers with access to SQL Server to execute arbitrary code through the functions (1) raiserror, (2) formatmessage, or (3) xp_sprintf. NOTE: the C runtime format string vulnerability reported in MS01-060 is identified by CAN-2001-0879.CAN-2001-0542ACCEPTED2Red Hat Linux 9EtherealJay BealeINTERIMJay BealeACCEPTEDThe OSI dissector in Ethereal 0.9.12 and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary code via invalid IPv4 or IPv6 prefix lengths, possibly triggering a buffer overflow.CAN-2003-0429ACCEPTED1Sun Solaris 8lbxproxyDavid ProulxBuffer overflow in Low BandWidth X proxy (lbxproxy) in Solaris 8 allows local users to execute arbitrary code via a long display command line option.CVE-2002-0090ACCEPTED1Microsoft Windows NTSimple Network Management Protocol (SNMP)Harvey RubinovitzVulnerabilities in the SNMPv1 request handling of a large number of SNMP implementations allow remote attackers to cause a denial of service or gain privileges via (1) GetRequest, (2) GetNextRequest, and (3) SetRequest messages, as demonstrated by the PROTOS c06-SNMPv1 test suite. NOTE: It is highly likely that this candidate will be SPLIT into multiple candidates, one or more for each vendor. This and other SNMP-related candidates will be updated when more accurate information is available.CAN-2002-0013ACCEPTED1Red Hat Linux 9EtherealJay BealeINTERIMJay BealeACCEPTEDThe SPNEGO dissector in Ethereal 0.9.12 and earlier allows remote attackers to cause a denial of service (crash) via an invalid ASN.1 value.CAN-2003-0430ACCEPTED1Microsoft Windows 2000Multiple UNC Provider (MUP)Tiffany BergeronBuffer overflow in Multiple UNC Provider (MUP) in Microsoft Windows operating systems allows local users to cause a denial of service or possibly gain SYSTEM privileges via a long UNC request.CVE-2002-0151ACCEPTED2Microsoft Windows 2000Internet Information Server 5.0Tiffany BergeronINTERIMIngrid SkoogACCEPTEDIIS 5.0 allows remote attackers to cause a denial of service via a series of malformed WebDAV requests.CVE-2001-0151ACCEPTED3Sun Solaris 7CDEDavid ProulxCDE ToolTalk database server (ttdbserver) allows remote attackers to overwrite arbitrary memory locations with a zero, and possibly gain privileges, via a file descriptor argument in an AUTH_UNIX procedure call, which is used as a table index by the _TT_ISCLOSE procedure.CAN-2002-0677ACCEPTED1Microsoft Windows 2000Internet Information Server 5.0Harvey RubinovitzCross-site scripting vulnerability in Internet Information Server (IIS) 4.0, 5.0 and 5.1 allows remote attackers to execute arbitrary script as other users via an HTTP error page.CVE-2002-0148ACCEPTED1Sun Solaris 8mibiisaDavid ProulxBuffer overflow in the MIB parsing component of mibiisa for Solaris 5.6 through 8 allows remote attackers to gain root privileges.CAN-2002-0797ACCEPTED1Microsoft Windows 2000Internet Information Server 5.0Tiffany BergeronACCEPTEDBuffer overflow in ASP Server-Side Include Function in IIS 4.0, 5.0 and 5.1 allows remote attackers to cause a denial of service and possibly execute arbitrary code via long file names.CVE-2002-0149ACCEPTED3Microsoft Windows 2000Internet Explorer 6.0Andrew ButtnerAndrew ButtnerINTERIMACCEPTEDThe zone determination function in Microsoft Internet Explorer 5.5 and 6.0 allows remote attackers to run scripts in the Local Computer zone by embedding the script in a cookie, aka the "Cookie-based Script Execution" vulnerability.CVE-2002-0078ACCEPTED4Sun Solaris 8cachefsdDavid ProulxBrian SobyBrian SobyINTERIMACCEPTEDBuffer overflow in the fscache_setup function of cachefsd in Solaris 2.6, 7, and 8 allows local users to gain root privileges via a long mount argument.CAN-2002-0084ACCEPTED2Microsoft Windows 2000Internet Explorer 6.0David ProulxBuffer overflow in gopher client for Microsoft Internet Explorer 5.1 through 6.0, Proxy Server 2.0, or ISA Server 2000 allows remote attackers to execute arbitrary code via a gopher:// URL that redirects the user to a real or simulated gopher server that sends a long response.CAN-2002-0371ACCEPTED2Microsoft Windows 2000Internet Explorer 6.0Andrew ButtnerChristine WalzerINTERIMACCEPTEDMicrosoft Internet Explorer 5.01 and 6.0 allow remote attackers to execute arbitrary code via malformed Content-Disposition and Content-Type header fields that cause the application for the spoofed file type to pass the file back to the operating system for handling rather than raise an error message, aka the first variant of the "Content Disposition" vulnerability.CVE-2002-0193ACCEPTED4Red Hat Linux 9EtherealJay BealeINTERIMJay BealeACCEPTEDThe tvb_get_nstringz0 function in Ethereal 0.9.12 and earlier does not properly handle a zero-length buffer size, with unknown consequences.CAN-2003-0431ACCEPTED1Sun Solaris 7rpc.yppasswddDavid ProulxBuffer overflow in rpc.yppasswdd (yppasswd server) in Solaris 2.6, 7 and 8 allows remote attackers to gain root access via a long username.CVE-2001-0779ACCEPTED1Microsoft Windows NTLocator serviceTiffany BergeronBuffer overflow in the RPC Locator service for Microsoft Windows NT 4.0, Windows NT 4.0 Terminal Server Edition, Windows 2000, and Windows XP allows local users to execute arbitrary code via an RPC call to the service containing certain parameter information.CVE-2003-0003ACCEPTED1Red Hat Linux 9EtherealJay BealeINTERIMJay BealeACCEPTEDEthereal 0.9.12 and earlier does not handle certain strings properly, with unknown consequences, in the (1) BGP, (2) WTP, (3) DNS, (4) 802.11, (5) ISAKMP, (6) WSP, (7) CLNP, (8) ISIS, and (9) RMI dissectors.CAN-2003-0432ACCEPTED1Red Hat Linux 9Ximian EvolutionJay BealeINTERIMJay BealeACCEPTEDThe try_uudecoding function in mail-format.c for Ximian Evolution Mail User Agent 1.2.2 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a malicious uuencoded (UUE) header, possibly triggering a heap-based buffer overflow.CAN-2003-0128ACCEPTED1Red Hat Linux 9Ximian EvolutionJay BealeINTERIMJay BealeACCEPTEDXimian Evolution Mail User Agent 1.2.2 and earlier allows remote attackers to cause a denial of service (memory consumption) via a mail message that is uuencoded multiple times.CAN-2003-0129ACCEPTED1Microsoft Windows 2000Windows 2000Tiffany BergeronBuffer overflow in ntdll.dll on Microsoft Windows NT 4.0, Windows NT 4.0 Terminal Server Edition, Windows 2000, and Windows XP allows remote attackers to execute arbitrary code, as demonstrated via a WebDAV request to IIS 5.0.CAN-2003-0109ACCEPTED2Red Hat Linux 9Ximian EvolutionJay BealeINTERIMJay BealeACCEPTEDThe handle_image function in mail-format.c for Ximian Evolution Mail User Agent 1.2.2 and earlier does not properly escape HTML characters, which allows remote attackers inject arbitrary data and HTML via a MIME Content-ID header in a MIME-encoded image.CAN-2003-0130ACCEPTED1Red Hat Linux 9GDMJay BealeINTERIMACCEPTEDGDM before 2.4.1.6, when using the "examine session errors" feature, allows local users to read arbitrary files via a symlink attack on the ~/.xsession-errors file.CAN-2003-0547ACCEPTED1Red Hat Linux 9GDMJay BealeINTERIMACCEPTEDThe X Display Manager Control Protocol (XDMCP) support for GDM before 2.4.1.6 allows attackers to cause a denial of service (daemon crash) when a chosen host expires, a different issue than CAN-2003-0549.CAN-2003-0548ACCEPTED1Sun Solaris 7snmpdxDavid ProulxFormat string vulnerability in the logging component of snmpdx for Solaris 5.6 through 8 allows remote attackers to gain root privileges.CAN-2002-0796ACCEPTED1Microsoft Windows 2000ISA Server 2000Tiffany BergeronACCEPTEDCross-site scripting (XSS) vulnerability in Microsoft Internet Security and Acceleration (ISA) Server 2000 allows remote attackers to inject arbitrary web script via a URL containing the script in the domain name portion, which is not properly cleansed in the default error pages (1) 500.htm for "500 Internal Server error" or (2) 404.htm for "404 Not Found."CAN-2003-0526ACCEPTED1Microsoft Windows 2000SMB (Server Message Block)Tiffany BergeronACCEPTEDBuffer overflow in the SMB capability for Microsoft Windows XP, 2000, and NT allows remote attackers to cause a denial of service and possibly execute arbitrary code via an SMB packet that specifies a smaller buffer length than is required.CAN-2003-0345ACCEPTED1Sun Solaris 7kcms_serverDavid ProulxDirectory traversal vulnerability in Sun Kodak Color Management System (KCMS) library service daemon (kcms_server) allows remote attackers to read arbitrary files via the KCS_OPEN_PROFILE procedure.CVE-2003-0027ACCEPTED1Microsoft Windows 2000SQL Server 2000Yi-Fang KohIngrid SkoogIngrid SkoogIngrid SkoogIngrid SkoogIngrid SkoogIngrid SkoogIngrid SkoogINTERIMACCEPTEDBuffer overflows in extended stored procedures for Microsoft SQL Server 7.0 and 2000 allow remote attackers to cause a denial of service or execute arbitrary code via a database query with certain long arguments.CAN-2002-0154ACCEPTED2Microsoft Windows 2000Windows 2000Tiffany BergeronTiffany BergeronACCEPTEDInternet Explorer 5.01 through 6.0 does not properly handle object tags returned from a Web server during XML data binding, which allows remote attackers to execute arbitrary code via an HTML e-mail message or web page.CAN-2003-0809ACCEPTED1Sun Solaris 7cachefsdDavid ProulxBrian SobyINTERIMACCEPTEDHeap-based buffer overflow in cfsd_calloc function of Solaris cachefsd allows remote attackers to execute arbitrary code via a request with a long directory and cache name.CVE-2002-0033ACCEPTED2Microsoft Windows 2000Internet Explorer 6.0Andrew ButtnerMicrosoft Internet Explorer 5.5 and 6.0 allows remote attackers to bypass the cross-domain security model to run malicious script or arbitrary programs via dialog boxes, aka "Improper Cross Domain Security Validation with dialog box."CVE-2003-1326ACCEPTED2Microsoft Windows 2000Remote Procedure Call (RPC)Tiffany BergeronACCEPTEDHeap-based buffer overflow in the Distributed Component Object Model (DCOM) interface in the RPCSS Service allows remote attackers to execute arbitrary code via a malformed RPC request with a long filename parameter, a different vulnerability than CAN-2003-0352 (Blaster/Nachi) and CAN-2003-0715.CAN-2003-0528ACCEPTED1Red Hat Linux 9GDMJay BealeINTERIMACCEPTEDThe X Display Manager Control Protocol (XDMCP) support for GDM before 2.4.1.6 allows attackers to cause a denial of service (daemon crash) via a short authorization key name.CAN-2003-0549ACCEPTED1Microsoft Windows 2000Internet Information Server 5.0Tiffany BergeronACCEPTEDBuffer overflow in the ism.dll ISAPI extension that implements HTR scripting in Internet Information Server (IIS) 4.0 and 5.0 allows attackers to cause a denial of service or execute arbitrary code via HTR requests with long variable names.CVE-2002-0071ACCEPTED3Sun Solaris 7xlockDavid ProulxHeap overflow in xlock in Solaris 2.6 through 8 allows local users to gain root privileges via a long (1) XFILESEARCHPATH or (2) XUSERFILESEARCHPATH environmental variable.CVE-2001-0652ACCEPTED1Microsoft Windows NTInternet Information Server 4.0Tiffany BergeronACCEPTEDBuffer overflow in ASP Server-Side Include Function in IIS 4.0, 5.0 and 5.1 allows remote attackers to cause a denial of service and possibly execute arbitrary code via long file names.CVE-2002-0149ACCEPTED3Red Hat Linux 9GNU GhostscriptJay BealeINTERIMJay BealeACCEPTEDUnknown vulnerability in GNU Ghostscript before 7.07 allows attackers to execute arbitrary commands, even when -dSAFER is enabled, via a PostScript file that causes the commands to be executed from a malicious print job.CAN-2003-0354ACCEPTED1Microsoft Windows 2000Windows Script Engine for JscriptDRAFTINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDInteger overflow in JsArrayFunctionHeapSort function used by Windows Script Engine for JScript (JScript.dll) on various Windows operating system allows remote attackers to execute arbitrary code via a malicious web page or HTML e-mail that uses a large array index value that enables a heap-based buffer overflow attack.CAN-2003-0010ACCEPTED2Red Hat Linux 9GnuPGJay BealeINTERIMJay BealeACCEPTEDThe key validation code in GnuPG before 1.2.2 does not properly determine the validity of keys with multiple user IDs and assigns the greatest validity of the most valid user ID, which prevents GnuPG from warning the encrypting user when a user ID does not have a trusted path.CAN-2003-0255ACCEPTED1Microsoft Windows 98Microsoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003Microsoft Virtual Machine (VM)Tiffany BergeronINTERIMACCEPTEDThe ByteCode Verifier component of Microsoft Virtual Machine (VM) build 5.0.3809 and earlier, as used in Windows and Internet Explorer, allows remote attackers to bypass security checks and execute arbitrary code via a malicious Java applet, aka "Flaw in Microsoft VM Could Enable System Compromise."CAN-2003-0111ACCEPTED1Microsoft Windows NTInternet Information Server 4.0Tiffany BergeronACCEPTEDBuffer overflow in Internet Information Server (IIS) 4.0, 5.0, and 5.1 allows remote attackers to spoof the safety check for HTTP headers and cause a denial of service or execute arbitrary code via HTTP header field values.CVE-2002-0150ACCEPTED3Red Hat Linux 9GtkHTMLJay BealeINTERIMACCEPTEDGtkHTML, as included in Evolution before 1.2.4, allows remote attackers to cause a denial of service (crash) via certain malformed messages.CAN-2003-0133ACCEPTED1Microsoft Windows NTSimple Network Management Protocol (SNMP)Matt BusbyINTERIMACCEPTEDThe default permissions for the SNMP Parameters registry key in Windows NT 4.0 allows remote attackers to read and possibly modify the SNMP community strings to obtain sensitive information or modify network configuration, aka one of the "Registry Permissions" vulnerabilities.CAN-2001-0046ACCEPTED1Microsoft Windows NTMicrosoft Transaction Server (MTS)Matt BusbyINTERIMACCEPTEDThe default permissions for the MTS Package Administration registry key in Windows NT 4.0 allows local users to install or modify arbitrary Microsoft Transaction Server (MTS) packages and gain privileges, aka one of the "Registry Permissions" vulnerabilities.CAN-2001-0047ACCEPTED1Microsoft Windows 2000Internet Explorer 5.01, Internet Explorer 5.01 Service Pack 1Tiffany BergeronAndrew ButtnerACCEPTEDHTML e-mail feature in Internet Explorer 5.5 and earlier allows attackers to execute attachments by setting an unusual MIME type for the attachment, which Internet Explorer does not process correctly.CVE-2001-0154ACCEPTED2Microsoft Windows NTWindows kernelChristine WalzerDRAFTINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDBuffer overflow in Windows Kernel allows local users to gain privileges by causing certain error messages to be passed to a debugger.CAN-2003-0112ACCEPTED2Microsoft Windows 2000Internet Explorer 6.0Harvey RubinovitzInternet Explorer 5.01 through 6.0 does not properly perform security checks on certain encoded characters within a URL, which allows a remote attacker to steal potentially sensitive information from a user by redirecting the user to another site that has that information, aka "Encoded Characters Information Disclosure."CVE-2002-1186ACCEPTED1Microsoft Windows 2000Simple Network Management Protocol (SNMP)Harvey RubinovitzVulnerabilities in a large number of SNMP implementations allow remote attackers to cause a denial of service or gain privileges via SNMPv1 trap handling, as demonstrated by the PROTOS c06-SNMPv1 test suite. NOTE: It is highly likely that this candidate will be SPLIT into multiple candidates, one or more for each vendor. This and other SNMP-related candidates will be updated when more accurate information is available.CAN-2002-0012ACCEPTED1Microsoft Windows NTMultiple UNC Provider (MUP)Tiffany BergeronBuffer overflow in Multiple UNC Provider (MUP) in Microsoft Windows operating systems allows local users to cause a denial of service or possibly gain SYSTEM privileges via a long UNC request.CVE-2002-0151ACCEPTED1Microsoft Windows NTSMB (Server Message Block)Christine WalzerDRAFTINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDBuffer overflow in the SMB capability for Microsoft Windows XP, 2000, and NT allows remote attackers to cause a denial of service and possibly execute arbitrary code via an SMB packet that specifies a smaller buffer length than is required.CAN-2003-0345ACCEPTED2Microsoft Windows 2000Windows ShellChristine WalzerBuffer overflow in Windows Shell (used as the Windows Desktop) allows local and possibly remote attackers to execute arbitrary code via a custom URL handler that has not been removed for an application that has been improperly uninstalled.CVE-2002-0070ACCEPTED1Red Hat Linux 9GtkHTMLJay BealeINTERIMJay BealeACCEPTEDgtkhtml before 1.1.10, as used in Evolution, allows remote attackers to cause a denial of service (crash) via a malformed message that causes a null pointer dereference.CAN-2003-0541ACCEPTED1Sun Solaris 8fs.auto, xfsDavid ProulxBuffer overflow in Dispatch() routine for XFS font server (fs.auto) on Solaris 2.5.1 through 9 allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a certain XFS query.CVE-2002-1317ACCEPTED2Red Hat Linux 9ApacheJay BealeINTERIMJay BealeACCEPTEDApache does not filter terminal escape sequences from its error logs, which could make it easier for attackers to insert those sequences into terminal emulators containing vulnerabilities related to escape sequences.CVE-2003-0020ACCEPTED1Red Hat Linux 9ApacheJay BealeINTERIMJay BealeACCEPTEDApache 1.3 before 1.3.25 and Apache 2.0 before version 2.0.46 does not filter terminal escape sequences from its access logs, which could make it easier for attackers to insert those sequences into terminal emulators containing vulnerabilities related to escape sequences, a different vulnerability than CAN-2003-0020.CAN-2003-0083ACCEPTED1Sun Solaris 7fs.auto, xfsDavid ProulxBuffer overflow in Dispatch() routine for XFS font server (fs.auto) on Solaris 2.5.1 through 9 allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a certain XFS query.CVE-2002-1317ACCEPTED2Red Hat Linux 9ApacheJay BealeINTERIMJay BealeACCEPTEDA memory leak in Apache 2.0 through 2.0.44 allows remote attackers to cause a denial of service (memory consumption) via large chunks of linefeed characters, which causes Apache to allocate 80 bytes for each linefeed.CAN-2003-0132ACCEPTED1Microsoft Windows NTWindows NT 4.0Tiffany Bergeronsmss.exe debugging subsystem in Windows NT and Windows 2000 does not properly authenticate programs that connect to other programs, which allows local users to gain administrator or SYSTEM privileges by duplicating a handle to a privileged process, as demonstrated by DebPloit.CVE-2002-0367ACCEPTED1Microsoft Windows NTWindows NT 4.0Tiffany BergeronIn Microsoft Windows NT and Windows 2000, a trusting domain that receives authorization information from a trusted domain does not verify that the trusted domain is authoritative for all listed SIDs, which could allows remote attackers to gain Domain Administrator privileges on the trusting domain by injecting SIDs from untrusted domains into the authorization data that comes from from the trusted domain.CVE-2002-0018ACCEPTED1Microsoft Windows NTSimple Network Management Protocol (SNMP)Harvey RubinovitzVulnerabilities in a large number of SNMP implementations allow remote attackers to cause a denial of service or gain privileges via SNMPv1 trap handling, as demonstrated by the PROTOS c06-SNMPv1 test suite. NOTE: It is highly likely that this candidate will be SPLIT into multiple candidates, one or more for each vendor. This and other SNMP-related candidates will be updated when more accurate information is available.CAN-2002-0012ACCEPTED1Red Hat Enterprise Linux 3OpenSSLJay BealeDRAFTINTERIMThe der_chop script in the openssl package in Trustix Secure Linux 1.5 through 2.1 and other operating systems allows local users to overwrite files via a symlink attack on temporary files.CAN-2004-0975INTERIM0Red Hat Linux 9ApacheJay BealeINTERIMJay BealeACCEPTEDApache 2 before 2.0.47, and certain versions of mod_ssl for Apache 1.3, do not properly handle "certain sequences of per-directory renegotiations and the SSLCipherSuite directive being used to upgrade from a weak ciphersuite to a strong one," which could cause Apache to use the weak ciphersuite.CAN-2003-0192ACCEPTED1Red Hat Linux 9ApacheJay BealeINTERIMJay BealeACCEPTEDThe prefork MPM in Apache 2 before 2.0.47 does not properly handle certain errors from accept, which could lead to a denial of service.CAN-2003-0253ACCEPTED1Sun Solaris 8CDEDavid ProulxCDE ToolTalk database server (ttdbserver) allows local users to overwrite arbitrary files via a symlink attack on the transaction log file used by the _TT_TRANSACTION RPC procedure.CVE-2002-0678ACCEPTED1Sun Solaris 7CDEDavid ProulxBuffer overflow in Common Desktop Environment (CDE) ToolTalk RPC database server (rpc.ttdbserverd) allows remote attackers to execute arbitrary code via an argument to the _TT_CREATE_FILE procedure.CVE-2002-0679ACCEPTED1Microsoft Windows 2000Internet Explorer 5.5Andrew ButtnerMicrosoft Internet Explorer 5.5 and 6.0 allows remote attackers to bypass the cross-domain security model to run malicious script or arbitrary programs via dialog boxes, aka "Improper Cross Domain Security Validation with dialog box."CVE-2003-1326ACCEPTED2Sun Solaris 7lbxproxyDavid ProulxBuffer overflow in Low BandWidth X proxy (lbxproxy) in Solaris 8 allows local users to execute arbitrary code via a long display command line option.CVE-2002-0090ACCEPTED1Microsoft Windows NTInternet Information Server 4.0Tiffany BergeronACCEPTEDBuffer overflow in the chunked encoding transfer mechanism in IIS 4.0 and 5.0 allows attackers to execute arbitrary code via the processing of HTR request sessions, aka "Heap Overrun in HTR Chunked Encoding Could Enable Web Server Compromise."CVE-2002-0364ACCEPTED3Red Hat Linux 9ApacheJay BealeINTERIMJay BealeACCEPTEDApache 2 before 2.0.47, when running on an IPv6 host, allows attackers to cause a denial of service (CPU consumption by infinite loop) when the FTP proxy server fails to create an IPv6 socket.CAN-2003-0254ACCEPTED1Microsoft Windows XPAuthenticodeTiffany BergeronAndrew ButtnerAndrew ButtnerACCEPTEDChristine WalzerChristine WalzerINTERIMACCEPTEDThe Authenticode capability in Microsoft Windows NT through Server 2003 does not prompt the user to download and install ActiveX controls when the system is low on memory, which could allow remote attackers execute arbitrary code without user approval.CAN-2003-0660ACCEPTED2Microsoft Windows 2000Microsoft Word 2000Christine WalzerChristine WalzerChristine WalzerDRAFTINTERIMACCEPTEDIngrid SkoogINTERIMACCEPTEDMicrosoft Word 2002, 2000, 97, and 98(J) does not properly check certain properties of a document, which allows attackers to bypass the macro security model and automatically execute arbitrary macros via a malicious document.CAN-2003-0664ACCEPTED2Microsoft Windows 2000SMB (Server Message Block)Christine WalzerChristine WalzerINTERIMACCEPTEDBuffer overflow in SMB (Server Message Block) protocol in Microsoft Windows NT, Windows 2000, and Windows XP allows attackers to cause a denial of service (crash) via a SMB_COM_TRANSACTION packet with a request for the (1) NetShareEnum, (2) NetServerEnum2, or (3) NetServerEnum3, aka "Unchecked Buffer in Network Share Provider Can Lead to Denial of Service".CAN-2002-0724ACCEPTED2Microsoft Windows 2000Certificate Enrollment ControlChristine WalzerACCEPTEDChristine WalzerINTERIMACCEPTEDUnknown vulnerability in the Certificate Enrollment ActiveX Control in Microsoft Windows 98, Windows 98 Second Edition, Windows Millennium, Windows NT 4.0, Windows 2000, and Windows XP allow remote attackers to delete digital certificates on a user's system via HTML.CAN-2002-0699ACCEPTED2Microsoft Windows 2000Internet Information Server 5.0Tiffany BergeronIIS 5.0 allows remote attackers to execute arbitrary commands via a malformed request for an executable file whose name is appended with operating system commands, aka the "Web Server File Request Parsing" vulnerability.CVE-2000-0886ACCEPTED3Sun Solaris 8CDEDavid ProulxBuffer overflow in Common Desktop Environment (CDE) ToolTalk RPC database server (rpc.ttdbserverd) allows remote attackers to execute arbitrary code via an argument to the _TT_CREATE_FILE procedure.CVE-2002-0679ACCEPTED1Red Hat Linux 9KDMJay BealeINTERIMACCEPTEDKDM in KDE 3.1.3 and earlier does not verify whether the pam_setcred function call succeeds, which may allow attackers to gain root privileges by triggering error conditions within PAM modules, as demonstrated in certain configurations of the MIT pam_krb5 module.CAN-2003-0690ACCEPTED1Microsoft Windows NTRemote Procedure Call (RPC)Christine WalzerDRAFTINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDBuffer overflow in a certain DCOM interface for RPC in Microsoft Windows NT 4.0, 2000, XP, and Server 2003 allows remote attackers to execute arbitrary code via a malformed message, as exploited by the Blaster/MSblast/LovSAN and Nachi/Welchia worms.CAN-2003-0352ACCEPTED2Sun Solaris 8kcms_serverDavid ProulxDirectory traversal vulnerability in Sun Kodak Color Management System (KCMS) library service daemon (kcms_server) allows remote attackers to read arbitrary files via the KCS_OPEN_PROFILE procedure.CVE-2003-0027ACCEPTED1Microsoft Windows 2000Internet Information Server 5.0Tiffany BergeronTiffany BergeronACCEPTEDBuffer overflow in ISAPI extension (idq.dll) in Index Server 2.0 and Indexing Service 2000 in IIS 6.0 beta and earlier allows remote attackers to execute arbitrary commands via a long argument to Internet Data Administration (.ida) and Internet Data Query (.idq) files such as default.ida, as commonly exploited by Code Red.CVE-2001-0500ACCEPTED3Microsoft Windows 2000Windows 2000Tiffany BergeronTiffany BergeronACCEPTEDThe Authenticode capability in Microsoft Windows NT through Server 2003 does not prompt the user to download and install ActiveX controls when the system is low on memory, which could allow remote attackers execute arbitrary code without user approval.CAN-2003-0660ACCEPTED1Microsoft Windows 2000Remote Data Protocol (RDP)Tiffany BergeronChristine WalzerINTERIMACCEPTEDRemote Data Protocol (RDP) version 5.0 in Microsoft Windows 2000 and RDP 5.1 in Windows XP does not encrypt the checksums of plaintext session data, which could allow a remote attacker to determine the contents of encrypted sessions via sniffing, aka "Weak Encryption in RDP Protocol."CAN-2002-0863ACCEPTED3Microsoft Windows 98Microsoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPWindows Script Engine for JScript v5.6Tiffany BergeronDavid ProulxDavid ProulxACCEPTEDChristine WalzerChristine WalzerINTERIMACCEPTEDInteger overflow in JsArrayFunctionHeapSort function used by Windows Script Engine for JScript (JScript.dll) on various Windows operating system allows remote attackers to execute arbitrary code via a malicious web page or HTML e-mail that uses a large array index value that enables a heap-based buffer overflow attack.CAN-2003-0010ACCEPTED3Microsoft Windows XPWindows XPTiffany BergeronAndrew ButtnerACCEPTEDChristine WalzerINTERIMACCEPTEDChristine WalzerINTERIMINTERIMACCEPTEDBuffer overflow in a function in User32.dll on Windows NT through Server 2003 allows local users to execute arbitrary code via long (1) LB_DIR messages to ListBox or (2) CB_DIR messages to ComboBox controls in a privileged application.CAN-2003-0659ACCEPTED3Microsoft Windows 2000Microsoft Word 2000Ingrid SkoogDRAFTINTERIMACCEPTEDIngrid SkoogINTERIMACCEPTEDMicrosoft Word and Excel allow remote attackers to steal sensitive information via certain field codes that insert the information when the document is returned to the attacker, as demonstrated in Word using (1) INCLUDETEXT or (2) INCLUDEPICTURE, aka "Flaw in Word Fields and Excel External Updates Could Lead to Information Disclosure."CAN-2002-1143ACCEPTED2Microsoft Windows 2000Internet Explorer 6.0Harvey RubinovitzACCEPTEDCross-site scripting vulnerability (XSS) in Internet Explorer 5.01 through 6.0 allows remote attackers to read and execute files on the local system via web pages using the <frame> or <iframe> element and javascript, aka "Frames Cross Site Scripting," as demonstrated using the PrivacyPolicy.dlg resource.CVE-2002-1187ACCEPTED1Microsoft Windows 2000Windows 2000Tiffany BergeronAndrew ButtnerACCEPTEDInternet Explorer allows remote attackers to bypass zone restrictions to inject and execute arbitrary programs by creating a popup window and inserting ActiveX object code with a "data" tag pointing to the malicious code, which Internet Explorer treats as HTML or Javascript, but later executes as an HTA application, a different vulnerability than CAN-2003-0532, and as exploited using the QHosts Trojan horse (aka Trojan.Qhosts, QHosts-1, VBS.QHOSTS, or aolfix.exe).CAN-2003-0838ACCEPTED1Microsoft Windows 2000Microsoft Word 2000Ingrid SkoogIngrid SkoogDRAFTINTERIMACCEPTEDIngrid SkoogINTERIMACCEPTEDMicrosoft Outlook 2000 and 2002, when configured to use Microsoft Word as the email editor, does not block scripts that are used while editing email messages in HTML or Rich Text Format (RTF), which could allow remote attackers to execute arbitrary scripts via an email that the user forwards or replies to.CVE-2002-1056ACCEPTED2Microsoft Windows 2000Microsoft Internet Explorer 5.01 Service Pack 2Andrew ButtnerDRAFTINTERIMACCEPTEDDouble-free vulnerability in mshtml.dll for certain versions of Internet Explorer 6.x allows remote attackers to cause a denial of service (application crash) via a malformed GIF image.CAN-2003-1048ACCEPTED1Microsoft Windows Server 2003Microsoft Internet Explorer 6 Service Pack 1 for Windows Server 2003Tiffany BergeronDRAFTINTERIMACCEPTEDHarvey RubinovitzINTERIMACCEPTEDThe WebBrowser ActiveX control, or the Internet Explorer HTML rendering engine (MSHTML), as used in Internet Explorer 6, allows remote attackers to execute arbitrary code in the Local Security context by using the showModalDialog method and modifiying the location to execute code such as Javascript, as demonstrated using (1) delayed HTTP redirect operations, and an HTTP response with a Location: header containing a "URL:" prepended to a "ms-its" protocol URI, or (2) modifying the location attribute of the window, as exploited by the Download.ject (aka Scob aka Toofer) using the ADODB.Stream object.CAN-2004-0549ACCEPTED2Microsoft Windows 2000Simple Network Management Protocol (SNMP)Tiffany BergeronBuffer overflow in SNMP agent service in Windows 95/98/98SE, Windows NT 4.0, Windows 2000, and Windows XP allows remote attackers to cause a denial of service or execute arbitrary code via a malformed management request. NOTE: this candidate may be split or merged with other candidates. This and other PROTOS-related candidates, especially CAN-2002-0012 and CAN-2002-0013, will be updated when more accurate information is available.CAN-2002-0053ACCEPTED1Microsoft Windows 2000Internet Information Server 5.0Harvey RubinovitzCross-site scripting vulnerability for Internet Information Server (IIS) 4.0, 5.0 and 5.1 allows remote attackers to execute arbitrary script as other web users via the error message used in a URL redirect (""302 Object Moved") message.CVE-2002-0075ACCEPTED1Microsoft Windows 2000Microsoft Internet Explorer 5.01 Service Pack 3Andrew ButtnerDRAFTINTERIMACCEPTEDDouble-free vulnerability in mshtml.dll for certain versions of Internet Explorer 6.x allows remote attackers to cause a denial of service (application crash) via a malformed GIF image.CAN-2003-1048ACCEPTED1Microsoft Windows 2000Messenger ServiceChristine WalzerACCEPTEDAndrew ButtnerACCEPTEDThe Messenger Service for Windows NT through Server 2003 does not properly verify the length of the message, which allows remote attackers to execute arbitrary code via a buffer overflow attack.CAN-2003-0717ACCEPTED2Red Hat Linux 9KDMJay BealeINTERIMACCEPTEDKDM in KDE 3.1.3 and earlier uses a weak session cookie generation algorithm that does not provide 128 bits of entropy, which allows attackers to guess session cookies via brute force methods and gain access to the user session.CAN-2003-0692ACCEPTED1Microsoft Windows 2000Microsoft Internet Explorer 5.01 Service Pack 4Ingrid SkoogDRAFTINTERIMACCEPTEDInteger overflow in imgbmp.cxx for Windows 2000 allows remote attackers to execute arbitrary code via a BMP image with a large bfOffBits value.CAN-2004-0566ACCEPTED1Microsoft Windows 2000Help and Support Center (HSC)Christine WalzerACCEPTEDChristine WalzerINTERIMACCEPTEDAndrew ButtnerINTERIMACCEPTEDStack-based buffer overflow in the PCHealth system in the Help and Support Center function in Windows XP and Windows Server 2003 allows remote attackers to execute arbitrary code via a long query in an HCP URLCAN-2003-0711ACCEPTED3Microsoft Windows NTDirectXChristine WalzerDRAFTINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDMultiple integer overflows in a Microsoft Windows DirectX MIDI library (QUARTZ.DLL) allow remote attackers to execute arbitrary code via a MIDI (.mid) file with (1) large length for a Text or Copyright string, or (2) a large number of tracks, which leads to a heap-based buffer overflow.CAN-2003-0346ACCEPTED2Microsoft Windows 2000Internet Explorer 5.5Harvey RubinovitzACCEPTEDCross-site scripting vulnerability (XSS) in Internet Explorer 5.01 through 6.0 allows remote attackers to read and execute files on the local system via web pages using the <frame> or <iframe> element and javascript, aka "Frames Cross Site Scripting," as demonstrated using the PrivacyPolicy.dlg resource.CVE-2002-1187ACCEPTED1Red Hat Linux 9krb5Jay BealeINTERIMJay BealeACCEPTEDInteger overflow in the xdrmem_getbytes() function, and possibly other functions, of XDR (external data representation) libraries derived from SunRPC, including libnsl, libc, glibc, and dietlibc, allows remote attackers to execute arbitrary code via certain integer values in length fields, a different vulnerability than CAN-2002-0391.CAN-2003-0028ACCEPTED1Microsoft Windows 2000Microsoft SQL ServerTiffany BergeronIngrid SkoogIngrid SkoogIngrid SkoogIngrid SkoogINTERIMIngrid SkoogACCEPTEDThe xp_displayparamstmt function in SQL Server and Microsoft SQL Server Desktop Engine (MSDE) does not properly restrict the length of a buffer before calling the srv_paraminfo function in the SQL Server API for Extended Stored Procedures (XP), which allows an attacker to cause a denial of service or execute arbitrary commands, aka the "Extended Stored Procedure Parameter Parsing" vulnerability.CAN-2000-1081ACCEPTED2Microsoft Windows 2000SQL Server 2000Yi-Fang KohJonathan BakerINTERIMINTERIMACCEPTEDIngrid SkoogIngrid SkoogIngrid SkoogIngrid SkoogIngrid SkoogIngrid SkoogIngrid SkoogIngrid SkoogIngrid SkoogIngrid SkoogIngrid SkoogIngrid SkoogIngrid SkoogINTERIMACCEPTEDMicrosoft SQL Server 7, 2000, and MSDE allows local users go gain privileges by hijacking a named pipe during the authentication of another user, aka the "Named Pipe Hijacking" vulnerabilityCAN-2003-0230ACCEPTED3Microsoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Internet Explorer 6 Service Pack 1Andrew ButtnerDRAFTINTERIMACCEPTEDDouble-free vulnerability in mshtml.dll for certain versions of Internet Explorer 6.x allows remote attackers to cause a denial of service (application crash) via a malformed GIF image.CAN-2003-1048ACCEPTED1Microsoft Windows 2000Windows 2000Tiffany BergeronAndrew ButtnerACCEPTEDBuffer overflow in Troubleshooter ActiveX Control (Tshoot.ocx) in Microsoft Windows 2000 SP4 and earlier allows remote attackers to execute arbitrary code via an HTML formatter e-mail or web page.CAN-2003-0662ACCEPTED1Microsoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000Microsoft Internet Explorer 5.5 Service Pack 2Tiffany BergeronDRAFTINTERIMACCEPTEDThe WebBrowser ActiveX control, or the Internet Explorer HTML rendering engine (MSHTML), as used in Internet Explorer 6, allows remote attackers to execute arbitrary code in the Local Security context by using the showModalDialog method and modifiying the location to execute code such as Javascript, as demonstrated using (1) delayed HTTP redirect operations, and an HTTP response with a Location: header containing a "URL:" prepended to a "ms-its" protocol URI, or (2) modifying the location attribute of the window, as exploited by the Download.ject (aka Scob aka Toofer) using the ADODB.Stream object.CAN-2004-0549ACCEPTED1Red Hat Linux 9krb5Jay BealeINTERIMJay BealeACCEPTEDThe Key Distribution Center (KDC) in Kerberos 5 (krb5) 1.2.7 and earlier allows remote, authenticated attackers to cause a denial of service (crash) on KDCs within the same realm using a certain protocol request that causes the KDC to corrupt its heap (aka "buffer underrun").CAN-2003-0082ACCEPTED1Microsoft Windows Server 2003Network News Transport Protocol (NNTP)Christine WalzerDRAFTINTERIMACCEPTEDThe Network News Transfer Protocol (NNTP) component of Microsoft Windows NT Server 4.0, Windows 2000 Server, Windows Server 2003, Exchange 2000 Server, and Exchange Server 2003 allows remote attackers to execute arbitrary code via XPAT patterns, possibly related to improper length validation and an "unchecked buffer," leading to off-by-one and heap-based buffer overflows.CAN-2004-0574ACCEPTED1Red Hat Linux 9krb5Jay BealeINTERIMJay BealeACCEPTEDVersion 4 of the Kerberos protocol (krb4), as used in Heimdal and other packages, allows an attacker to impersonate any principal in a realm via a chosen-plaintext attack.CAN-2003-0138ACCEPTED1Red Hat Linux 9krb5Jay BealeINTERIMJay BealeACCEPTEDCertain weaknesses in the implementation of version 4 of the Kerberos protocol (krb4) in the krb5 distribution, when triple-DES keys are used to key krb4 services, allow an attacker to create krb4 tickets for unauthorized principals using a cut-and-paste attack and "ticket splicing."CAN-2003-0139ACCEPTED1Microsoft Windows 2000Windows 2000Yi-Fang KohFormat string vulnerability in the C runtime functions in SQL Server 7.0 and 2000 allows attackers to cause a denial of service.CVE-2001-0879ACCEPTED1Red Hat Linux 9Linux kernelJay BealeINTERIMJay BealeACCEPTEDThe kernel module loader in Linux kernel 2.2.x before 2.2.25, and 2.4.x before 2.4.21, allows local users to gain root privileges by using ptrace to attach to a child process that is spawned by the kernel.CAN-2003-0127ACCEPTED1Microsoft Windows 2000Microsoft Internet Explorer 5.01 Service Pack 3Harvey RubinovitzDRAFTHarvey RubinovitzINTERIMBuffer overflow in the PNG image rendering component of Microsoft Internet Explorer allows remote attackers to execute arbitrary code via a crafted PNG file.CAN-2005-1211INTERIM0Microsoft Windows Server 2003SMB (Server Message Block)Jonathan BakerDRAFTINTERIMBuffer overflow in the Server Message Block (SMB) functionality for Microsoft Windows 2000, XP SP1 and SP2, and Server 2003 and SP1 allows remote attackers to execute arbitrary code via unknown vectors, aka the "Server Message Block Vulnerability."CAN-2005-1206INTERIM0Red Hat Linux 9NetfilterJay BealeINTERIMJay BealeACCEPTEDThe connection tracking core of Netfilter for Linux 2.4.20, with CONFIG_IP_NF_CONNTRACK enabled or the ip_conntrack module loaded, allows remote attackers to cause a denial of service (resource consumption) due to an inconsistency with Linux 2.4.20's support of linked lists, which causes Netfilter to fail to identify connections with an UNCONFIRMED status and use large timeouts.CAN-2003-0187ACCEPTED1Red Hat Linux 9NetfilterJay BealeINTERIMJay BealeACCEPTEDThe route cache implementation in Linux 2.4, and the Netfilter IP conntrack module, allows remote attackers to cause a denial of service (CPU consumption) via packets with forged source addresses that cause a large number of hash table collisions.CAN-2003-0244ACCEPTED1Microsoft Windows 2000Windows kernelChristine WalzerDRAFTINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDBuffer overflow in Windows Kernel allows local users to gain privileges by causing certain error messages to be passed to a debugger.CAN-2003-0112ACCEPTED2Red Hat Enterprise Linux 3GaimJay BealeDRAFTGaim before 1.3.1 allows remote attackers to cause a denial of service (crash) via a malformed MSN message that leads to a memory allocation of a large size, possibly due to an integer signedness error.CAN-2005-1934DRAFT0Microsoft Windows 2000Windows 2000Tiffany BergeronACCEPTEDHeap-based buffer overflow in the Distributed Component Object Model (DCOM) interface in the RPCSS Service allows remote attackers to execute arbitrary code via a malformed DCERPC DCOM object activation request packet with modified length fields, a different vulnerability than CAN-2003-0352 (Blaster/Nachi) and CAN-2003-0528.CAN-2003-0715ACCEPTED1Microsoft Windows XPClient Server Runtime System (CSRSS)Ingrid SkoogDRAFTINTERIMChristine WalzerACCEPTEDThe Client Server Runtime System (CSRSS) process of Microsoft Windows 2000, Windows XP SP1 and SP2, and Windows Server 2003 allows local users to gain privileges via a specially-designed application.CAN-2005-0551ACCEPTED1Microsoft Windows XPWindows XPTiffany BergeronAndrew ButtnerACCEPTEDChristine WalzerINTERIMACCEPTEDThe Messenger Service for Windows NT through Server 2003 does not properly verify the length of the message, which allows remote attackers to execute arbitrary code via a buffer overflow attack.CAN-2003-0717ACCEPTED2Microsoft Windows 2000Microsoft SQL Server 2000Yi-Fang KohIngrid SkoogIngrid SkoogINTERIMACCEPTEDBuffer overflow in SQL Server 7.0 and 2000 allows remote attackers to execute arbitrary code via a long OLE DB provider name to (1) OpenDataSource or (2) OpenRowset in an ad hoc connection.CAN-2002-0056ACCEPTED2Microsoft Windows 2000Internet Explorer 6.0Harvey RubinovitzACCEPTEDCross-Frame scripting vulnerability in the WebBrowser control as used in Internet Explorer 5.5 and 6.0 allows remote attackers to execute arbitrary code, read arbitrary files, or conduct other unauthorized activities via script that accesses the Document property, which bypasses <frame> and <iframe> domain restrictions.CAN-2002-1217ACCEPTED1Microsoft Windows 2000SMB Signing (Server Message Block)Christine WalzerACCEPTEDThe SMB signing capability in the Server Message Block (SMB) protocol in Microsoft Windows 2000 and Windows XP allows attackers to disable the digital signing settings in an SMB session to force the data to be sent unsigned, then inject data into the session without detection, e.g. by modifying group policy information sent from a domain controller.CVE-2002-1256ACCEPTED1Red Hat Linux 9Linux kernelJay BealeINTERIMJay BealeACCEPTEDThe ioperm system call in Linux kernel 2.4.20 and earlier does not properly restrict privileges, which allows local users to gain read or write access to certain I/O ports.CAN-2003-0246ACCEPTED1Microsoft Windows XPWindows Media Player for Windows XPTiffany BergeronACCEPTEDMicrosoft Windows Media Player versions 6.4 and 7.1 and Media Player for Windows XP allow remote attackers to bypass Internet Explorer's (IE) security mechanisms and run code via an executable .wma media file with a license installation requirement stored in the IE cache, aka the "Cache Path Disclosure via Windows Media Player".CVE-2002-0372ACCEPTED1Red Hat Linux 9Linux kernelJay BealeINTERIMJay BealeACCEPTEDUnknown vulnerability in the TTY layer of the Linux kernel 2.4 allows attackers to cause a denial of service ("kernel oops").CAN-2003-0247ACCEPTED1Microsoft Windows XPWindows Media Player for Windows XPTiffany BergeronACCEPTEDBuffer overflow in Microsoft Windows Media Player 6.4 allows remote attackers to execute arbitrary code via a malformed Advanced Streaming Format (ASF) file.CVE-2001-0719ACCEPTED1Microsoft Windows 2000SQL Server 2000Yi-Fang KohIngrid SkoogIngrid SkoogIngrid SkoogIngrid SkoogIngrid SkoogIngrid SkoogIngrid SkoogINTERIMACCEPTEDBuffer overflow in the password encryption function of Microsoft SQL Server 2000, including Microsoft SQL Server Desktop Engine (MSDE) 2000, allows remote attackers to gain control of the database and execute arbitrary code via SQL Server Authentication, aka "Unchecked Buffer in Password Encryption Procedure."CAN-2002-0624ACCEPTED2Red Hat Linux 9Linux kernelJay BealeINTERIMJay BealeACCEPTEDThe mxcsr code in Linux kernel 2.4 allows attackers to modify CPU state registers via a malformed address.CAN-2003-0248ACCEPTED1Microsoft Windows 95Microsoft Windows 98Microsoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000MDAC 2.6Ingrid SkoogDRAFTINTERIMACCEPTEDAndrew ButtnerINTERIMACCEPTEDHeap-based buffer overflow in the Remote Data Services (RDS) component of Microsoft Data Access Components (MDAC) 2.1 through 2.6, and Internet Explorer 5.01 through 6.0, allows remote attackers to execute code via a malformed HTTP request to the Data Stub.CVE-2002-1142ACCEPTED2Red Hat Linux 9Linux kernelJay BealeINTERIMJay BealeACCEPTEDThe TCP/IP fragment reassembly handling in the Linux kernel 2.4 allows remote attackers to cause a denial of service (CPU consumption) via certain packets that cause a large number of hash table collisions.CAN-2003-0364ACCEPTED1Microsoft Windows 2000Remote Procedure Call (RPC)Tiffany BergeronACCEPTEDBuffer overflow in a certain DCOM interface for RPC in Microsoft Windows NT 4.0, 2000, XP, and Server 2003 allows remote attackers to execute arbitrary code via a malformed message, as exploited by the Blaster/MSblast/LovSAN and Nachi/Welchia worms.CAN-2003-0352ACCEPTED1Microsoft Windows 2000Simple Network Management Protocol (SNMP)Harvey RubinovitzHarvey RubinovitzINTERIMACCEPTEDVulnerabilities in the SNMPv1 request handling of a large number of SNMP implementations allow remote attackers to cause a denial of service or gain privileges via (1) GetRequest, (2) GetNextRequest, and (3) SetRequest messages, as demonstrated by the PROTOS c06-SNMPv1 test suite. NOTE: It is highly likely that this candidate will be SPLIT into multiple candidates, one or more for each vendor. This and other SNMP-related candidates will be updated when more accurate information is available.CAN-2002-0013ACCEPTED2Microsoft Windows 2000SQL Server 2000Yi-Fang KohJonathan BakerINTERIMACCEPTEDIngrid SkoogIngrid SkoogIngrid SkoogIngrid SkoogIngrid SkoogIngrid SkoogIngrid SkoogIngrid SkoogIngrid SkoogIngrid SkoogINTERIMACCEPTEDMicrosoft SQL Server 7, 2000, and MSDE allows local or remote authenticated users to cause a denial of service (crash or hang) via a long request to a named pipeCAN-2003-0231ACCEPTED3Microsoft Windows 2000SQL Server 2000Yi-Fang KohJonathan BakerINTERIMACCEPTEDIngrid SkoogIngrid SkoogIngrid SkoogIngrid SkoogIngrid SkoogIngrid SkoogIngrid SkoogIngrid SkoogIngrid SkoogIngrid SkoogINTERIMACCEPTEDMicrosoft SQL Server 7, 2000, and MSDE allows local users to execute arbitrary code via a certain request to the Local Procedure Calls (LPC) port that leads to a buffer overflowCAN-2003-0232ACCEPTED3Red Hat Linux 9/proc/tty/driver/serialJay BealeINTERIMJay BealeACCEPTED/proc/tty/driver/serial in Linux 2.4.x reveals the exact number of characters used in serial links, which could allow local users to obtain potentially sensitive information such as the length of passwords.CAN-2003-0461ACCEPTED1Microsoft Windows 2000Microsoft Internet Explorer 5.01 Service Pack 3Ingrid SkoogDRAFTINTERIMACCEPTEDInteger overflow in imgbmp.cxx for Windows 2000 allows remote attackers to execute arbitrary code via a BMP image with a large bfOffBits value.CAN-2004-0566ACCEPTED1Microsoft Windows 2000Microsoft FrontPage Server Extensions 2000Tiffany BergeronTiffany BergeronINTERIMACCEPTEDUnknown vulnerability in the SmartHTML interpreter (shtml.dll) in Microsoft FrontPage Server Extensions 2000 and 2002, and Microsoft SharePoint Team Services 2002, allows remote attackers to cause a denial of service (response failure) via a certain request.CAN-2003-0824ACCEPTED1Red Hat Linux 9Linux kernelJay BealeINTERIMJay BealeACCEPTEDA race condition in the way env_start and env_end pointers are initialized in the execve system call and used in fs/proc/base.c on Linux 2.4 allows local users to cause a denial of service (crash).CAN-2003-0462ACCEPTED1Red Hat Linux 9Linux kernelJay BealeINTERIMJay BealeACCEPTEDThe RPC code in Linux kernel 2.4 sets the reuse flag when sockets are created, which could allow local users to bind to UDP ports that are used by privileged services such as nfsd.CAN-2003-0464ACCEPTED1Microsoft Windows 2000SQL Server 2000Yi-Fang KohIngrid SkoogIngrid SkoogIngrid SkoogIngrid SkoogIngrid SkoogIngrid SkoogIngrid SkoogIngrid SkoogINTERIMACCEPTEDBuffer overflow in bulk insert procedure of Microsoft SQL Server 2000, including Microsoft SQL Server Desktop Engine (MSDE) 2000, allows attackers with database administration privileges to execute arbitrary code via a long filename in the BULK INSERT query.CAN-2002-0641ACCEPTED2Microsoft Windows NTWindows NT 4.0Tiffany BergeronINTERIMACCEPTEDThe getCanonicalPath function in Windows NT 4.0 may free memory that it does not own and cause heap corruption, which allows attackers to cause a denial of service (crash) via requests that cause a long file name to be passed to getCanonicalPath, as demonstrated on the IBM JVM using a long string to the java.io.getCanonicalPath Java method.CAN-2003-0525ACCEPTED2Microsoft Windows XPWindows Media Player for Windows XPTiffany BergeronACCEPTEDDirectory traversal vulnerability in Microsoft Windows Media Player 7.1 and Windows Media Player for Windows XP allows remote attackers to execute arbitrary code via a skins file with a URL containing hex-encoded backslash characters (%5C) that causes an executable to be placed in an arbitrary location.CAN-2003-0228ACCEPTED1Microsoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000Microsoft Internet Explorer 5.5 Service Pack 2Ingrid SkoogDRAFTINTERIMACCEPTEDInteger overflow in imgbmp.cxx for Windows 2000 allows remote attackers to execute arbitrary code via a BMP image with a large bfOffBits value.CAN-2004-0566ACCEPTED1Red Hat Linux 9Linux kernelJay BealeINTERIMJay BealeACCEPTEDThe execve system call in Linux 2.4.x records the file descriptor of the executable process in the file table of the calling process, which allows local users to gain read access to restricted file descriptors.CAN-2003-0476ACCEPTED1Red Hat Linux 9Linux kernelJay BealeINTERIMJay BealeACCEPTEDThe /proc filesystem in Linux allows local users to obtain sensitive information by opening various entries in /proc/self before executing a setuid program, which causes the program to fail to change the ownership and permissions of those entries.CAN-2003-0501ACCEPTED1Microsoft Windows XPMicrosoft Color Management Module Christine WalzerDRAFT** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.CAN-2005-1219DRAFT0Microsoft Windows XPMicrosoft Windows Workstation ServiceAndrew ButtnerAndrew ButtnerINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDStack-based buffer overflow in a logging function for Windows Workstation Service (WKSSVC.DLL) allows remote attackers to execute arbitrary code via RPC calls that cause long entries to be written to a debug log file ("NetSetup.LOG"), as demonstrated using the NetAddAlternateComputerName API.CAN-2003-0812ACCEPTED2Microsoft Windows 2000Internet Explorer 5.5Harvey RubinovitzACCEPTEDCross-Frame scripting vulnerability in the WebBrowser control as used in Internet Explorer 5.5 and 6.0 allows remote attackers to execute arbitrary code, read arbitrary files, or conduct other unauthorized activities via script that accesses the Document property, which bypasses <frame> and <iframe> domain restrictions.CAN-2002-1217ACCEPTED1Microsoft Windows 2000Network News Transport Protocol (NNTP)Christine WalzerACCEPTEDMemory leak in NNTP service in Windows NT 4.0 and Windows 2000 allows remote attackers to cause a denial of service (memory exhaustion) via a large number of malformed posts.CVE-2001-0543ACCEPTED1Microsoft Windows 2000Microsoft Internet Explorer 5.01 Service Pack 2Andrew ButtnerAndrew ButtnerAndrew ButtnerINTERIMACCEPTEDInternet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions and execute Javascript by setting the window's "href" to the malicious Javascript, then calling execCommand("Refresh") to refresh the page, aka BodyRefreshLoadsJPU or the "ExecCommand Cross Domain" vulnerability.CAN-2003-0814ACCEPTED1Microsoft Windows 95Microsoft Windows 98Microsoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003Microsoft Word 2000Christine WalzerACCEPTEDIngrid SkoogINTERIMACCEPTEDMicrosoft Word 97, 98(J), 2000, and 2002, and Microsoft Works Suites 2001 through 2004, do not properly check the length of the "Macro names" data value, which could allow remote attackers to execute arbitrary code via a buffer overflow attack.CAN-2003-0820ACCEPTED2Microsoft Windows 2000Windows 2000Tiffany BergeronACCEPTEDChristine WalzerINTERIMINTERIMACCEPTEDBuffer overflow in a function in User32.dll on Windows NT through Server 2003 allows local users to execute arbitrary code via long (1) LB_DIR messages to ListBox or (2) CB_DIR messages to ComboBox controls in a privileged application.CAN-2003-0659ACCEPTED2Microsoft Windows 2000Microsoft Internet Explorer 5.01 Service Pack 3Andrew ButtnerAndrew ButtnerAndrew ButtnerINTERIMACCEPTEDInternet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions and execute Javascript by setting the window's "href" to the malicious Javascript, then calling execCommand("Refresh") to refresh the page, aka BodyRefreshLoadsJPU or the "ExecCommand Cross Domain" vulnerability.CAN-2003-0814ACCEPTED1Microsoft Windows 2000Microsoft Internet Explorer 5.01 Service Pack 4Andrew ButtnerAndrew ButtnerAndrew ButtnerINTERIMACCEPTEDInternet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions and execute Javascript by setting the window's "href" to the malicious Javascript, then calling execCommand("Refresh") to refresh the page, aka BodyRefreshLoadsJPU or the "ExecCommand Cross Domain" vulnerability.CAN-2003-0814ACCEPTED1Microsoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000Microsoft Internet Explorer 5.5 Service Pack 2Andrew ButtnerAndrew ButtnerAndrew ButtnerINTERIMACCEPTEDInternet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions and execute Javascript by setting the window's "href" to the malicious Javascript, then calling execCommand("Refresh") to refresh the page, aka BodyRefreshLoadsJPU or the "ExecCommand Cross Domain" vulnerability.CAN-2003-0814ACCEPTED1Microsoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Internet Explorer 6 Service Pack 1Andrew ButtnerAndrew ButtnerAndrew ButtnerAndrew ButtnerINTERIMACCEPTEDInternet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions and execute Javascript by setting the window's "href" to the malicious Javascript, then calling execCommand("Refresh") to refresh the page, aka BodyRefreshLoadsJPU or the "ExecCommand Cross Domain" vulnerability.CAN-2003-0814ACCEPTED1Red Hat Enterprise Linux 3phpJay BealeDRAFTRace condition in shtool 2.0.1 and earlier allows local users to create or modify arbitrary files via a symlink attack on the .shtool.$$ temporary file, a different vulnerability than CAN-2005-1759.CAN-2005-1751DRAFT0Microsoft Windows Server 2003Microsoft Internet Explorer 6 Service Pack 1 for Windows Server 2003Andrew ButtnerAndrew ButtnerAndrew ButtnerAndrew ButtnerINTERIMACCEPTEDHarvey RubinovitzINTERIMACCEPTEDInternet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions and execute Javascript by setting the window's "href" to the malicious Javascript, then calling execCommand("Refresh") to refresh the page, aka BodyRefreshLoadsJPU or the "ExecCommand Cross Domain" vulnerability.CAN-2003-0814ACCEPTED2Red Hat Enterprise Linux 3phpJay BealeDRAFTPEAR XML_RPC 1.3.0 and earlier, as used in products such as WordPress, Serendipity, and others, allows remote attackers to execute arbitrary PHP code via an XML file, which is not properly sanitized before being used in an eval statement.CAN-2005-1921DRAFT0Microsoft Windows 2000Microsoft Internet Explorer 5.01 Service Pack 2Andrew ButtnerAndrew ButtnerAndrew ButtnerINTERIMACCEPTEDInternet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions and read arbitrary files by (1) modifying the createTextRange method and using CreateLink, as demonstrated using LinkillerSaveRef, LinkillerJPU, and Linkiller, or (2) modifying the createRange method and using the FIND dialog to select text, as demonstrated using Findeath, aka the "Function Pointer Override Cross Domain" vulnerability.CAN-2003-0815ACCEPTED1Microsoft Windows 2000Microsoft Internet Explorer 5.01 Service Pack 3Andrew ButtnerAndrew ButtnerAndrew ButtnerINTERIMACCEPTEDInternet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions and read arbitrary files by (1) modifying the createTextRange method and using CreateLink, as demonstrated using LinkillerSaveRef, LinkillerJPU, and Linkiller, or (2) modifying the createRange method and using the FIND dialog to select text, as demonstrated using Findeath, aka the "Function Pointer Override Cross Domain" vulnerability.CAN-2003-0815ACCEPTED1Microsoft Windows 2000Microsoft Internet Explorer 5.01 Service Pack 4Andrew ButtnerAndrew ButtnerAndrew ButtnerINTERIMACCEPTEDInternet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions and read arbitrary files by (1) modifying the createTextRange method and using CreateLink, as demonstrated using LinkillerSaveRef, LinkillerJPU, and Linkiller, or (2) modifying the createRange method and using the FIND dialog to select text, as demonstrated using Findeath, aka the "Function Pointer Override Cross Domain" vulnerability.CAN-2003-0815ACCEPTED1Microsoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000Microsoft Internet Explorer 5.5 Service Pack 2Andrew ButtnerAndrew ButtnerAndrew ButtnerINTERIMACCEPTEDInternet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions and read arbitrary files by (1) modifying the createTextRange method and using CreateLink, as demonstrated using LinkillerSaveRef, LinkillerJPU, and Linkiller, or (2) modifying the createRange method and using the FIND dialog to select text, as demonstrated using Findeath, aka the "Function Pointer Override Cross Domain" vulnerability.CAN-2003-0815ACCEPTED1Microsoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Internet Explorer 6 Service Pack 1Andrew ButtnerAndrew ButtnerAndrew ButtnerAndrew ButtnerINTERIMACCEPTEDInternet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions and read arbitrary files by (1) modifying the createTextRange method and using CreateLink, as demonstrated using LinkillerSaveRef, LinkillerJPU, and Linkiller, or (2) modifying the createRange method and using the FIND dialog to select text, as demonstrated using Findeath, aka the "Function Pointer Override Cross Domain" vulnerability.CAN-2003-0815ACCEPTED1Microsoft Windows Server 2003Microsoft Internet Explorer 6 Service Pack 1 for Windows Server 2003Andrew ButtnerAndrew ButtnerAndrew ButtnerAndrew ButtnerINTERIMACCEPTEDHarvey RubinovitzINTERIMACCEPTEDInternet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions and read arbitrary files by (1) modifying the createTextRange method and using CreateLink, as demonstrated using LinkillerSaveRef, LinkillerJPU, and Linkiller, or (2) modifying the createRange method and using the FIND dialog to select text, as demonstrated using Findeath, aka the "Function Pointer Override Cross Domain" vulnerability.CAN-2003-0815ACCEPTED2Microsoft Windows 2000Microsoft Internet Explorer 5.01 Service Pack 2Andrew ButtnerAndrew ButtnerAndrew ButtnerINTERIMACCEPTEDInternet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions by (1) using the NavigateAndFind method to load a file: URL containing Javascript, as demonstrated by NAFfileJPU, (2) using the window.open method to load a file: URL containing Javascript, as demonstrated using WsOpenFileJPU, (3) setting the href property in the base tag for the _search window, as demonstrated using WsBASEjpu, (4) loading the search window into an Iframe, as demonstrated using WsFakeSrc, (5) caching a javascript: URL in the browser history, then accessing that URL in the same frame as the target domain, as demonstrated using WsOpenJpuInHistory, NAFjpuInHistory, BackMyParent, BackMyParent2, and RefBack, aka the "Script URLs Cross Domain" vulnerability.CAN-2003-0816ACCEPTED1Microsoft Windows 2000Microsoft Internet Explorer 5.01 Service Pack 3Andrew ButtnerAndrew ButtnerAndrew ButtnerINTERIMACCEPTEDInternet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions by (1) using the NavigateAndFind method to load a file: URL containing Javascript, as demonstrated by NAFfileJPU, (2) using the window.open method to load a file: URL containing Javascript, as demonstrated using WsOpenFileJPU, (3) setting the href property in the base tag for the _search window, as demonstrated using WsBASEjpu, (4) loading the search window into an Iframe, as demonstrated using WsFakeSrc, (5) caching a javascript: URL in the browser history, then accessing that URL in the same frame as the target domain, as demonstrated using WsOpenJpuInHistory, NAFjpuInHistory, BackMyParent, BackMyParent2, and RefBack, aka the "Script URLs Cross Domain" vulnerability.CAN-2003-0816ACCEPTED1Microsoft Windows 2000Microsoft Internet Explorer 5.01 Service Pack 4Andrew ButtnerAndrew ButtnerAndrew ButtnerINTERIMACCEPTEDInternet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions by (1) using the NavigateAndFind method to load a file: URL containing Javascript, as demonstrated by NAFfileJPU, (2) using the window.open method to load a file: URL containing Javascript, as demonstrated using WsOpenFileJPU, (3) setting the href property in the base tag for the _search window, as demonstrated using WsBASEjpu, (4) loading the search window into an Iframe, as demonstrated using WsFakeSrc, (5) caching a javascript: URL in the browser history, then accessing that URL in the same frame as the target domain, as demonstrated using WsOpenJpuInHistory, NAFjpuInHistory, BackMyParent, BackMyParent2, and RefBack, aka the "Script URLs Cross Domain" vulnerability.CAN-2003-0816ACCEPTED1Microsoft Windows XPMicrosoft FrontPage Server Extensions 2000Andrew ButtnerAndrew ButtnerINTERIMACCEPTEDBuffer overflow in the debug functionality in fp30reg.dll of Microsoft FrontPage Server Extensions 2000 and 2002 allows remote attackers to execute arbitrary code via a certain chunked encoded request.CAN-2003-0822ACCEPTED1Microsoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft FrontPage Server Extensions 2002Andrew ButtnerAndrew ButtnerINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDBuffer overflow in the debug functionality in fp30reg.dll of Microsoft FrontPage Server Extensions 2000 and 2002 allows remote attackers to execute arbitrary code via a certain chunked encoded request.CAN-2003-0822ACCEPTED2Microsoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003Microsoft SharePoint Team ServicesAndrew ButtnerAndrew ButtnerINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDBuffer overflow in the debug functionality in fp30reg.dll of Microsoft FrontPage Server Extensions 2000 and 2002 allows remote attackers to execute arbitrary code via a certain chunked encoded request.CAN-2003-0822ACCEPTED2Microsoft Windows 2000Microsoft Internet Explorer 5.01 Service Pack 2Andrew ButtnerAndrew ButtnerAndrew ButtnerINTERIMACCEPTEDInternet Explorer 6 SP1 and earlier allows remote attackers to direct drag and drop behaviors and other mouse click actions to other windows by calling the window.moveBy method, aka HijackClick, a different vulnerability than CAN-2003-1027.CAN-2003-0823ACCEPTED1Microsoft Windows 2000Microsoft Internet Explorer 5.01 Service Pack 3Andrew ButtnerAndrew ButtnerAndrew ButtnerINTERIMACCEPTEDInternet Explorer 6 SP1 and earlier allows remote attackers to direct drag and drop behaviors and other mouse click actions to other windows by calling the window.moveBy method, aka HijackClick, a different vulnerability than CAN-2003-1027.CAN-2003-0823ACCEPTED1Microsoft Windows 2000Microsoft Internet Explorer 5.01 Service Pack 4Andrew ButtnerAndrew ButtnerAndrew ButtnerINTERIMACCEPTEDInternet Explorer 6 SP1 and earlier allows remote attackers to direct drag and drop behaviors and other mouse click actions to other windows by calling the window.moveBy method, aka HijackClick, a different vulnerability than CAN-2003-1027.CAN-2003-0823ACCEPTED1Microsoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000Microsoft Internet Explorer 5.5 Service Pack 2Andrew ButtnerAndrew ButtnerAndrew ButtnerINTERIMACCEPTEDInternet Explorer 6 SP1 and earlier allows remote attackers to direct drag and drop behaviors and other mouse click actions to other windows by calling the window.moveBy method, aka HijackClick, a different vulnerability than CAN-2003-1027.CAN-2003-0823ACCEPTED1Microsoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Internet Explorer 6 Service Pack 1Andrew ButtnerAndrew ButtnerAndrew ButtnerAndrew ButtnerINTERIMACCEPTEDInternet Explorer 6 SP1 and earlier allows remote attackers to direct drag and drop behaviors and other mouse click actions to other windows by calling the window.moveBy method, aka HijackClick, a different vulnerability than CAN-2003-1027.CAN-2003-0823ACCEPTED1Microsoft Windows 2000Internet Information Server 5.0Tiffany BergeronChristine WalzerINTERIMACCEPTEDThe ASP function Response.AddHeader in Microsoft Internet Information Server (IIS) 4.0 and 5.0 does not limit memory requests when constructing headers, which allow remote attackers to generate a large header to cause a denial of service (memory consumption) with an ASP page.CAN-2003-0225ACCEPTED2Microsoft Windows 2000HTML Help ActiveX ControlChristine WalzerAndrew ButtnerACCEPTEDBuffer overflow in the HTML Help ActiveX Control (hhctrl.ocx) in Microsoft Windows 98, 98 Second Edition, Millennium Edition, NT 4.0, NT 4.0 Terminal Server Edition, Windows 2000, and Windows XP allows remote attackers to execute code via (1) a long parameter to the Alink function, or (2) script containing a long argument to the showHelp function.CAN-2002-0693ACCEPTED1Red Hat Linux 9Linux kernelJay BealeINTERIMJay BealeACCEPTEDThe STP protocol, as enabled in Linux 2.4.x, does not provide sufficient security by design, which allows attackers to modify the bridge topology.CAN-2003-0550ACCEPTED1Microsoft Windows Server 2003HTML Help FacilityAndrew ButtnerDRAFTINTERIMInteger overflow in Microsoft Windows 98, 2000, XP SP2 and earlier, and Server 2003 SP1 and earlier allows remote attackers to execute arbitrary code via a crafted compiled Help (.CHM) file with a large size field that triggers a heap-based buffer overflow, as demonstrated using a "ms-its:" URL in Internet Explorer.CAN-2005-1208INTERIM0Red Hat Enterprise Linux 3gzipJay BealeDRAFTINTERIMDirectory traversal vulnerability in gunzip -N in gzip 1.2.4 through 1.3.5 allows remote attackers to write to arbitrary directories via a .. (dot dot) in the original filename within a compressed file.CAN-2005-1228INTERIM0Red Hat Linux 9Linux kernelJay BealeINTERIMJay BealeACCEPTEDThe STP protocol implementation in Linux 2.4.x does not properly verify certain lengths, which could allow attackers to cause a denial of service.CAN-2003-0551ACCEPTED1Red Hat Linux 9Linux kernelJay BealeINTERIMJay BealeACCEPTEDLinux 2.4.x allows remote attackers to spoof the bridge Forwarding table via forged packets whose source addresses are the same as the target.CAN-2003-0552ACCEPTED1Red Hat Linux 9Linux kernelJay BealeINTERIMJay BealeACCEPTEDInteger signedness error in the decode_fh function of nfs3xdr.c in Linux kernel before 2.4.21 allows remote attackers to cause a denial of service (kernel panic) via a negative size value within XDR data of an NFSv3 procedure call.CAN-2003-0619ACCEPTED1Red Hat Linux 9Linux kernelJay BealeINTERIMJay BealeACCEPTEDThe C-Media PCI sound driver in Linux before 2.4.21 does not use the get_user function to access userspace, which crosses security boundaries and may facilitate the exploitation of vulnerabilities, a different vulnerability than CAN-2003-0700.CAN-2003-0699ACCEPTED1Microsoft Windows 2000Internet Explorer 6.0Harvey RubinovitzACCEPTEDInternet Explorer 5.5 and 6.0 allows remote attackers to bypass the cross-domain security model and access information on the local system or in other domains, and possibly execute code, via cached methods and objects, aka "Cross Domain Verification via Cached Methods."CAN-2002-1254ACCEPTED1Microsoft Windows XPMicrosoft Internet Explorer 6Tiffany BergeronAndrew ButtnerAndrew ButtnerINTERIMACCEPTEDInternet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions and execute Javascript by setting the window's "href" to the malicious Javascript, then calling execCommand("Refresh") to refresh the page, aka BodyRefreshLoadsJPU or the "ExecCommand Cross Domain" vulnerability.CAN-2003-0814ACCEPTED1Microsoft Windows 2000Internet Explorer 6.0Harvey RubinovitzACCEPTEDInternet Explorer 5.01 through 6.0 does not properly check certain parameters of a PNG file when opening it, which allows remote attackers to cause a denial of service (crash) by triggering a heap-based buffer overflow using invalid length codes during decompression, aka "Malformed PNG Image File Failure."CVE-2002-1185ACCEPTED1Red Hat Linux 9Linux kernelJay BealeINTERIMJay BealeACCEPTEDThe C-Media PCI sound driver in Linux before 2.4.22 does not use the get_user function to access userspace in certain conditions, which crosses security boundaries and may facilitate the exploitation of vulnerabilities, a different vulnerability than CAN-2003-0699.CAN-2003-0700ACCEPTED1Microsoft Windows NTSimple Network Management Protocol (SNMP)Matt BusbyMatthew BurtonDRAFTINTERIMACCEPTEDBuffer overflow in SNMP agent service in Windows 95/98/98SE, Windows NT 4.0, Windows 2000, and Windows XP allows remote attackers to cause a denial of service or execute arbitrary code via a malformed management request. NOTE: this candidate may be split or merged with other candidates. This and other PROTOS-related candidates, especially CAN-2002-0012 and CAN-2002-0013, will be updated when more accurate information is available.CAN-2002-0053ACCEPTED1Microsoft Windows 2000HTML Help FacilityChristine WalzerACCEPTEDChristine WalzerINTERIMACCEPTEDThe HTML Help facility in Microsoft Windows 98, 98 Second Edition, Millennium Edition, NT 4.0, NT 4.0 Terminal Server Edition, Windows 2000, and Windows XP uses the Local Computer Security Zone when opening .chm files from the Temporary Internet Files folder, which allows remote attackers to execute arbitrary code via HTML mail that references or inserts a malicious .chm file containing shortcuts that can be executed, aka "Code Execution via Compiled HTML Help File."CVE-2002-0694ACCEPTED2Microsoft Windows 2000ISA Server 2000Tiffany BergeronACCEPTEDThe Winsock Proxy service in Microsoft Proxy Server 2.0 and the Microsoft Firewall service in Internet Security and Acceleration (ISA) Server 2000 allow remote attackers to cause a denial of service (CPU consumption or packet storm) via a spoofed, malformed packet to UDP port 1745.CAN-2003-0110ACCEPTED0Microsoft Windows Server 2003Windows ShellHarvey RubinovitzDRAFTINTERIMACCEPTEDThe document processing application used by the Windows Shell in Microsoft Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code by modifying the CLSID stored in a file so that it is processed by HTML Application Host (MSHTA), as demonstrated using a Microsoft Word document.CAN-2005-0063ACCEPTED1Microsoft Windows 2000Internet Explorer 5.5Harvey RubinovitzACCEPTEDInternet Explorer 5.5 and 6.0 allows remote attackers to bypass the cross-domain security model and access information on the local system or in other domains, and possibly execute code, via cached methods and objects, aka "Cross Domain Verification via Cached Methods."CAN-2002-1254ACCEPTED1Microsoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000Microsoft Internet Explorer 5.5 Service Pack 2Andrew ButtnerAndrew ButtnerAndrew ButtnerINTERIMACCEPTEDInternet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions by (1) using the NavigateAndFind method to load a file: URL containing Javascript, as demonstrated by NAFfileJPU, (2) using the window.open method to load a file: URL containing Javascript, as demonstrated using WsOpenFileJPU, (3) setting the href property in the base tag for the _search window, as demonstrated using WsBASEjpu, (4) loading the search window into an Iframe, as demonstrated using WsFakeSrc, (5) caching a javascript: URL in the browser history, then accessing that URL in the same frame as the target domain, as demonstrated using WsOpenJpuInHistory, NAFjpuInHistory, BackMyParent, BackMyParent2, and RefBack, aka the "Script URLs Cross Domain" vulnerability.CAN-2003-0816ACCEPTED1Red Hat Linux 9KonquerorJay BealeINTERIMACCEPTEDKDE Konqueror for KDE 3.1.2 and earlier does not remove authentication credentials from URLs of the "user:password@host" form in the HTTP-Referer header, which could allow remote web sites to steal the credentials for pages that link to the sites.CAN-2003-0459ACCEPTED1Microsoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Internet Explorer 6 Service Pack 1Andrew ButtnerAndrew ButtnerAndrew ButtnerAndrew ButtnerINTERIMACCEPTEDInternet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions by (1) using the NavigateAndFind method to load a file: URL containing Javascript, as demonstrated by NAFfileJPU, (2) using the window.open method to load a file: URL containing Javascript, as demonstrated using WsOpenFileJPU, (3) setting the href property in the base tag for the _search window, as demonstrated using WsBASEjpu, (4) loading the search window into an Iframe, as demonstrated using WsFakeSrc, (5) caching a javascript: URL in the browser history, then accessing that URL in the same frame as the target domain, as demonstrated using WsOpenJpuInHistory, NAFjpuInHistory, BackMyParent, BackMyParent2, and RefBack, aka the "Script URLs Cross Domain" vulnerability.CAN-2003-0816ACCEPTED1Red Hat Linux 9LPRngJay BealeINTERIMJay BealeACCEPTEDpsbanner in the LPRng package allows local users to overwrite arbitrary files via a symbolic link attack on the /tmp/before file.CAN-2003-0136ACCEPTED1Microsoft Windows 2000Telnet protocolChristine WalzerChristine WalzerINTERIMACCEPTEDBuffer overflow in telnet server in Windows 2000 and Interix 2.2 allows remote attackers to execute arbitrary code via malformed protocol options.CVE-2002-0020ACCEPTED2Microsoft Windows 2000Microsoft Word 2002Ingrid SkoogDRAFTINTERIMACCEPTEDJonathan BakerINTERIMACCEPTEDMicrosoft Outlook 2000 and 2002, when configured to use Microsoft Word as the email editor, does not block scripts that are used while editing email messages in HTML or Rich Text Format (RTF), which could allow remote attackers to execute arbitrary scripts via an email that the user forwards or replies toCVE-2002-1056ACCEPTED2Red Hat Linux 9lvJay BealeINTERIMJay BealeACCEPTEDlv reads a .lv file from the current working directory, which allows local users to execute arbitrary commands as other lv users by placing malicious .lv files into other directories.CAN-2003-0188ACCEPTED1Red Hat Linux 9MuttJay BealeINTERIMACCEPTEDBuffer overflow in Mutt 1.4.0 and possibly earlier versions, 1.5.x up to 1.5.3, and other programs that use Mutt code such as Balsa before 2.0.10, allows a remote malicious IMAP server to cause a denial of service (crash) and possibly execute arbitrary code via a crafted folder.CAN-2003-0140ACCEPTED1Red Hat Linux 9MySQLJay BealeINTERIMJay BealeACCEPTEDDouble-free vulnerability in mysqld for MySQL before 3.23.55 allows attackers with MySQL access to cause a denial of service (crash) via mysql_change_user.CVE-2003-0073ACCEPTED1Microsoft Windows XPMicrosoft Color Management Module Christine WalzerDRAFT** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.CAN-2005-1219DRAFT0Red Hat Linux 9MySQLJay BealeINTERIMJay BealeACCEPTEDMySQL 3.23.55 and earlier creates world-writeable files and allows mysql users to gain root privileges by using the "SELECT * INFO OUTFILE" operator to overwrite a configuration file and cause mysql to run as root upon restart.CAN-2003-0150ACCEPTED1Red Hat Linux 9nfs-utilsJay BealeINTERIMJay BealeACCEPTEDOff-by-one error in the xlog function of mountd in the Linux NFS utils package (nfs-utils) before 1.0.4 allows remote attackers to cause a denial of service and possibly execute arbitrary code via certain RPC requests to mountd that do not contain newlines.CAN-2003-0252ACCEPTED1Microsoft Windows 2000Internet Explorer 6.0Harvey RubinovitzACCEPTEDInternet Explorer 5.01 through 6.0 allows remote attackers to identify the path to the Temporary Internet Files folder and obtain user information such as cookies via certain uses of the OBJECT tag, which are not subjected to the proper security checks, aka "Temporary Internet Files folders Name Reading."CVE-2002-1188ACCEPTED1Red Hat Linux 9OpenSSHJay BealeINTERIMJay BealeACCEPTEDOpenSSH-portable (OpenSSH) 3.6.1p1 and earlier with PAM support enabled immediately sends an error message when a user does not exist, which allows remote attackers to determine valid usernames via a timing attack.CAN-2003-0190ACCEPTED1Red Hat Linux 9OpenSSHJay BealeINTERIMJay BealeACCEPTED"Memory bugs" in OpenSSH 3.7.1 and earlier, with unknown impact, a different set of vulnerabilities than CAN-2003-0693 and CAN-2003-0695.CAN-2003-0682ACCEPTED1Red Hat Linux 9OpenSSHJay BealeINTERIMJay BealeACCEPTEDA "buffer management error" in buffer_append_space of buffer.c for OpenSSH before 3.7 may allow remote attackers to execute arbitrary code by causing an incorrect amount of memory to be freed and corrupting the heap, a different vulnerability than CAN-2003-0695.CAN-2003-0693ACCEPTED1Sun Solaris 9BindBrian SobyDRAFTINTERIMACCEPTEDBIND 8.3.x through 8.3.3 allows remote attackers to cause a denial of service (termination due to assertion failure) via a request for a subdomain that does not exist, with an OPT resource record with a large UDP payload size.CVE-2002-1220ACCEPTED1Microsoft Windows XPWindows kernelChristine WalzerDRAFTINTERIMACCEPTEDThe Local Procedure Call (LPC) interface of the Windows Kernel for Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 does not properly validate the lengths of messages sent to the LPC port, which allows local users to gain privileges, aka "Windows Kernel Vulnerability.CAN-2004-0893ACCEPTED1Microsoft Windows 2000Utilities Manager/Windows MessagingChristine WalzerACCEPTEDChristine WalzerINTERIMACCEPTEDThe control for listing accessibility options in the Accessibility Utility Manager on Windows 2000 (ListView) does not properly handle Windows messages, which allows local users to execute arbitrary code via a "Shatter" style message to the Utility Manager that references a user-controlled callback function.CAN-2003-0350ACCEPTED2Red Hat Linux 9OpenSSHJay BealeINTERIMJay BealeACCEPTEDMultiple "buffer management errors" in OpenSSH before 3.7.1 may allow attackers to cause a denial of service or execute arbitrary code using (1) buffer_init in buffer.c, (2) buffer_free in buffer.c, or (3) a separate function in channels.c, a different vulnerability than CAN-2003-0693.CAN-2003-0695ACCEPTED1Microsoft Windows Server 2003Microsoft Internet Explorer 6 Service Pack 1 for Windows Server 2003Andrew ButtnerAndrew ButtnerAndrew ButtnerAndrew ButtnerINTERIMACCEPTEDHarvey RubinovitzINTERIMACCEPTEDInternet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions by (1) using the NavigateAndFind method to load a file: URL containing Javascript, as demonstrated by NAFfileJPU, (2) using the window.open method to load a file: URL containing Javascript, as demonstrated using WsOpenFileJPU, (3) setting the href property in the base tag for the _search window, as demonstrated using WsBASEjpu, (4) loading the search window into an Iframe, as demonstrated using WsFakeSrc, (5) caching a javascript: URL in the browser history, then accessing that URL in the same frame as the target domain, as demonstrated using WsOpenJpuInHistory, NAFjpuInHistory, BackMyParent, BackMyParent2, and RefBack, aka the "Script URLs Cross Domain" vulnerability.CAN-2003-0816ACCEPTED2Red Hat Linux 9OpenSSLJay BealeINTERIMJay BealeJay BealeACCEPTEDThe SSL and TLS components for OpenSSL 0.9.6i and earlier, 0.9.7, and 0.9.7a allow remote attackers to perform an unauthorized RSA private key operation via a modified Bleichenbacher attack that uses a large number of SSL or TLS connections using PKCS #1 v1.5 padding that cause OpenSSL to leak information regarding the relationship between ciphertext and the associated plaintext, aka the "Klima-Pokorny-Rosa attack."CAN-2003-0131ACCEPTED1Microsoft Windows 2000HTML Help FacilityAndrew ButtnerDRAFTINTERIM** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.CAN-2005-1208INTERIM0Red Hat Linux 9OpenSSLJay BealeINTERIMJay BealeJay BealeACCEPTEDOpenSSL does not use RSA blinding by default, which allows local and remote attackers to obtain the server's private key by determining factors using timing differences on (1) the number of extra reductions during Montgomery reduction, and (2) the use of different integer multiplication algorithms ("Karatsuba" and normal).CAN-2003-0147ACCEPTED1Microsoft Windows 2000Small Business Server 2000Jonathan BakerDRAFTINTERIM** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.CAN-2005-1206INTERIM0Microsoft Windows 2000ISA Server 2000Christine WalzerDRAFTINTERIMMicrosoft ISA Server 2000 allows remote attackers to connect to services utilizing the NetBIOS protocol via a NetBIOS connection with an ISA Server that uses the NetBIOS (all) predefined packet filter.CAN-2005-1216INTERIM0Red Hat Linux 9pam_smbJay BealeINTERIMJay BealeACCEPTEDBuffer overflow in PAM SMB module (pam_smb) 1.1.6 and earlier, when authenticating to a remote service, allows remote attackers to execute arbitrary code.CAN-2003-0686ACCEPTED1Red Hat Linux 9CGI.pmJay BealeINTERIMACCEPTEDCross-site scripting (XSS) vulnerability in start_form() of CGI.pm allows remote attackers to insert web script via a URL that is fed into the form's action parameter.CAN-2003-0615ACCEPTED1Microsoft Windows 2000Internet Explorer 5.01Harvey RubinovitzACCEPTEDInternet Explorer 5.01 through 6.0 does not properly perform security checks on certain encoded characters within a URL, which allows a remote attacker to steal potentially sensitive information from a user by redirecting the user to another site that has that information, aka "Encoded Characters Information Disclosure."CVE-2002-1186ACCEPTED1Microsoft Windows XPMicrosoft Internet Explorer 6Tiffany BergeronAndrew ButtnerAndrew ButtnerINTERIMACCEPTEDInternet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions and read arbitrary files by (1) modifying the createTextRange method and using CreateLink, as demonstrated using LinkillerSaveRef, LinkillerJPU, and Linkiller, or (2) modifying the createRange method and using the FIND dialog to select text, as demonstrated using Findeath, aka the "Function Pointer Override Cross Domain" vulnerability.CAN-2003-0815ACCEPTED1Microsoft Windows 2000Microsoft Windows Server 2003Microsoft Exchange Server 2003Andrew ButtnerINTERIMACCEPTEDMicrosoft Exchange 2003 and Outlook Web Access (OWA), when configured to use NTLM authentication, does not properly reuse HTTP connections, which can cause OWA users to view mailboxes of other users when Kerberos has been disabled as an authentication method for IIS 6.0, e.g. when SharePoint Services 2.0 is installed.CAN-2003-0904ACCEPTED1Microsoft Windows 2000Microsoft Windows Server 2003Microsoft Internet Security and Acceleration Server 2000David ProulxINTERIMACCEPTEDBuffer overflow in the H.323 filter of Microsoft Internet Security and Acceleration Server 2000 allows remote attackers to execute arbitrary code in the Microsoft Firewall Service via certain H.323 traffic, as demonstrated by the NISCC/OUSPG PROTOS test suite for the H.225 protocol.CAN-2003-0819ACCEPTED1Microsoft Windows XPMicrosoft Internet Explorer 6Microsoft Internet Explorer 6 Service Pack 1Tiffany BergeronAndrew ButtnerAndrew ButtnerINTERIMACCEPTEDInternet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions by (1) using the NavigateAndFind method to load a file: URL containing Javascript, as demonstrated by NAFfileJPU, (2) using the window.open method to load a file: URL containing Javascript, as demonstrated using WsOpenFileJPU, (3) setting the href property in the base tag for the _search window, as demonstrated using WsBASEjpu, (4) loading the search window into an Iframe, as demonstrated using WsFakeSrc, (5) caching a javascript: URL in the browser history, then accessing that URL in the same frame as the target domain, as demonstrated using WsOpenJpuInHistory, NAFjpuInHistory, BackMyParent, BackMyParent2, and RefBack, aka the "Script URLs Cross Domain" vulnerability.CAN-2003-0816ACCEPTED1Microsoft Windows 2000Internet Information Server 5.0Tiffany BergeronACCEPTEDChristine WalzerINTERIMACCEPTEDBuffer overflow in ssinc.dll for Microsoft Internet Information Services (IIS) 5.0 allows local users to execute arbitrary code via a web page with a Server Side Include (SSI) directive with a long filename, aka "Server Side Include Web Pages Buffer Overrun."CAN-2003-0224ACCEPTED2Microsoft Windows 2000Microsoft SQL Server 2000Matthew BurtonMatthew BurtonMatthew BurtonDRAFTINTERIMACCEPTEDIngrid SkoogINTERIMACCEPTEDBuffer overflow in the SQLXML ISAPI extension of Microsoft SQL Server 2000 allows remote attackers to execute arbitrary code via data queries with a long content-type parameter, aka "Unchecked Buffer in SQLXML ISAPI Extension.CVE-2002-0186ACCEPTED2Red Hat Linux 9phpJay BealeINTERIMJay BealeACCEPTEDCross-site scripting (XSS) vulnerability in the transparent SID support capability for PHP before 4.3.2 (session.use_trans_sid) allows remote attackers to insert arbitrary script via the PHPSESSID parameter.CAN-2003-0442ACCEPTED1Microsoft Windows 2000Microsoft SQL Server 2000Matthew BurtonMatthew BurtonDRAFTINTERIMACCEPTEDIngrid SkoogINTERIMACCEPTEDBuffer overflow in the SQLXML ISAPI extension of Microsoft SQL Server 2000 allows remote attackers to execute arbitrary code via data queries with a long content-type parameter, aka "Unchecked Buffer in SQLXML ISAPI Extension."CVE-2002-0186ACCEPTED2Microsoft Windows 2000Microsoft Internet Explorer 5.01 Service Pack 2Andrew ButtnerINTERIMACCEPTEDInternet Explorer 5.01 through 6 SP1 allows remote attackers to spoof the domain of a URL via a "%01" character before an @ sign in the user@domain portion of the URL, which hides the rest of the URL, including the real site, in the address bar, aka the "Improper URL Canonicalization Vulnerability."CAN-2003-1025ACCEPTED1Microsoft Windows 2000Microsoft Internet Explorer 5.01 Service Pack 3Andrew ButtnerINTERIMACCEPTEDInternet Explorer 5.01 through 6 SP1 allows remote attackers to spoof the domain of a URL via a "%01" character before an @ sign in the user@domain portion of the URL, which hides the rest of the URL, including the real site, in the address bar, aka the "Improper URL Canonicalization Vulnerability."CAN-2003-1025ACCEPTED1Microsoft Windows 2000Remote Procedure Call (RPC)Tiffany BergeronACCEPTEDThe RPC DCOM interface in Windows 2000 SP3 and SP4 allows remote attackers to cause a denial of service (crash), and local attackers to use the DoS to hijack the epmapper pipe to gain privileges, via certain messages to the __RemoteGetClassObject interface that cause a NULL pointer to be passed to the PerformScmStage function.CAN-2003-0605ACCEPTED1Microsoft Windows 2000Internet Explorer 5.5Harvey RubinovitzACCEPTEDInternet Explorer 5.01 through 6.0 does not properly perform security checks on certain encoded characters within a URL, which allows a remote attacker to steal potentially sensitive information from a user by redirecting the user to another site that has that information, aka "Encoded Characters Information Disclosure."CVE-2002-1186ACCEPTED1Red Hat Linux 9pineJay BealeINTERIMJay BealeACCEPTEDBuffer overflow in PINE before 4.58 allows remote attackers to execute arbitrary code via a malformed message/external-body MIME type.CAN-2003-0720ACCEPTED1Microsoft Windows NTRemote Access Service (RAS)Matt BusbyINTERIMACCEPTEDThe default permissions for the RAS Administration key in Windows NT 4.0 allows local users to execute arbitrary commands by changing the value to point to a malicious DLL, aka one of the "Registry Permissions" vulnerabilities.CAN-2001-0045ACCEPTED1Red Hat Linux 9pineJay BealeINTERIMJay BealeACCEPTEDInteger signedness error in rfc2231_get_param from strings.c in PINE before 4.58 allows remote attackers to execute arbitrary code via an email that causes an out-of-bounds array access using a negative number.CAN-2003-0721ACCEPTED1Microsoft Windows XPMicrosoft Internet Explorer 6Ingrid SkoogDRAFTINTERIMACCEPTEDInteger overflow in imgbmp.cxx for Windows 2000 allows remote attackers to execute arbitrary code via a BMP image with a large bfOffBits value.CAN-2004-0566ACCEPTED1Microsoft Windows 2000Microsoft Internet Explorer 5.01 Service Pack 2Andrew ButtnerAndrew ButtnerAndrew ButtnerINTERIMACCEPTEDInternet Explorer 5.01 through 6 SP1 allows remote attackers to bypass zone restrictions and read arbitrary files via an XML object.CAN-2003-0817ACCEPTED1Microsoft Windows 2000Microsoft Internet Explorer 5.01 Service Pack 4Andrew ButtnerDRAFTINTERIMACCEPTEDDouble-free vulnerability in mshtml.dll for certain versions of Internet Explorer 6.x allows remote attackers to cause a denial of service (application crash) via a malformed GIF image.CAN-2003-1048ACCEPTED1Microsoft Windows 2000Microsoft Internet Explorer 5.01 Service Pack 4Andrew ButtnerINTERIMACCEPTEDInternet Explorer 5.01 through 6 SP1 allows remote attackers to spoof the domain of a URL via a "%01" character before an @ sign in the user@domain portion of the URL, which hides the rest of the URL, including the real site, in the address bar, aka the "Improper URL Canonicalization Vulnerability."CAN-2003-1025ACCEPTED1Microsoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000Microsoft Internet Explorer 5.5 Service Pack 2Andrew ButtnerINTERIMACCEPTEDInternet Explorer 5.01 through 6 SP1 allows remote attackers to spoof the domain of a URL via a "%01" character before an @ sign in the user@domain portion of the URL, which hides the rest of the URL, including the real site, in the address bar, aka the "Improper URL Canonicalization Vulnerability."CAN-2003-1025ACCEPTED1Microsoft Windows XPMicrosoft Internet Explorer 6Andrew ButtnerINTERIMACCEPTEDInternet Explorer 5.01 through 6 SP1 allows remote attackers to spoof the domain of a URL via a "%01" character before an @ sign in the user@domain portion of the URL, which hides the rest of the URL, including the real site, in the address bar, aka the "Improper URL Canonicalization Vulnerability."CAN-2003-1025ACCEPTED1Microsoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Internet Explorer 6 Service Pack 1Andrew ButtnerINTERIMACCEPTEDInternet Explorer 5.01 through 6 SP1 allows remote attackers to spoof the domain of a URL via a "%01" character before an @ sign in the user@domain portion of the URL, which hides the rest of the URL, including the real site, in the address bar, aka the "Improper URL Canonicalization Vulnerability."CAN-2003-1025ACCEPTED1Microsoft Windows 2000Microsoft Internet Explorer 5.01 Service Pack 2Ingrid SkoogDRAFTINTERIMACCEPTEDInteger overflow in imgbmp.cxx for Windows 2000 allows remote attackers to execute arbitrary code via a BMP image with a large bfOffBits value.CAN-2004-0566ACCEPTED1Microsoft Windows Server 2003Microsoft Internet Explorer 6 Service Pack 1 for Windows Server 2003Andrew ButtnerDRAFTINTERIMACCEPTEDHarvey RubinovitzINTERIMACCEPTEDDouble-free vulnerability in mshtml.dll for certain versions of Internet Explorer 6.x allows remote attackers to cause a denial of service (application crash) via a malformed GIF image.CAN-2003-1048ACCEPTED2Microsoft Windows XPMicrosoft Internet Explorer 6Tiffany BergeronDRAFTINTERIMACCEPTEDThe WebBrowser ActiveX control, or the Internet Explorer HTML rendering engine (MSHTML), as used in Internet Explorer 6, allows remote attackers to execute arbitrary code in the Local Security context by using the showModalDialog method and modifiying the location to execute code such as Javascript, as demonstrated using (1) delayed HTTP redirect operations, and an HTTP response with a Location: header containing a "URL:" prepended to a "ms-its" protocol URI, or (2) modifying the location attribute of the window, as exploited by the Download.ject (aka Scob aka Toofer) using the ADODB.Stream object.CAN-2004-0549ACCEPTED1Microsoft Windows 2000Microsoft Internet Explorer 5.01 Service Pack 3Andrew ButtnerAndrew ButtnerAndrew ButtnerINTERIMACCEPTEDInternet Explorer 5.01 through 6 SP1 allows remote attackers to bypass zone restrictions and read arbitrary files via an XML object.CAN-2003-0817ACCEPTED1Red Hat Linux 9PostfixJay BealeINTERIMACCEPTEDPostfix 1.1.11 and earlier allows remote attackers to use Postfix to conduct "bounce scans" or DDos attacks of other hosts via an email address to the local host containing the target IP address and service name followed by a "!" string, which causes Postfix to attempt to use SMTP to communicate with the target on the associated port.CAN-2003-0468ACCEPTED1Microsoft Windows 95Microsoft Windows 98Microsoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000Microsoft Data Access Compnents 2.5Christine WalzerINTERIMACCEPTEDBuffer overflow in a component of Microsoft Data Access Components (MDAC) 2.5 through 2.8 allows remote attackers to execute arbitrary code via a malformed UDP response to a broadcast request.CVE-2003-0903ACCEPTED1Microsoft Windows Server 2003Microsoft Internet Explorer 6 Service Pack 1 for Windows Server 2003Andrew ButtnerINTERIMACCEPTEDHarvey RubinovitzINTERIMACCEPTEDInternet Explorer 5.01 through 6 SP1 allows remote attackers to spoof the domain of a URL via a "%01" character before an @ sign in the user@domain portion of the URL, which hides the rest of the URL, including the real site, in the address bar, aka the "Improper URL Canonicalization Vulnerability."CAN-2003-1025ACCEPTED2Microsoft Windows 2000Microsoft Internet Explorer 5.01 Service Pack 2Andrew ButtnerAndrew ButtnerINTERIMACCEPTEDInternet Explorer 5.01 through 6 SP1 allows remote attackers to direct drag and drop behaviors and other mouse click actions to other windows by using method caching (SaveRef) to access the window.moveBy method, which is otherwise inaccessible, as demonstrated by HijackClickV2, a different vulnerability than CAN-2003-0823, aka the "Function Pointer Drag and Drop Vulnerability."CAN-2003-1027ACCEPTED1Microsoft Windows 2000Microsoft Internet Explorer 5.01 Service Pack 3Andrew ButtnerAndrew ButtnerINTERIMACCEPTEDInternet Explorer 5.01 through 6 SP1 allows remote attackers to direct drag and drop behaviors and other mouse click actions to other windows by using method caching (SaveRef) to access the window.moveBy method, which is otherwise inaccessible, as demonstrated by HijackClickV2, a different vulnerability than CAN-2003-0823, aka the "Function Pointer Drag and Drop Vulnerability."CAN-2003-1027ACCEPTED1Microsoft Windows 2000Microsoft Internet Explorer 5.01 Service Pack 4Andrew ButtnerAndrew ButtnerINTERIMACCEPTEDInternet Explorer 5.01 through 6 SP1 allows remote attackers to direct drag and drop behaviors and other mouse click actions to other windows by using method caching (SaveRef) to access the window.moveBy method, which is otherwise inaccessible, as demonstrated by HijackClickV2, a different vulnerability than CAN-2003-0823, aka the "Function Pointer Drag and Drop Vulnerability."CAN-2003-1027ACCEPTED1Microsoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000Microsoft Internet Explorer 5.5 Service Pack 2Andrew ButtnerAndrew ButtnerINTERIMACCEPTEDInternet Explorer 5.01 through 6 SP1 allows remote attackers to direct drag and drop behaviors and other mouse click actions to other windows by using method caching (SaveRef) to access the window.moveBy method, which is otherwise inaccessible, as demonstrated by HijackClickV2, a different vulnerability than CAN-2003-0823, aka the "Function Pointer Drag and Drop Vulnerability."CAN-2003-1027ACCEPTED1Microsoft Windows XPMicrosoft Internet Explorer 6Andrew ButtnerAndrew ButtnerINTERIMACCEPTEDInternet Explorer 5.01 through 6 SP1 allows remote attackers to direct drag and drop behaviors and other mouse click actions to other windows by using method caching (SaveRef) to access the window.moveBy method, which is otherwise inaccessible, as demonstrated by HijackClickV2, a different vulnerability than CAN-2003-0823, aka the "Function Pointer Drag and Drop Vulnerability."CAN-2003-1027ACCEPTED1Microsoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Internet Explorer 6 Service Pack 1Andrew ButtnerAndrew ButtnerINTERIMACCEPTEDInternet Explorer 5.01 through 6 SP1 allows remote attackers to direct drag and drop behaviors and other mouse click actions to other windows by using method caching (SaveRef) to access the window.moveBy method, which is otherwise inaccessible, as demonstrated by HijackClickV2, a different vulnerability than CAN-2003-0823, aka the "Function Pointer Drag and Drop Vulnerability."CAN-2003-1027ACCEPTED1Microsoft Windows XPMicrosoft Word for Windows 6.0 ConverterChristine WalzerDRAFTINTERIMACCEPTEDMicrosoft Word for Windows 6.0 Converter does not properly validate certain data lengths, which allows remote attackers to execute arbitrary code via a .wri, .rtf, and .doc file sent by email or malicious web site, aka "Font Conversion Vulnerability," a different vulnerability than CAN-2004-0571.CAN-2004-0901ACCEPTED1Microsoft Windows 2000Internet Explorer 5.5Harvey RubinovitzACCEPTEDInternet Explorer 5.01 through 6.0 does not properly check certain parameters of a PNG file when opening it, which allows remote attackers to cause a denial of service (crash) by triggering a heap-based buffer overflow using invalid length codes during decompression, aka "Malformed PNG Image File Failure."CVE-2002-1185ACCEPTED1Microsoft Windows XPMicrosoft Internet Explorer 6Microsoft Internet Explorer 6 Service Pack 1Tiffany BergeronAndrew ButtnerAndrew ButtnerINTERIMACCEPTEDInternet Explorer 5.01 through 6 SP1 allows remote attackers to bypass zone restrictions and read arbitrary files via an XML object.CAN-2003-0817ACCEPTED1Red Hat Linux 9PostfixJay BealeINTERIMACCEPTEDThe address parser code in Postfix 1.1.12 and earlier allows remote attackers to cause a denial of service (lock) via (1) a malformed envelope address to a local host that would generate a bounce and contains the ".!" string in the MAIL FROM or Errors-To headers, which causes nqmgr to lock up, or (2) via a valid MAIL FROM with a RCPT TO containing a ".!" string, which causes an instance of the SMTP listener to lock up.CAN-2003-0540ACCEPTED1Microsoft Windows 2000Microsoft Internet Explorer 5.01 Service Pack 4Andrew ButtnerAndrew ButtnerAndrew ButtnerINTERIMACCEPTEDInternet Explorer 5.01 through 6 SP1 allows remote attackers to bypass zone restrictions and read arbitrary files via an XML object.CAN-2003-0817ACCEPTED1Microsoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000Microsoft Internet Explorer 5.5 Service Pack 2Andrew ButtnerAndrew ButtnerAndrew ButtnerINTERIMACCEPTEDInternet Explorer 5.01 through 6 SP1 allows remote attackers to bypass zone restrictions and read arbitrary files via an XML object.CAN-2003-0817ACCEPTED1Red Hat Linux 9smbdJay BealeINTERIMJay BealeACCEPTEDBuffer overflow in the SMB/CIFS packet fragment re-assembly code for SMB daemon (smbd) in Samba before 2.2.8, and Samba-TNG before 0.3.1, allows remote attackers to execute arbitrary code.CAN-2003-0085ACCEPTED1Microsoft Windows 95Microsoft Windows 98Microsoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000Microsoft Data Access Compnents 2.6Christine WalzerINTERIMACCEPTEDBuffer overflow in a component of Microsoft Data Access Components (MDAC) 2.5 through 2.8 allows remote attackers to execute arbitrary code via a malformed UDP response to a broadcast request.CVE-2003-0903ACCEPTED1Red Hat Linux 9SambaJay BealeINTERIMJay BealeACCEPTEDThe code for writing reg files in Samba before 2.2.8 allows local users to overwrite arbitrary files via a race condition involving chown.CAN-2003-0086ACCEPTED1Sun Solaris 7XsunBrian SobyDRAFTINTERIMACCEPTEDBuffer overflow in Xsun in Solaris 8 and earlier allows local users to execute arbitrary commands via a long HOME environmental variableCVE-2001-0422ACCEPTED1Microsoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Internet Explorer 6 Service Pack 1Andrew ButtnerAndrew ButtnerAndrew ButtnerAndrew ButtnerINTERIMACCEPTEDInternet Explorer 5.01 through 6 SP1 allows remote attackers to bypass zone restrictions and read arbitrary files via an XML object.CAN-2003-0817ACCEPTED1Red Hat Linux 9SambaJay BealeINTERIMJay BealeACCEPTEDMultiple buffer overflows in Samba before 2.2.8a may allow remote attackers to execute arbitrary code or cause a denial of service, as discovered by the Samba team and a different vulnerability than CAN-2003-0201.CAN-2003-0196ACCEPTED1Microsoft Windows Server 2003Microsoft Internet Explorer 6 Service Pack 1 for Windows Server 2003Andrew ButtnerAndrew ButtnerAndrew ButtnerAndrew ButtnerINTERIMACCEPTEDHarvey RubinovitzINTERIMACCEPTEDInternet Explorer 5.01 through 6 SP1 allows remote attackers to bypass zone restrictions and read arbitrary files via an XML object.CAN-2003-0817ACCEPTED2Red Hat Linux 9Samba, Samba-TNGJay BealeINTERIMJay BealeACCEPTEDBuffer overflow in the call_trans2open function in trans2.c for Samba 2.2.x before 2.2.8a, 2.0.10 and earlier 2.0.x versions, and Samba-TNG before 0.3.2, allows remote attackers to execute arbitrary code.CAN-2003-0201ACCEPTED1Red Hat Linux 9semi MIME libraryJay BealeINTERIMJay BealeACCEPTEDThe (1) semi MIME library 1.14.5 and earlier, and (2) wemi 1.14.0 and possibly other versions, allows local users to overwrite arbitrary files via a symlink attack on temporary files.CAN-2003-0440ACCEPTED1Red Hat Linux 9SendmailJay BealeINTERIMJay BealeACCEPTEDThe prescan function in Sendmail 8.12.9 allows remote attackers to execute arbitrary code via buffer overflow attacks, as demonstrated using the parseaddr function in parseaddr.c.CAN-2003-0694ACCEPTED1Microsoft Windows XPWindows ShellHarvey RubinovitzDRAFTINTERIMACCEPTEDThe document processing application used by the Windows Shell in Microsoft Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code by modifying the CLSID stored in a a file so that it is processed by HTML Application Host (MSHTA), as demonstrated using a Microsoft Word document.CAN-2005-0063ACCEPTED1Microsoft Windows 2000Microsoft Windows Workstation ServiceTiffany BergeronACCEPTEDStack-based buffer overflow in a logging function for Windows Workstation Service (WKSSVC.DLL) allows remote attackers to execute arbitrary code via RPC calls that cause long entries to be written to a debug log file ("NetSetup.LOG"), as demonstrated using the NetAddAlternateComputerName API.CAN-2003-0812ACCEPTED1Microsoft Windows 98Microsoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Virtual Machine (VM)Tiffany BergeronINTERIMACCEPTEDTwo vulnerabilities in Microsoft Virtual Machine (VM) up to and including build 5.0.3805, as used in Internet Explorer and other applications, allow remote attackers to read files via a Java applet with a spoofed location in the CODEBASE parameter in the APPLET tag, possibly due to a parsing error.CAN-2002-1258ACCEPTED1Microsoft Windows 95Microsoft Windows 98Microsoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003Microsoft Word 97Andrew ButtnerINTERIMACCEPTEDIngrid SkoogINTERIMIngrid SkoogMicrosoft Word 97, 98(J), 2000, and 2002, and Microsoft Works Suites 2001 through 2004, do not properly check the length of the "Macro names" data value, which could allow remote attackers to execute arbitrary code via a buffer overflow attack.CAN-2003-0820INTERIM1Microsoft Windows 95Microsoft Windows 98Microsoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003Microsoft Word 98Andrew ButtnerINTERIMACCEPTEDMicrosoft Word 97, 98(J), 2000, and 2002, and Microsoft Works Suites 2001 through 2004, do not properly check the length of the "Macro names" data value, which could allow remote attackers to execute arbitrary code via a buffer overflow attack.CAN-2003-0820ACCEPTED1Microsoft Windows Server 2003Windows ShellHarvey RubinovitzDRAFTINTERIMACCEPTEDThe document processing application used by the Windows Shell in Microsoft Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code by modifying the CLSID stored in a a file so that it is processed by HTML Application Host (MSHTA), as demonstrated using a Microsoft Word document.CAN-2005-0063ACCEPTED1Microsoft Windows Server 2003Microsoft Internet Explorer 6 Service Pack 1 for Windows Server 2003Andrew ButtnerAndrew ButtnerAndrew ButtnerAndrew ButtnerINTERIMACCEPTEDHarvey RubinovitzINTERIMACCEPTEDInternet Explorer 6 SP1 and earlier allows remote attackers to direct drag and drop behaviors and other mouse click actions to other windows by calling the window.moveBy method, aka HijackClick, a different vulnerability than CAN-2003-1027.CAN-2003-0823ACCEPTED2Microsoft Windows NTMicrosoft FrontPage Server Extensions 2000Andrew ButtnerAndrew ButtnerINTERIMACCEPTEDUnknown vulnerability in the SmartHTML interpreter (shtml.dll) in Microsoft FrontPage Server Extensions 2000 and 2002, and Microsoft SharePoint Team Services 2002, allows remote attackers to cause a denial of service (response failure) via a certain request.CAN-2003-0824ACCEPTED1Sun Solaris 7Sun Solaris 8Sun Solaris 9Licence Logging ServiceBrian SobyDRAFTINTERIMACCEPTEDUnknown vulnerability in the rwho daemon (in.rwhod) for Solaris 7 through 9 allows remote attackers to execute arbitrary code.CAN-2004-1351ACCEPTED1Microsoft Windows 2000Microsoft Windows XPMSN MessengerChristine WalzerDRAFTINTERIMACCEPTEDMultiple buffer overflows in libpng 1.2.5 and earlier, as used in multiple products, allow remote attackers to execute arbitrary code via malformed PNG images in which (1) the png_handle_tRNS function does not properly validate the length of transparency chunk (tRNS) data, or the (2) png_handle_sBIT or (3) png_handle_hIST functions do not perform sufficient bounds checking.CAN-2004-0597ACCEPTED1Red Hat Linux 9SendmailJay BealeINTERIMJay BealeACCEPTEDA "potential buffer overflow in ruleset parsing" for Sendmail 8.12.9, when using the nonstandard rulesets (1) recipient (2), final, or (3) mailer-specific envelope recipients, has unknown consequences.CAN-2003-0681ACCEPTED1Red Hat Linux 9SendmailJay BealeINTERIMJay BealeACCEPTEDThe DNS map code in Sendmail 8.12.8 and earlier, when using the "enhdnsbl" feature, does not properly initialize certain data structures, which allows remote attackers to cause a denial of service (process crash) via an invalid DNS response that causes Sendmail to free incorrect data.CAN-2003-0688ACCEPTED1Red Hat Linux 9SendmailJay BealeINTERIMJay BealeACCEPTEDThe prescan function in Sendmail 8.12.9 allows remote attackers to execute arbitrary code via buffer overflow attacks, as demonstrated using the parseaddr function in parseaddr.c.CAN-2003-0694ACCEPTED1Microsoft Windows Server 2003Services for UNIXJonathan BakerDRAFTINTERIMThe Telnet client for Microsoft Windows XP, Windows Server 2003, and Windows Services for UNIX allows remote attackers to read sensitive environment variables via the NEW-ENVIRON option with a SEND ENV_USERVAR command.CAN-2005-1205INTERIM0Microsoft Windows XPMicrosoft FrontPage Server Extensions 2000Andrew ButtnerAndrew ButtnerINTERIMACCEPTEDUnknown vulnerability in the SmartHTML interpreter (shtml.dll) in Microsoft FrontPage Server Extensions 2000 and 2002, and Microsoft SharePoint Team Services 2002, allows remote attackers to cause a denial of service (response failure) via a certain request.CAN-2003-0824ACCEPTED1Microsoft Windows Server 2003Microsoft Internet Explorer 6.0 for Windows Server 2003Harvey RubinovitzDRAFTINTERIMThe legacy <script> data-island capability for XML in Microsoft Internet Explorer 5.01, 5.5, and 6.0 allows remote attackers to read arbitrary XML files, and portions of other files, via a URL whose "src" attribute redirects to a local file.CVE-2002-0648INTERIM0Red Hat Linux 9SquirrelMailJay BealeINTERIMJay BealeACCEPTEDMultiple cross-site scripting (XSS) vulnerabilities in SquirrelMail before 1.2.11 allow remote attackers to inject arbitrary HTML code and steal information from a client's web browser.CAN-2003-0160ACCEPTED1Red Hat Linux 9unzipJay BealeINTERIMJay BealeACCEPTEDDirectory traversal vulnerability in UnZip 5.50 allows attackers to overwrite arbitrary files via invalid characters between two . (dot) characters, which are filtered and result in a ".." sequence.CAN-2003-0282ACCEPTED1Red Hat Enterprise Linux 3sysreportJay BealeDRAFTsysreport 1.3.15 and earlier includes contents of the up2date file in a report, which leaks the password for a proxy server in plaintext and allows local users to gain privileges.CAN-2005-1760DRAFT0Microsoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft FrontPage Server Extensions 2002Andrew ButtnerAndrew ButtnerINTERIMACCEPTEDChristine WalzerINTERIMUnknown vulnerability in the SmartHTML interpreter (shtml.dll) in Microsoft FrontPage Server Extensions 2000 and 2002, and Microsoft SharePoint Team Services 2002, allows remote attackers to cause a denial of service (response failure) via a certain request.CAN-2003-0824INTERIM1Microsoft Windows Server 2003Microsoft Internet Explorer 6 Service Pack 1 for Windows Server 2003Andrew ButtnerAndrew ButtnerINTERIMACCEPTEDHarvey RubinovitzINTERIMACCEPTEDInternet Explorer 5.01 through 6 SP1 allows remote attackers to direct drag and drop behaviors and other mouse click actions to other windows by using method caching (SaveRef) to access the window.moveBy method, which is otherwise inaccessible, as demonstrated by HijackClickV2, a different vulnerability than CAN-2003-0823, aka the "Function Pointer Drag and Drop Vulnerability."CAN-2003-1027ACCEPTED2Microsoft Windows 2000Microsoft Internet Explorer 5.01 Service Pack 2Andrew ButtnerAndrew ButtnerINTERIMACCEPTEDInternet Explorer 5.01 through 6 SP1 allows remote attackers to bypass zone restrictions via a javascript protocol URL in a sub-frame, which is added to the history list and executed in the top window's zone when the history.back (back) function is called, as demonstrated by BackToFramedJpu, aka the "Travel Log Cross Domain Vulnerability."CAN-2003-1026ACCEPTED1Red Hat Linux 9up2dateJay BealeINTERIMJay BealeACCEPTEDup2date 3.0.7 and 3.1.23 does not properly verify RPM GPG signatures, which could allow remote attackers to cause unsigned packages to be installed from the Red Hat Network, if that network is compromised.CAN-2003-0546ACCEPTED1Red Hat Linux 9vsftpdJay BealeINTERIMJay BealeACCEPTEDvsftpd FTP daemon in Red Hat Linux 9 is not compiled against TCP wrappers (tcp_wrappers) but is installed as a standalone service, which inadvertently prevents vsftpd from restricting access as intended.CAN-2003-0135ACCEPTED1Microsoft Windows 95Microsoft Windows 98Microsoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003Microsoft Excel 2000Christine WalzerACCEPTEDIngrid SkoogINTERIMACCEPTEDMicrosoft Excel 97, 2000, and 2002 allows remote attackers to execute arbitrary code via a spreadsheet with a malicious XLM (Excel 4) macro that bypasses the macro security model.CAN-2003-0821ACCEPTED2Microsoft Windows 2000Microsoft Internet Explorer 5.01 Service Pack 3Andrew ButtnerAndrew ButtnerINTERIMACCEPTEDInternet Explorer 5.01 through 6 SP1 allows remote attackers to bypass zone restrictions via a javascript protocol URL in a sub-frame, which is added to the history list and executed in the top window's zone when the history.back (back) function is called, as demonstrated by BackToFramedJpu, aka the "Travel Log Cross Domain Vulnerability."CAN-2003-1026ACCEPTED1Microsoft Windows NTMDAC 2.8Ingrid SkoogDRAFTINTERIMACCEPTEDThe License Logging service for Windows NT Server, Windows 2000 Server, and Windows Server 2003 does not properly validate the length of messages, which leads to an "unchecked buffer" and allows remote attackers to cause a denial of service (crash) and possibly execute arbtirary code, aka the "License Logging Service Vulnerability."CAN-2005-0050ACCEPTED1Red Hat Enterprise Linux 3mikmodJay BealeDRAFTINTERIMBuffer overflow in mikmod 3.1.6 and earlier allows remote attackers to execute arbitrary code via an archive file that contains a file with a long filename.CAN-2003-0427INTERIM0Microsoft Windows 2000Microsoft ASN.1 LibraryAndrew ButtnerINTERIMACCEPTEDMultiple integer overflows in Microsoft ASN.1 library (MSASN1.DLL), as used in LSASS.EXE, CRYPT32.DLL, and other Microsoft executables and libraries on Windows NT 4.0, 2000, and XP, allow remote attackers to execute arbitrary code via ASN.1 BER encodings with (1) very large length fields that cause arbitrary heap data to be overwritten, or (2) modified bit strings.CAN-2003-0818ACCEPTED1Red Hat Linux 9xinetdJay BealeINTERIMJay BealeJay BealeACCEPTEDMemory leak in xinetd 2.3.10 allows remote attackers to cause a denial of service (memory consumption) via a large number of rejected connections.CAN-2003-0211ACCEPTED1Red Hat Linux 9xpdfJay BealeINTERIMACCEPTEDVarious PDF viewers including Adobe Acrobat 5.06 and Xpdf 1.01 allow remote attackers to execute arbitrary commands via shell metacharacters in an embedded hyperlink.CAN-2003-0434ACCEPTED1Red Hat Linux 9ypservJay BealeINTERIMJay BealeACCEPTEDypserv NIS server before 2.7 allows remote attackers to cause a denial of service via a TCP client request that does not respond to the server, which causes ypserv to block.CAN-2003-0251ACCEPTED1Microsoft Windows 95Microsoft Windows 98Microsoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003Microsoft Word 2002Andrew ButtnerINTERIMACCEPTEDIngrid SkoogINTERIMACCEPTEDMicrosoft Word 97, 98(J), 2000, and 2002, and Microsoft Works Suites 2001 through 2004, do not properly check the length of the "Macro names" data value, which could allow remote attackers to execute arbitrary code via a buffer overflow attack.CAN-2003-0820ACCEPTED2Microsoft Windows 95Microsoft Windows 98Microsoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003Microsoft Excel 97Andrew ButtnerINTERIMACCEPTEDIngrid SkoogINTERIMMicrosoft Excel 97, 2000, and 2002 allows remote attackers to execute arbitrary code via a spreadsheet with a malicious XLM (Excel 4) macro that bypasses the macro security model.CAN-2003-0821INTERIM1Red Hat Enterprise Linux 3postgresqlJay BealeDRAFTINTERIMPostgreSQL 7.3.x through 8.0.x gives public EXECUTE access to certain character conversion functions, which allows unprivileged users to call those functions with malicious values, with unknown impact, aka the "Character conversion vulnerability."CAN-2005-1409INTERIM0Microsoft Windows NTNetDDE AgentIngrid SkoogDRAFTINTERIMACCEPTEDNetDDE Agent on Windows NT 4.0, 4.0 Terminal Server Edition, Windows 2000, and Windows XP allows local users to execute arbitrary code as LocalSystem via "shatter" style attack by sending a WM_COPYDATA message followed by a WM_TIMER message, as demonstrated by GetAd, aka "Flaw in Windows WM_TIMER Message Handling Could Enable Privilege Elevation."CVE-2002-1230ACCEPTED1Microsoft Windows 2000Microsoft AgentHarvey RubinovitzDRAFTHarvey RubinovitzINTERIMMicrosoft Agent allows remote attackers to spoof trusted Internet content and execute arbitrary code by disguising security prompts on a malicious Web page.CAN-2005-1214INTERIM0Microsoft Windows 2000Microsoft Windows Server 2003Microsoft Exchange Server 2003Charles SchmidtDRAFTINTERIMACCEPTEDReview blocked recipient list1.2.7ACCEPTED1Corresponds to item 1.2.7 in the Exchange 2003 BenchmarkMicrosoft Windows XPMicrosoft Word for Windows 6.0 ConverterChristine WalzerDRAFTINTERIMJonathan BakerIngrid SkoogACCEPTEDMicrosoft Word for Windows 6.0 Converter does not properly validate certain data lengths, which allows remote attackers to execute arbitrary code via a .wri, .rtf, and .doc file sent by email or malicious web site, aka "Table Conversion Vulnerability," a different vulnerability than CAN-2004-0901CAN-2004-0571ACCEPTED1Microsoft Windows 2000Microsoft Internet Explorer 5.01 Service Pack 4Andrew ButtnerAndrew ButtnerINTERIMACCEPTEDInternet Explorer 5.01 through 6 SP1 allows remote attackers to bypass zone restrictions via a javascript protocol URL in a sub-frame, which is added to the history list and executed in the top window's zone when the history.back (back) function is called, as demonstrated by BackToFramedJpu, aka the "Travel Log Cross Domain Vulnerability."CAN-2003-1026ACCEPTED1Microsoft Windows 2000Microsoft Windows Server 2003Microsoft Exchange Server 2003Charles SchmidtDRAFTINTERIMACCEPTEDReview the global accept and deny lists.1.2.1ACCEPTED1Corresponds to item 1.2.1 in the Exchange 2003 BenchmarkMicrosoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000Microsoft Internet Explorer 5.5 Service Pack 2Andrew ButtnerAndrew ButtnerINTERIMACCEPTEDInternet Explorer 5.01 through 6 SP1 allows remote attackers to bypass zone restrictions via a javascript protocol URL in a sub-frame, which is added to the history list and executed in the top window's zone when the history.back (back) function is called, as demonstrated by BackToFramedJpu, aka the "Travel Log Cross Domain Vulnerability."CAN-2003-1026ACCEPTED1Microsoft Windows 2000Internet Explorer 5.5Harvey RubinovitzACCEPTEDInternet Explorer 5.01 through 6.0 allows remote attackers to identify the path to the Temporary Internet Files folder and obtain user information such as cookies via certain uses of the OBJECT tag, which are not subjected to the proper security checks, aka "Temporary Internet Files folders Name Reading."CVE-2002-1188ACCEPTED1Microsoft Windows 95Microsoft Windows 98Microsoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003Microsoft Excel 2002Andrew ButtnerINTERIMACCEPTEDIngrid SkoogINTERIMACCEPTEDMicrosoft Excel 97, 2000, and 2002 allows remote attackers to execute arbitrary code via a spreadsheet with a malicious XLM (Excel 4) macro that bypasses the macro security model.CAN-2003-0821ACCEPTED2Microsoft Windows NTMicrosoft FrontPage Server Extensions 2000Andrew ButtnerAndrew ButtnerINTERIMACCEPTEDBuffer overflow in the debug functionality in fp30reg.dll of Microsoft FrontPage Server Extensions 2000 and 2002 allows remote attackers to execute arbitrary code via a certain chunked encoded request.CAN-2003-0822ACCEPTED1Microsoft Windows 2000Windows Internet Naming Service (WINS)Andrew ButtnerINTERIMACCEPTEDThe Windows Internet Naming Service (WINS) for Microsoft Windows Server 2003, and possibly Windows NT and Server 2000, does not properly validate the length of certain packets, which allows attackers to cause a denial of service and possibly execute arbitrary code.CVE-2003-0825ACCEPTED1Microsoft Windows XPInternet Explorer 6Harvey RubinovitzDRAFTINTERIMHarvey RubinovitzACCEPTEDInternet Explorer 5.01, 5.5, and 6 does not properly validate buffers when handling certain DHTML methods including the createControlRange Javascript function, which allows remote attackers to execute arbitrary code, aka the "DHTML Method Heap Memory Corruption Vulnerability."CAN-2005-0055ACCEPTED1Red Hat Enterprise Linux 3ImageMagickJay BealeDRAFTINTERIMHeap-based buffer overflow in the ReadPNMImage function in pnm.c for ImageMagick 6.2.1 and earlier allows remote attackers to cause a denial of service (application crash) via a PNM file with a small colors value.CAN-2005-1275INTERIM0Microsoft Windows NTWindows Animated CursorChristine WalzerDRAFTINTERIMACCEPTEDThe Windows Animated Cursor (ANI) in Windows NT, Windows 2000 through SP4, Windows XP through SP1, and Windows 2003 allows remote attackers to cause a denial of service (kernel crash or resource consumption) via the (1) frame number or (2) rate number set to zeroCAN-2004-1305ACCEPTED1Microsoft Windows 2000Hyperlink Object LibraryChristine WalzerDRAFTINTERIMACCEPTED** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.CAN-2005-0057ACCEPTED1Red Hat Enterprise Linux 3gftpJay BealeDRAFTINTERIMDirectory traversal vulnerability in gftp 2.0.18 and earlier for GTK+ allows remote malicious FTP servers to read arbitrary files via .. (dot dot) sequences in filenames returned from a LIST command.CAN-2005-0372INTERIM0Microsoft Windows Server 2003Web Client ServiceMatthew BurtonDRAFTBuffer overflow in the Web Client service in Microsoft Windows XP and Windows Server 2003 allows remote authenticated users to execute arbitrary code via a crafted WebDAV request containing special parameters.CAN-2005-1207DRAFT0Microsoft Windows XPMicrosoft Internet Explorer 6Microsoft Internet Explorer 6 Service Pack 1Tiffany BergeronAndrew ButtnerAndrew ButtnerINTERIMACCEPTEDInternet Explorer 6 SP1 and earlier allows remote attackers to direct drag and drop behaviors and other mouse click actions to other windows by calling the window.moveBy method, aka HijackClick, a different vulnerability than CAN-2003-1027.CAN-2003-0823ACCEPTED1Microsoft Windows 2000Microsoft FrontPage Server Extensions 2000Tiffany BergeronAndrew ButtnerINTERIMACCEPTEDBuffer overflow in the debug functionality in fp30reg.dll of Microsoft FrontPage Server Extensions 2000 and 2002 allows remote attackers to execute arbitrary code via a certain chunked encoded request.CAN-2003-0822ACCEPTED1Red Hat Enterprise Linux 3GaimJay BealeDRAFTGaim before 1.3.1 allows remote attackers to cause a denial of service (application crash) via a Yahoo! message with non-ASCII characters in a file name.CAN-2005-1269DRAFT0Microsoft Windows XPMicrosoft Internet Explorer 6Andrew ButtnerAndrew ButtnerINTERIMACCEPTEDInternet Explorer 5.01 through 6 SP1 allows remote attackers to bypass zone restrictions via a javascript protocol URL in a sub-frame, which is added to the history list and executed in the top window's zone when the history.back (back) function is called, as demonstrated by BackToFramedJpu, aka the "Travel Log Cross Domain Vulnerability."CAN-2003-1026ACCEPTED1Red Hat Enterprise Linux 3bzip2Jay BealeDRAFTbzip2 allows remote attackers to cause a denial of service (hard drive consumption) via a crafted bzip2 file that causes an infinite loop (a.k.a "decompression bomb").CAN-2005-1260DRAFT0Microsoft Windows 98Microsoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Data Access Compnents 2.7Christine WalzerINTERIMACCEPTEDBuffer overflow in a component of Microsoft Data Access Components (MDAC) 2.5 through 2.8 allows remote attackers to execute arbitrary code via a malformed UDP response to a broadcast request.CVE-2003-0903ACCEPTED1Microsoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003Microsoft SharePoint Team ServicesAndrew ButtnerAndrew ButtnerINTERIMACCEPTEDChristine WalzerINTERIMUnknown vulnerability in the SmartHTML interpreter (shtml.dll) in Microsoft FrontPage Server Extensions 2000 and 2002, and Microsoft SharePoint Team Services 2002, allows remote attackers to cause a denial of service (response failure) via a certain request.CAN-2003-0824INTERIM1Microsoft Windows 2000Microsoft Windows Server 2003Microsoft Exchange Server 2003Charles SchmidtDRAFTINTERIMACCEPTEDReview whether anonymous HTTP access is allowed2.1.2ACCEPTED1Corresponds to item 2.1.2 in the Exchange 2003 BenchmarkMicrosoft Windows Server 2003Microsoft Color Management Module Christine WalzerDRAFT** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.CAN-2005-1219DRAFT0Microsoft Windows 2000Microsoft Windows XPMicrosoft Internet Explorer 6 Service Pack 1Harvey RubinovitzDRAFTHarvey RubinovitzINTERIMBuffer overflow in the PNG image rendering component of Microsoft Internet Explorer allows remote attackers to execute arbitrary code via a crafted PNG file. CAN-2005-1211INTERIM0Microsoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Internet Explorer 6 Service Pack 1Andrew ButtnerAndrew ButtnerINTERIMACCEPTEDInternet Explorer 5.01 through 6 SP1 allows remote attackers to bypass zone restrictions via a javascript protocol URL in a sub-frame, which is added to the history list and executed in the top window's zone when the history.back (back) function is called, as demonstrated by BackToFramedJpu, aka the "Travel Log Cross Domain Vulnerability."CAN-2003-1026ACCEPTED1Microsoft Windows 98Microsoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003Microsoft Data Access Compnents 2.8Christine WalzerINTERIMACCEPTEDBuffer overflow in a component of Microsoft Data Access Components (MDAC) 2.5 through 2.8 allows remote attackers to execute arbitrary code via a malformed UDP response to a broadcast request.CVE-2003-0903ACCEPTED1Microsoft Windows 2000Microsoft Internet Explorer 5.01 Service Pack 4Harvey RubinovitzDRAFTINTERIMThe legacy <script> data-island capability for XML in Microsoft Internet Explorer 5.01, 5.5, and 6.0 allows remote attackers to read arbitrary XML files, and portions of other files, via a URL whose "src" attribute redirects to a local file.CVE-2002-0648INTERIM0Microsoft Windows 2000Client Server Runtime System (CSRSS)Ingrid SkoogDRAFTINTERIMChristine WalzerAndrew ButtnerACCEPTEDThe Client Server Runtime System (CSRSS) process of Microsoft Windows 2000, Windows XP SP1 and SP2, and Windows Server 2003 allows local users to gain privileges via a specially-designed application.CAN-2005-0551ACCEPTED1Microsoft Windows 2000Local Security Authority Subsystem Service (LSASS)Christine WalzerDRAFTINTERIMACCEPTEDAndrew ButtnerINTERIMACCEPTEDLSASS (Local Security Authority Subsystem Service) of Windows 2000 Server and Windows Server 2003 does not properly validate connection information, which allows local users to gain privileges via a specially-designed programCAN-2004-0894ACCEPTED2Microsoft Windows XPWindows kernelChristine WalzerDRAFTINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDBuffer overflow in Windows Kernel allows local users to gain privileges by causing certain error messages to be passed to a debuggerCAN-2003-0112ACCEPTED2Microsoft Windows Server 2003Microsoft Internet Explorer 6Harvey RubinovitzDRAFTHarvey RubinovitzINTERIMBuffer overflow in the PNG image rendering component of Microsoft Internet Explorer allows remote attackers to execute arbitrary code via a crafted PNG file. CAN-2005-1211INTERIM0Microsoft Windows 2000Services for UNIXJonathan BakerDRAFTINTERIM** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.CAN-2005-1205INTERIM0Microsoft Windows 2000Microsoft Windows XPMicrosoft Internet Explorer 6 Service Pack 1Harvey RubinovitzDRAFTINTERIMACCEPTEDBuffer overflow in the URL processor of Microsoft Internet Explorer 5.01, 5.5, and 6 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a URL with a long hostname, aka "URL Parsing Memory Corruption Vulnerability."CAN-2005-0554ACCEPTED1Microsoft Windows 98Microsoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000Windows Script Engine for JScript v5.1Tiffany BergeronDavid ProulxINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDInteger overflow in JsArrayFunctionHeapSort function used by Windows Script Engine for JScript (JScript.dll) on various Windows operating system allows remote attackers to execute arbitrary code via a malicious web page or HTML e-mail that uses a large array index value that enables a heap-based buffer overflow attack.CAN-2003-0010ACCEPTED2Microsoft Windows 98Microsoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000Windows Script Engine for JScript v5.5Tiffany BergeronDavid ProulxINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDInteger overflow in JsArrayFunctionHeapSort function used by Windows Script Engine for JScript (JScript.dll) on various Windows operating system allows remote attackers to execute arbitrary code via a malicious web page or HTML e-mail that uses a large array index value that enables a heap-based buffer overflow attack.CAN-2003-0010ACCEPTED2Microsoft Windows NTMicrosoft ASN.1 LibraryAndrew ButtnerINTERIMACCEPTEDMultiple integer overflows in Microsoft ASN.1 library (MSASN1.DLL), as used in LSASS.EXE, CRYPT32.DLL, and other Microsoft executables and libraries on Windows NT 4.0, 2000, and XP, allow remote attackers to execute arbitrary code via ASN.1 BER encodings with (1) very large length fields that cause arbitrary heap data to be overwritten, or (2) modified bit strings.CAN-2003-0818ACCEPTED1Microsoft Windows XPMicrosoft ASN.1 LibraryAndrew ButtnerINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDMultiple integer overflows in Microsoft ASN.1 library (MSASN1.DLL), as used in LSASS.EXE, CRYPT32.DLL, and other Microsoft executables and libraries on Windows NT 4.0, 2000, and XP, allow remote attackers to execute arbitrary code via ASN.1 BER encodings with (1) very large length fields that cause arbitrary heap data to be overwritten, or (2) modified bit strings.CAN-2003-0818ACCEPTED2Microsoft Windows Server 2003Microsoft ASN.1 LibraryAndrew ButtnerINTERIMACCEPTEDMultiple integer overflows in Microsoft ASN.1 library (MSASN1.DLL), as used in LSASS.EXE, CRYPT32.DLL, and other Microsoft executables and libraries on Windows NT 4.0, 2000, and XP, allow remote attackers to execute arbitrary code via ASN.1 BER encodings with (1) very large length fields that cause arbitrary heap data to be overwritten, or (2) modified bit strings.CAN-2003-0818ACCEPTED1Microsoft Windows NTWindows Internet Naming Service (WINS)Andrew ButtnerINTERIMACCEPTEDThe Windows Internet Naming Service (WINS) for Microsoft Windows Server 2003, and possibly Windows NT and Server 2000, does not properly validate the length of certain packets, which allows attackers to cause a denial of service and possibly execute arbitrary code.CVE-2003-0825ACCEPTED1Microsoft Windows NTWindows Internet Naming Service (WINS)Andrew ButtnerINTERIMACCEPTEDThe Windows Internet Naming Service (WINS) for Microsoft Windows Server 2003, and possibly Windows NT and Server 2000, does not properly validate the length of certain packets, which allows attackers to cause a denial of service and possibly execute arbitrary code.CVE-2003-0825ACCEPTED1Microsoft Windows Server 2003Windows Internet Naming Service (WINS)Andrew ButtnerINTERIMACCEPTEDThe Windows Internet Naming Service (WINS) for Microsoft Windows Server 2003, and possibly Windows NT and Server 2000, does not properly validate the length of certain packets, which allows attackers to cause a denial of service and possibly execute arbitrary code.CVE-2003-0825ACCEPTED1Red Hat Linux 9PWLibJay BealeMatt BusbyACCEPTEDMultiple vulnerabilities in PWLib before 1.6.0 allow remote attackers to cause a denial of service and possibly execute arbitrary code, as demonstrated by the NISCC/OUSPG PROTOS test suite for the H.225 protocol.CAN-2004-0097ACCEPTED1Red Hat Linux 9netpbmJay BealeMatt BusbyACCEPTEDnetpbm 9.25 and earlier does not properly create temporary files, which allows local users to overwrite arbitrary files.CVE-2003-0924ACCEPTED1Microsoft Windows Server 2003Microsoft Internet Explorer 6 Service Pack 1 for Windows Server 2003Andrew ButtnerAndrew ButtnerINTERIMACCEPTEDHarvey RubinovitzINTERIMACCEPTEDInternet Explorer 5.01 through 6 SP1 allows remote attackers to bypass zone restrictions via a javascript protocol URL in a sub-frame, which is added to the history list and executed in the top window's zone when the history.back (back) function is called, as demonstrated by BackToFramedJpu, aka the "Travel Log Cross Domain Vulnerability."CAN-2003-1026ACCEPTED2Red Hat Linux 9XFree86Jay BealeMatt BusbyACCEPTEDBuffer overflow in ReadFontAlias from dirfile.c of XFree86 4.1.0 through 4.3.0 allows local users and remote attackers to execute arbitrary code via a font alias file (font.alias) with a long token, a different vulnerability than CAN-2004-0084 and CAN-2004-0106.CAN-2004-0083ACCEPTED1Red Hat Linux 9XFree86Jay BealeMatt BusbyACCEPTEDBuffer overflow in the ReadFontAlias function in XFree86 4.1.0 to 4.3.0, when using the CopyISOLatin1Lowered function, allows local or remote authenticated users to execute arbitrary code via a malformed entry in the font alias (font.alias) file, a different vulnerability than CAN-2004-0083 and CAN-2004-0106.CAN-2004-0084ACCEPTED1Red Hat Linux 9XFree86Jay BealeMatt BusbyACCEPTEDMultiple unknown vulnerabilities in XFree86 4.1.0 to 4.3.0, related to improper handling of font files, a different set of vulnerabilities than CAN-2004-0083 and CAN-2004-0084.CAN-2004-0106ACCEPTED1Red Hat Enterprise Linux 3netpbmJay BealeMatt BusbyACCEPTEDnetpbm 9.25 and earlier does not properly create temporary files, which allows local users to overwrite arbitrary files.CVE-2003-0924ACCEPTED1Red Hat Linux 9MuttJay BealeACCEPTEDBuffer overflow in the index menu code (menu_pad_string of menu.c) for Mutt 1.4.1 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via certain mail messages.CVE-2004-0078ACCEPTED1Red Hat Linux 9MailmanJay BealeACCEPTEDCross-site scripting (XSS) vulnerability in the admin CGI script for Mailman before 2.1.4 allows remote attackers to steal session cookies and conduct unauthorized activities.CAN-2003-0965ACCEPTED1Red Hat Linux 9MailmanJay BealeACCEPTEDCross-site scripting (XSS) vulnerability in the create CGI script for Mailman before 2.1.3 allows remote attackers to steal cookies of other users.CAN-2003-0992ACCEPTED1Red Hat Linux 9GaimJay BealeACCEPTEDMultiple buffer overflows in Gaim 0.75 and earlier, and Ultramagnetic before 0.81, allow remote attackers to cause a denial of service and possibly execute arbitrary code via (1) cookies in a Yahoo web connection, (2) a long name parameter in the Yahoo login web page, (3) a long value parameter in the Yahoo login page, (4) a YMSG packet, (5) the URL parser, and (6) HTTP proxy connect.CAN-2004-0006ACCEPTED1Red Hat Linux 9GaimJay BealeACCEPTEDBuffer overflow in the Extract Info Field Function for (1) MSN and (2) YMSG protocol handlers in Gaim 0.74 and earlier, and Ultramagnetic before 0.81, allows remote attackers to cause a denial of service and possibly execute arbitrary code.CAN-2004-0007ACCEPTED1Red Hat Linux 9GaimJay BealeACCEPTEDInteger overflow in Gaim 0.74 and earlier, and Ultramagnetic before 0.81, allows remote attackers to cause a denial of service and possibly execute arbitrary code via a directIM packet that triggers a heap-based buffer overflow.CAN-2004-0008ACCEPTED1Red Hat Linux 9slocateJay BealeMatt BusbyACCEPTEDHeap-based buffer overflow in main.c of slocate 2.6, and possibly other versions, may allow local users to gain privileges via a modified slocate database that causes a negative "pathlen" value to be used.CAN-2003-0848ACCEPTED1Red Hat Linux 9Midnight CommanderJay BealeMatt BusbyACCEPTEDStack-based buffer overflow in vfs_s_resolve_symlink of vfs/direntry.c for Midnight Commander (mc) 4.6.0 and earlier, and possibly later versions, allows remote attackers to execute arbitrary code during symlink conversion.CAN-2003-1023ACCEPTED1Red Hat Linux 9KDEJay BealeINTERIMACCEPTEDKonqueror in KDE 3.1.3 and earlier (kdelibs) allows remote attackers to bypass intended cookie access restrictions on a web application via "%2e%2e" (encoded dot dot) directory traversal sequences in a URL, which causes Konqueror to send the cookie outside the specified URL subsets, e.g. to a vulnerable application that runs on the same server as the target application.CAN-2003-0592ACCEPTED1Red Hat Enterprise Linux 3mremapJay BealeMatt BusbyACCEPTEDThe do_mremap function for the mremap system call in Linux 2.2 to 2.2.25, 2.4 to 2.4.24, and 2.6 to 2.6.2, does not properly check the return value from the do_munmap function when the maximum number of VMA descriptors is exceeded, which allows local users to gain root privileges, a different vulnerability than CAN-2003-0985.CVE-2004-0077ACCEPTED1Red Hat Enterprise Linux 3PWLibJay BealeMatt BusbyACCEPTEDMultiple vulnerabilities in PWLib before 1.6.0 allow remote attackers to cause a denial of service and possibly execute arbitrary code, as demonstrated by the NISCC/OUSPG PROTOS test suite for the H.225 protocol.CAN-2004-0097ACCEPTED1Red Hat Enterprise Linux 3Samba 3.0.0 and 3.0.1Jay BealeMatt BusbyACCEPTEDThe mksmbpasswd shell script (mksmbpasswd.sh) in Samba 3.0.0 and 3.0.1, when creating an account but marking it as disabled, may overwrite the user password with an uninitialized buffer, which could enable the account with a more easily guessable password.CVE-2004-0082ACCEPTED1Red Hat Linux 9mod_pythonJay BealeMatt BusbyACCEPTEDUnknown vulnerability in mod_python 3.0.x before 3.0.4, and 2.7.x before 2.7.9, allows remote attackers to cause a denial of service (httpd crash) via a certain query string.CAN-2003-0973ACCEPTED1Red Hat Enterprise Linux 3XFree86Jay BealeMatt BusbyMatt BusbyACCEPTEDBuffer overflow in ReadFontAlias from dirfile.c of XFree86 4.1.0 through 4.3.0 allows local users and remote attackers to execute arbitrary code via a font alias file (font.alias) with a long token, a different vulnerability than CAN-2004-0084 and CAN-2004-0106.CAN-2004-0083ACCEPTED1Red Hat Enterprise Linux 3XFree86Jay BealeMatt BusbyMatt BusbyACCEPTEDBuffer overflow in the ReadFontAlias function in XFree86 4.1.0 to 4.3.0, when using the CopyISOLatin1Lowered function, allows local or remote authenticated users to execute arbitrary code via a malformed entry in the font alias (font.alias) file, a different vulnerability than CAN-2004-0083 and CAN-2004-0106.CAN-2004-0084ACCEPTED1Red Hat Enterprise Linux 3XFree86Jay BealeMatt BusbyACCEPTEDMultiple unknown vulnerabilities in XFree86 4.1.0 to 4.3.0, related to improper handling of font files, a different set of vulnerabilities than CAN-2004-0083 and CAN-2004-0084.CAN-2004-0106ACCEPTED1Red Hat Enterprise Linux 3XMLSoft Libxml2Jay BealeMatt BusbyMatt BusbyINTERIMACCEPTEDBuffer overflow in the (1) nanohttp or (2) nanoftp modules in XMLSoft Libxml2 2.6.0 through 2.6.5 allow remote attackers to execute arbitrary code via a long URL.CAN-2004-0110ACCEPTED1Red Hat Linux 9Linux kernelJay BealeMatt BusbyACCEPTEDUnknown vulnerability in Linux kernel before 2.4.22 allows local users to gain privileges, related to "R128 DRI limits checking."CAN-2004-0003ACCEPTED1Red Hat Linux 9Linux kernelJay BealeMatt BusbyACCEPTEDStack-based buffer overflow in the ncp_lookup function for ncpfs in Linux kernel 2.4.x allows local users to gain privileges.CAN-2004-0010ACCEPTED1Red Hat Linux 9Vicam USB driverJay BealeMatt BusbyACCEPTEDThe Vicam USB driver in Linux before 2.4.25 does not use the copy_from_user function when copying data from userspace to kernel space, which crosses security boundaries and allows local users to cause a denial of service.CVE-2004-0075ACCEPTED1Red Hat Linux 9mremapJay BealeMatt BusbyACCEPTEDThe do_mremap function for the mremap system call in Linux 2.2 to 2.2.25, 2.4 to 2.4.24, and 2.6 to 2.6.2, does not properly check the return value from the do_munmap function when the maximum number of VMA descriptors is exceeded, which allows local users to gain root privileges, a different vulnerability than CAN-2003-0985.CVE-2004-0077ACCEPTED1Red Hat Enterprise Linux 3MuttJay BealeACCEPTEDMatt BusbyBuffer overflow in the index menu code (menu_pad_string of menu.c) for Mutt 1.4.1 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via certain mail messages.CVE-2004-0078ACCEPTED1Red Hat Linux 9mod_pythonJay BealeMatt BusbyACCEPTEDUnknown vulnerability in mod_python 3.0.x before 3.0.4, and 2.7.x before 2.7.9, allows remote attackers to cause a denial of service (httpd crash) via a certain query string.CAN-2003-0973ACCEPTED1Microsoft Windows 2000Windows Media ServicesTiffany BergeronINTERIMUnknown vulnerability in Windows Media Station Service and Windows Media Monitor Service components of Windows Media Services 4.1 allows remote attackers to cause a denial of service (disallowing new connections) via a certain sequence of TCP/IP packets.CVE-2003-0905INTERIM0Microsoft Windows 95Microsoft OutlookAndrew ButtnerINTERIMACCEPTEDJonathan BakerINTERIMACCEPTEDArgument injection vulnerability in Microsoft Outlook 2002 does not sufficiently filter parameters of mailto: URLs when using them as arguments when calling OUTLOOK.EXE, which allows remote attackers to use script code in the Local Machine zone and execute arbitrary programsCVE-2004-0121ACCEPTED2Microsoft Windows 95Microsoft Windows 98Microsoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003MSN MessengerChristine WalzerINTERIMAndrew ButtnerACCEPTEDMicrosoft MSN Messenger 6.0 and 6.1 does not properly handle certain requests, which allows remote attackers to read arbitrary files.CVE-2004-0122ACCEPTED1Red Hat Enterprise Linux 3gdk-pixbufJay BealeINTERIMMatt BusbyACCEPTEDgdk-pixbuf before 0.20 allows attackers to cause a denial of service (crash) via a malformed bitmap (BMP) file.CVE-2004-0111ACCEPTED1Red Hat Linux 9gdk-pixbufJay BealeINTERIMMatt BusbyACCEPTEDgdk-pixbuf before 0.20 allows attackers to cause a denial of service (crash) via a malformed bitmap (BMP) file.CVE-2004-0111ACCEPTED1Red Hat Linux 9tcpdumpJay BealeACCEPTEDtcpdump before 3.8.1 allows remote attackers to cause a denial of service (infinite loop) via certain ISAKMP packets, a different vulnerability than CAN-2004-0057.CAN-2003-0989ACCEPTED1Red Hat Linux 9sysstatJay BealeMatt BusbyINTERIMACCEPTEDThe (1) post and (2) trigger scripts in sysstat 4.0.7 and earlier allow local users to overwrite arbitrary files via symlink attacks on temporary files, a different vulnerability than CAN-2004-0108.CAN-2004-0107ACCEPTED1Red Hat Linux 9tcpdumpJay BealeACCEPTEDThe print_attr_string function in print-radius.c for tcpdump 3.8.1 and earlier allows remote attackers to cause a denial of service (segmentation fault) via a RADIUS attribute with a large length value.CAN-2004-0055ACCEPTED1Red Hat Linux 9tcpdumpJay BealeACCEPTEDThe rawprint function in the ISAKMP decoding routines (print-isakmp.c) for tcpdump 3.8.1 and earlier allows remote attackers to cause a denial of service (segmentation fault) via malformed ISAKMP packets that cause invalid "len" or "loc" values to be used in a loop, a different vulnerability than CAN-2003-0989.CAN-2004-0057ACCEPTED1Red Hat Enterprise Linux 3tcpdumpJay BealeACCEPTEDtcpdump before 3.8.1 allows remote attackers to cause a denial of service (infinite loop) via certain ISAKMP packets, a different vulnerability than CAN-2004-0057.CAN-2003-0989ACCEPTED1Red Hat Enterprise Linux 3tcpdumpJay BealeACCEPTEDThe print_attr_string function in print-radius.c for tcpdump 3.8.1 and earlier allows remote attackers to cause a denial of service (segmentation fault) via a RADIUS attribute with a large length value.CAN-2004-0055ACCEPTED1Red Hat Enterprise Linux 3tcpdumpJay BealeACCEPTEDMatt BusbyThe rawprint function in the ISAKMP decoding routines (print-isakmp.c) for tcpdump 3.8.1 and earlier allows remote attackers to cause a denial of service (segmentation fault) via malformed ISAKMP packets that cause invalid "len" or "loc" values to be used in a loop, a different vulnerability than CAN-2003-0989.CAN-2004-0057ACCEPTED1Red Hat Linux 9CVS serverJay BealeMatt BusbyACCEPTEDCVS server before 1.11.10 may allow attackers to cause the CVS server to create directories and files in the file system root directory via malformed module requests.CAN-2003-0977ACCEPTED1Red Hat Linux 9EtherealJay BealeMatt BusbyACCEPTEDThe SMB dissector in Ethereal before 0.10.0 allows remote attackers to cause a denial of service via a malformed SMB packet that triggers a segmentation fault during processing of Selected packets.CAN-2003-1012ACCEPTED1Red Hat Linux 9TetherealJay BealeMatt BusbyACCEPTEDThe Q.931 dissector in Ethereal before 0.10.0, and Tethereal, allows remote attackers to cause a denial of service (crash) via a malformed Q.931, which triggers a null dereference.CAN-2003-1013ACCEPTED1Red Hat Linux 9KDE Personal Information Management (kdepim)Jay BealeACCEPTEDBuffer overflow in the VCF file information reader for KDE Personal Information Management (kdepim) suite in KDE 3.1.0 through 3.1.4 allows attackers to execute arbitrary code via a VCF file.CVE-2003-0988ACCEPTED1Red Hat Linux 9Linux kernelJay BealeMatt BusbyACCEPTEDReal time clock (RTC) routines in Linux kernel 2.4.23 and earlier do not properly initialize their structures, which could leak kernel data to user space.CAN-2003-0984ACCEPTED1Red Hat Linux 9Linux kernelJay BealeMatt BusbyACCEPTEDThe mremap system call (do_mremap) in Linux kernel 2.4.x before 2.4.21 does not properly perform bounds checks, which allows local users to cause a denial of service and possibly gain privileges by causing a remapping of a virtual memory area (VMA) to create a zero length VMA, a different vulnerability than CAN-2004-0077.CVE-2003-0985ACCEPTED1Red Hat Enterprise Linux 3nfs-utils packagesJay BealeMatt BusbyMatt BusbyINTERIMACCEPTEDrpc.mountd in nfs-utils after 1.0.3 and before 1.0.6 allows attackers to cause a denial of service (crash) via an NFS mount of a directory from a client whose reverse DNS lookup name is different from the forward lookup name.CAN-2004-0154ACCEPTED1Red Hat Enterprise Linux 3SysstatJay BealeMatt BusbyMatt BusbyINTERIMACCEPTEDThe (1) post and (2) trigger scripts in sysstat 4.0.7 and earlier allow local users to overwrite arbitrary files via symlink attacks on temporary files, a different vulnerability than CAN-2004-0108.CAN-2004-0107ACCEPTED1Red Hat Linux 9httpdJay BealeMatt BusbyINTERIMACCEPTEDMultiple stack-based buffer overflows in (1) mod_alias and (2) mod_rewrite for Apache before 1.3.29 allow attackers to create configuration files to cause a denial of service (crash) or execute arbitrary code via a regular expression with more than 9 captures.CAN-2003-0542ACCEPTED1Red Hat Enterprise Linux 3ApacheJay BealeMatt BusbyINTERIMACCEPTEDMultiple stack-based buffer overflows in (1) mod_alias and (2) mod_rewrite for Apache before 1.3.29 allow attackers to create configuration files to cause a denial of service (crash) or execute arbitrary code via a regular expression with more than 9 captures.CAN-2003-0542ACCEPTED1Red Hat Enterprise Linux 3KDE Personal Information Management (kdepim)Jay BealeINTERIMMatt BusbyACCEPTEDBuffer overflow in the VCF file information reader for KDE Personal Information Management (kdepim) suite in KDE 3.1.0 through 3.1.4 allows attackers to execute arbitrary code via a VCF file.CVE-2003-0988ACCEPTED1Red Hat Enterprise Linux 3CVS serverJay BealeMatt BusbyINTERIMACCEPTEDCVS server before 1.11.10 may allow attackers to cause the CVS server to create directories and files in the file system root directory via malformed module requests.CAN-2003-0977ACCEPTED1Red Hat Enterprise Linux 3Linux kernelMatt BusbyMatt BusbyINTERIMACCEPTEDThe mremap system call (do_mremap) in Linux kernel 2.4.x before 2.4.21 does not properly perform bounds checks, which allows local users to cause a denial of service and possibly gain privileges by causing a remapping of a virtual memory area (VMA) to create a zero length VMA, a different vulnerability than CAN-2004-0077.CVE-2003-0985ACCEPTED1Red Hat Enterprise Linux 3Linux kernelMatt BusbyMatt BusbyINTERIMACCEPTEDUnknown vulnerability in the eflags checking in the 32-bit ptrace emulation for the Linux kernel on AMD64 systems allows local users to gain privileges.CVE-2004-0001ACCEPTED1Red Hat Enterprise Linux 3Net-SNMPMatt BusbyMatt BusbyINTERIMACCEPTEDNet-SNMP before 5.0.9 allows a user or community to access data in MIB objects, even if that data is not allowed to be viewed.CAN-2003-0935ACCEPTED1Red Hat Enterprise Linux 3OpenSSLMatt BusbyMatt BusbyMatt BusbyINTERIMACCEPTEDThe do_change_cipher_spec function in OpenSSL 0.9.6c to 0.9.6k, and 0.9.7a to 0.9.7c, allows remote attackers to cause a denial of service (crash) via a crafted SSL/TLS handshake that triggers a null dereference.CAN-2004-0079ACCEPTED1Red Hat Enterprise Linux 3OpenSSLMatt BusbyMatt BusbyMatt BusbyINTERIMACCEPTEDOpenSSL 0.9.6 before 0.9.6d does not properly handle unknown message types, which allows remote attackers to cause a denial of service (infinite loop), as demonstrated using the Codenomicon TLS Test Tool.CAN-2004-0081ACCEPTED1Red Hat Linux 9mozillaJay BealeINTERIMACCEPTEDMultiple vulnerabilities in multiple vendor implementations of the Secure/Multipurpose Internet Mail Extensions (S/MIME) protocol allow remote attackers to cause a denial of service and possibly execute arbitrary code via an S/MIME email message containing certain unexpected ASN.1 constructs, as demonstrated using the NISSC test suite.CAN-2003-0564ACCEPTED1Red Hat Linux 9mozillaJay BealeINTERIMACCEPTEDMozilla allows remote attackers to bypass intended cookie access restrictions on a web application via "%2e%2e" (encoded dot dot) directory traversal sequences in a URL, which causes Mozilla to send the cookie outside the specified URL subsets, e.g. to a vulnerable application that runs on the same server as the target application.CAN-2003-0594ACCEPTED1Red Hat Linux 9mozillaJay BealeINTERIMACCEPTEDMozilla before 1.4.2 executes Javascript events in the context of a new page while it is being loaded, allowing it to interact with the previous page (zombie document) and enable cross-domain and cross-site scripting (XSS) attacks, as demonstrated using onmousemove events.CVE-2004-0191ACCEPTED1Red Hat Enterprise Linux 3libxml2Jay BealeJay BealeINTERIMACCEPTEDBuffer overflow in the (1) nanohttp or (2) nanoftp modules in XMLSoft Libxml2 2.6.0 through 2.6.5 allow remote attackers to execute arbitrary code via a long URL.CAN-2004-0110ACCEPTED1Red Hat Enterprise Linux 3httpdJay BealeJay BealeINTERIMACCEPTEDMemory leak in ssl_engine_io.c for mod_ssl in Apache 2 before 2.0.49 allows remote attackers to cause a denial of service (memory consumption) via plain HTTP requests to the SSL port of an SSL-enabled server.CVE-2004-0113ACCEPTED1Red Hat Linux 9Red Hat 9Jay BealeINTERIMACCEPTEDThe "%xx" URL decoding function in Squid 2.5STABLE4 and earlier allows remote attackers to bypass url_regex ACLs via a URL with a NULL ("%00") characterm, which causes Squid to use only a portion of the requested URL when comparing it against the access control lists.CVE-2004-0189ACCEPTED1Red Hat Linux 9Red Hat 9Jay BealeJay BealeINTERIMACCEPTEDMultiple buffer overflows in Ethereal 0.8.13 to 0.10.2 allow remote attackers to cause a denial of service and possibly execute arbitrary code via the (1) NetFlow, (2) IGAP, (3) EIGRP, (4) PGM, (5) IrDA, (6) BGP, (7) ISUP, or (8) TCAP dissectors.CAN-2004-0176ACCEPTED1Red Hat Linux 9Red Hat 9Jay BealeJay BealeINTERIMACCEPTEDThe dissect_attribute_value_pairs function in packet-radius.c for Ethereal 0.8.13 to 0.10.2 allows remote attackers to cause a denial of service (crash) via a malformed RADIUS packet that triggers a null dereference.CAN-2004-0365ACCEPTED1Red Hat Linux 9Red Hat 9Jay BealeJay BealeINTERIMACCEPTEDEthereal 0.10.1 to 0.10.2 allows remote attackers to cause a denial of service (crash) via a zero-length Presentation protocol selector.CAN-2004-0367ACCEPTED1Microsoft Windows 98Microsoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000Microsoft Outlook ExpressAndrew ButtnerINTERIMACCEPTEDThe MHTML protocol handler in Microsoft Outlook Express 5.5 SP2 through Outlook Express 6 SP1 allows remote attackers to bypass domain restrictions and execute arbitrary code, as demonstrated on Internet Explorer using script in a compiled help (CHM) file that references the InfoTech Storage (ITS) protocol handlers such as (1) ms-its, (2) ms-itss, (3) its, or (4) mk:@MSITStore, aka the "MHTML URL Processing Vulnerability."CAN-2004-0380ACCEPTED1Microsoft Windows 2000Local Security Authority Subsystem Service (LSASS)Tiffany BergeronINTERIMACCEPTEDStack-based buffer overflow in certain Active Directory service functions in LSASRV.DLL of the Local Security Authority Subsystem Service (LSASS) in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, XP SP1, Server 2003, NetMeeting, Windows 98, and Windows ME, allows remote attackers to execute arbitrary code via a packet that causes the DsRolerUpgradeDownlevelServer function to create long debug entries for the DCPROMO.LOG log file, as exploited by the Sasser worm.CAN-2003-0533ACCEPTED1Microsoft Windows Server 2003Secure Sockets Layer (SSL)David ProulxINTERIMACCEPTEDThe Microsoft Secure Sockets Layer (SSL) library, as used in Windows 2000, Windows XP, and Windows Server 2003, allows remote attackers to cause a denial of service via malformed SSL messages.CAN-2004-0120ACCEPTED1Microsoft Windows XPSecure Sockets Layer (SSL)David ProulxINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDThe Microsoft Secure Sockets Layer (SSL) library, as used in Windows 2000, Windows XP, and Windows Server 2003, allows remote attackers to cause a denial of service via malformed SSL messages.CAN-2004-0120ACCEPTED2Red Hat Enterprise Linux 3Red Hat Enteprise Linux 3Jay BealeJay BealeJay BealeINTERIMACCEPTEDMultiple buffer overflows in Ethereal 0.8.13 to 0.10.2 allow remote attackers to cause a denial of service and possibly execute arbitrary code via the (1) NetFlow, (2) IGAP, (3) EIGRP, (4) PGM, (5) IrDA, (6) BGP, (7) ISUP, or (8) TCAP dissectors.CAN-2004-0176ACCEPTED1Microsoft Windows XPPrivate Communications Transport (PCT)Andrew ButtnerINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDBuffer overflow in the Private Communications Transport (PCT) protocol implementation in the Microsoft SSL library, as used in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, XP SP1, Server 2003, NetMeeting, Windows 98, and Windows ME, allows remote attackers to execute arbitrary code via PCT 1.0 handshake packets.CAN-2003-0719ACCEPTED2Microsoft Windows 2000Local Descriptor Table (LDT)Jonathan BakerINTERIMACCEPTEDThe NtSetLdtEntries function in the programming interface for the Local Descriptor Table (LDT) in Windows NT 4.0 and Windows 2000 allows local attackers to gain access to kernel memory and execute arbitrary code via an expand-down data segment descriptor descriptor that points to protected memory.CAN-2003-0910ACCEPTED1Red Hat Enterprise Linux 3Red Hat Enteprise Linux 3Jay BealeJay BealeJay BealeINTERIMACCEPTEDThe dissect_attribute_value_pairs function in packet-radius.c for Ethereal 0.8.13 to 0.10.2 allows remote attackers to cause a denial of service (crash) via a malformed RADIUS packet that triggers a null dereference.CAN-2004-0365ACCEPTED1Microsoft Windows 2000Secure Sockets Layer (SSL)David ProulxINTERIMACCEPTEDThe Microsoft Secure Sockets Layer (SSL) library, as used in Windows 2000, Windows XP, and Windows Server 2003, allows remote attackers to cause a denial of service via malformed SSL messages.CAN-2004-0120ACCEPTED1Microsoft Windows 2000Remote Procedure Call (RPC)Christine WalzerINTERIMACCEPTEDA multi-threaded race condition in the Windows RPC DCOM functionality with the MS03-039 patch installed allows remote attackers to cause a denial of service (crash or reboot) by causing two threads to process the same RPC request, which causes one thread to use memory after it has been freed, a different vulnerability than CAN-2003-0352 (Blaster/Nachi), CAN-2003-0715, and CAN-2003-0528, and as demonstrated by certain exploits against those vulnerabilities.CAN-2003-0813ACCEPTED1Microsoft Windows Server 2003Remote Procedure Call (RPC)Christine WalzerA multi-threaded race condition in the Windows RPC DCOM functionality with the MS03-039 patch installed allows remote attackers to cause a denial of service (crash or reboot) by causing two threads to process the same RPC request, which causes one thread to use memory after it has been freed, a different vulnerability than CAN-2003-0352 (Blaster/Nachi), CAN-2003-0715, and CAN-2003-0528, and as demonstrated by certain exploits against those vulnerabilities.CAN-2003-0813DRAFT0Microsoft Windows NTWindows logon process (winlogon)Andrew ButtnerINTERIMACCEPTEDBuffer overflow in the Windows logon process (winlogon) in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, and XP SP1, when a member of a domain, allows remote attackers to execute arbitrary code.CAN-2003-0806ACCEPTED1Microsoft Windows 2000Windows logon process (winlogon)Andrew ButtnerINTERIMACCEPTEDBuffer overflow in the Windows logon process (winlogon) in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, and XP SP1, when a member of a domain, allows remote attackers to execute arbitrary code.CAN-2003-0806ACCEPTED1Microsoft Windows NTEnhanced Metafile (EMF)Windows Metafile (WMF)Andrew ButtnerINTERIMACCEPTEDBuffer overflow in the rendering for (1) Windows Metafile (WMF) or (2) Enhanced Metafile (EMF) image formats in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, and XP SP1allows remote attackers to execute arbitrary code via a malformed WNF or EMF image.CAN-2003-0906ACCEPTED1Microsoft Windows XPLocal Security Authority Subsystem Service (LSASS)Andrew ButtnerINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDStack-based buffer overflow in certain Active Directory service functions in LSASRV.DLL of the Local Security Authority Subsystem Service (LSASS) in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, XP SP1, Server 2003, NetMeeting, Windows 98, and Windows ME, allows remote attackers to execute arbitrary code via a packet that causes the DsRolerUpgradeDownlevelServer function to create long debug entries for the DCPROMO.LOG log file, as exploited by the Sasser worm.CAN-2003-0533ACCEPTED2Microsoft Windows XPRemote Procedure Call (RPC)Christine WalzerINTERIMACCEPTEDA multi-threaded race condition in the Windows RPC DCOM functionality with the MS03-039 patch installed allows remote attackers to cause a denial of service (crash or reboot) by causing two threads to process the same RPC request, which causes one thread to use memory after it has been freed, a different vulnerability than CAN-2003-0352 (Blaster/Nachi), CAN-2003-0715, and CAN-2003-0528, and as demonstrated by certain exploits against those vulnerabilities.CAN-2003-0813ACCEPTED1Microsoft Windows Server 2003COM Internet ServicesChristine WalzerChristine WalzerDRAFTINTERIMACCEPTEDWindows 2000, XP, and Server 2003 does not properly "validate the use of memory regions" for COM structured storage files, which allows attackers to execute arbitrary code, aka the "COM Structured Storage Vulnerability."CAN-2005-0047ACCEPTED1Red Hat Linux 9OpenSSLMatt BusbyMatt BusbyINTERIMACCEPTEDOpenSSL 0.9.6 before 0.9.6d does not properly handle unknown message types, which allows remote attackers to cause a denial of service (infinite loop), as demonstrated using the Codenomicon TLS Test Tool.CAN-2004-0081ACCEPTED1Microsoft Windows NTPrivate Communications Transport (PCT)Andrew ButtnerINTERIMACCEPTEDBuffer overflow in the Private Communications Transport (PCT) protocol implementation in the Microsoft SSL library, as used in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, XP SP1, Server 2003, NetMeeting, Windows 98, and Windows ME, allows remote attackers to execute arbitrary code via PCT 1.0 handshake packets.CAN-2003-0719ACCEPTED1Microsoft Windows Server 2003Help and Support Center (HSC)Harvey RubinovitzHarvey RubinovitzINTERIMACCEPTEDHelp and Support Center in Microsoft Windows XP SP1 does not properly validate HCP URLs, which allows remote attackers to execute arbitrary code via quotation marks in an hcp:// URL, which are not quoted when constructing the argument list to HelpCtr.exe.CAN-2003-0907ACCEPTED1Red Hat Enterprise Linux 3Red Hat Enteprise Linux 3Jay BealeJay BealeJay BealeINTERIMACCEPTEDEthereal 0.10.1 to 0.10.2 allows remote attackers to cause a denial of service (crash) via a zero-length Presentation protocol selector.CAN-2004-0367ACCEPTED1Microsoft Windows Server 2003Microsoft AgentHarvey RubinovitzDRAFTHarvey RubinovitzINTERIMMicrosoft Agent allows remote attackers to spoof trusted Internet content and execute arbitrary code by disguising security prompts on a malicious Web page. CAN-2005-1214INTERIM0Microsoft Windows 2000H.323Jonathan BakerINTERIMACCEPTEDUnknown vulnerability in the H.323 protocol implementation in Windows 98, Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code.CAN-2004-0117ACCEPTED1Microsoft Windows NTIIS 4.0Christine WalzerINTERIMACCEPTEDIIS 5.0 uses relative paths to find system files that will run in-process, which allows local users to gain privileges via a Trojan horse file, aka the "System file listing privilege elevation" vulnerability.CVE-2001-0507ACCEPTED1Microsoft Windows NTLocal Descriptor Table (LDT)Jonathan BakerINTERIMACCEPTEDThe NtSetLdtEntries function in the programming interface for the Local Descriptor Table (LDT) in Windows NT 4.0 and Windows 2000 allows local attackers to gain access to kernel memory and execute arbitrary code via an expand-down data segment descriptor descriptor that points to protected memory.CAN-2003-0910ACCEPTED1Microsoft Windows 2000IIS 5.0Christine WalzerINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDIIS 5.0 uses relative paths to find system files that will run in-process, which allows local users to gain privileges via a Trojan horse file, aka the "System file listing privilege elevation" vulnerabilityCVE-2001-0507ACCEPTED2Microsoft Windows NTIIS 4.0Christine WalzerINTERIMACCEPTEDIn IIS, remote attackers can obtain source code for ASP files by appending "::$DATA" to the URL.CVE-1999-0278ACCEPTED1Red Hat Enterprise Linux 3Red Hat Enteprise Linux 3Jay BealeINTERIMJay BealeACCEPTEDMultiple vulnerabilities in multiple vendor implementations of the Secure/Multipurpose Internet Mail Extensions (S/MIME) protocol allow remote attackers to cause a denial of service and possibly execute arbitrary code via an S/MIME email message containing certain unexpected ASN.1 constructs, as demonstrated using the NISSC test suite.CAN-2003-0564ACCEPTED1Microsoft Windows NTIIS 4.0Christine WalzerINTERIMACCEPTEDBuffer overflow in IIS 4.0 allows remote attackers to cause a denial of service via a malformed request for files with .HTR, .IDC, or .STM extensions.CVE-1999-0874ACCEPTED1Microsoft Windows 2000Microsoft Windows Server 2003Microsoft Exchange Server 2003Charles SchmidtDRAFTINTERIMACCEPTEDIIS HTTP service uses Integrated Windows authentication.2.1.4ACCEPTED1Corresponds to item 2.1.4 in the Exchange 2003 BenchmarkRed Hat Enterprise Linux 3Red Hat Enteprise Linux 3Jay BealeINTERIMJay BealeACCEPTEDMozilla allows remote attackers to bypass intended cookie access restrictions on a web application via "%2e%2e" (encoded dot dot) directory traversal sequences in a URL, which causes Mozilla to send the cookie outside the specified URL subsets, e.g. to a vulnerable application that runs on the same server as the target application.CAN-2003-0594ACCEPTED1Microsoft Windows Server 2003Local Security Authority Subsystem Service (LSASS)Andrew ButtnerINTERIMACCEPTEDStack-based buffer overflow in certain Active Directory service functions in LSASRV.DLL of the Local Security Authority Subsystem Service (LSASS) in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, XP SP1, Server 2003, NetMeeting, Windows 98, and Windows ME, allows remote attackers to execute arbitrary code via a packet that causes the DsRolerUpgradeDownlevelServer function to create long debug entries for the DCPROMO.LOG log file, as exploited by the Sasser worm.CAN-2003-0533ACCEPTED1Microsoft Windows 98Microsoft Windows NTMicrosoft Windows 2000Internet Explorer 5.5, Internet Explorer 5.5 Service Pack 1Tiffany BergeronINTERIMACCEPTEDInternet Explorer 5.5 and earlier allows remote attackers to obtain the physical location of cached content and open the content in the Local Computer Zone, then use compiled HTML help (.chm) files to execute arbitrary programs.CVE-2001-0002ACCEPTED1Microsoft Windows 98Microsoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPInternet Explorer 6Tiffany BergeronINTERIMACCEPTEDINTERIMHarvey RubinovitzACCEPTEDInternet Explorer 6.0 allows remote attackers to execute arbitrary code by modifying the Content-Disposition and Content-Type header fields in a way that causes Internet Explorer to believe that the file is safe to open without prompting the user, aka the "File Execution Vulnerability."CVE-2001-0727ACCEPTED2Microsoft Windows 98Microsoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000Internet Explorer 5.5Tiffany BergeronINTERIMACCEPTEDINTERIMHarvey RubinovitzACCEPTEDBuffer overflow in Microsoft Internet Explorer 5.01, 5.5, and 6.0 allows remote attackers to execute arbitrary code via / (slash) characters in the Type property of an Object tag in a web page.CAN-2003-0344ACCEPTED2Microsoft Windows 98Microsoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPInternet Explorer 6Tiffany BergeronINTERIMACCEPTEDINTERIMHarvey RubinovitzACCEPTEDMicrosoft Internet Explorer 5.01, 5.5 and 6.0 allows remote attackers to execute arbitrary code under fewer security restrictions via a malformed web page that requires NetBIOS connectivity, aka "Zone Spoofing through Malformed Web Page" vulnerability.CVE-2002-0190ACCEPTED2Microsoft Windows Server 2003Microsoft ASN.1 LibraryDavid ProulxINTERIMACCEPTEDDouble-free vulnerability in the ASN.1 library as used in Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003, allows remote attackers to cause a denial of service and possibly execute arbitrary code.CAN-2004-0123ACCEPTED1Microsoft Windows 98Microsoft Windows NTMicrosoft Windows 2000Microsoft Windows XPInternet Explorer 6Tiffany BergeronINTERIMACCEPTEDINTERIMHarvey RubinovitzACCEPTEDBuffer overflow in the implementation of an HTML directive in mshtml.dll in Internet Explorer 5.5 and 6.0 allows remote attackers to execute arbitrary code via a web page that specifies embedded ActiveX controls in a way that causes 2 Unicode strings to be concatenated.CVE-2002-0022ACCEPTED2Microsoft Windows 98Microsoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003Internet Explorer 5.5Tiffany BergeronINTERIMACCEPTEDINTERIMHarvey RubinovitzACCEPTEDBuffer overflow in URLMON.DLL in Microsoft Internet Explorer 5.01, 5.5 and 6.0 allows remote attackers to execute arbitrary code via an HTTP response containing long values in (1) Content-type and (2) Content-encoding fields.CAN-2003-0113ACCEPTED2Microsoft Windows 2000IIS 5.0Christine WalzerINTERIMACCEPTEDIIS 5.0 allows remote attackers to obtain source code for .ASP files and other scripts via an HTTP GET request with a "Translate: f" header, aka the "Specialized Header" vulnerability.CVE-2000-0778ACCEPTED1Red Hat Enterprise Linux 3OpenSSLMatt BusbyMatt BusbyINTERIMACCEPTEDThe SSL/TLS handshaking code in OpenSSL 0.9.7a, 0.9.7b, and 0.9.7c, when using Kerberos ciphersuites, does not properly check the length of Kerberos tickets during a handshake, which allows remote attackers to cause a denial of service (crash) via a crafted SSL/TLS handshake that causes an out-of-bounds read.CAN-2004-0112ACCEPTED1Microsoft Windows NTIIS 4.0Christine WalzerINTERIMACCEPTEDUnknown vulnerability in the hosting process (dllhost.exe) for Microsoft Internet Information Server (IIS) 4.0 through 5.1 allows remote attackers to gain privileges by executing an out of process application that acquires LocalSystem privileges, aka "Out of Process Privilege Elevation."CAN-2002-0869ACCEPTED1Microsoft Windows 2000IIS 5.0Christine WalzerINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDUnknown vulnerability in the hosting process (dllhost.exe) for Microsoft Internet Information Server (IIS) 4.0 through 5.1 allows remote attackers to gain privileges by executing an out of process application that acquires LocalSystem privileges, aka "Out of Process Privilege Elevation."CAN-2002-0869ACCEPTED2Microsoft Windows 2000IIS 5.0Christine WalzerINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDA typographical error in the script source access permissions for Internet Information Server (IIS) 5.0 does not properly exclude .COM files, which allows attackers with only write permissions to upload malicious .COM files, aka "Script Source Access Vulnerability."CVE-2002-1180ACCEPTED2Microsoft Windows NTIIS 4.0Christine WalzerINTERIMACCEPTEDThe showcode.asp sample file in IIS and Site Server allows remote attackers to read arbitrary files.CAN-1999-0736ACCEPTED1Microsoft Windows 2000IIS 5.0Christine WalzerINTERIMACCEPTEDMicrosoft Internet Information Services (IIS) 5.0 and 5.1 allows remote attackers to cause a denial of service via a long WebDAV request with a (1) PROPFIND or (2) SEARCH method, which generates an error condition that is not properly handled.CAN-2003-0226ACCEPTED1Microsoft Windows 2000Microsoft Windows Server 2003Microsoft Exchange Server 2003Charles SchmidtDRAFTINTERIMACCEPTEDReview block-list Exception list entries1.2.3ACCEPTED1Microsoft Windows 2000IIS 5.0Christine WalzerINTERIMACCEPTEDThe logging capability for unicast and multicast transmissions in the ISAPI extension for Microsoft Windows Media Services in Microsoft Windows NT 4.0 and 2000, nsiislog.dll, allows remote attackers to cause a denial of service in Internet Information Server (IIS) and execute arbitrary code via a certain network request.CAN-2003-0227ACCEPTED1Red Hat Enterprise Linux 3Red Hat Enteprise Linux 3Jay BealeINTERIMJay BealeACCEPTEDMozilla before 1.4.2 executes Javascript events in the context of a new page while it is being loaded, allowing it to interact with the previous page (zombie document) and enable cross-domain and cross-site scripting (XSS) attacks, as demonstrated using onmousemove events.CVE-2004-0191ACCEPTED1Microsoft Windows 2000IIS 5.0Christine WalzerINTERIMACCEPTEDBuffer overflow in the streaming media component for logging multicast requests in the ISAPI for the logging capability of Microsoft Windows Media Services (nsiislog.dll), as installed in IIS 5.0, allows remote attackers to execute arbitrary code via a large POST request to nsiislog.dll.CAN-2003-0349ACCEPTED1Red Hat Enterprise Linux 3Red Hat Enteprise Linux 3Jay BealeINTERIMACCEPTEDInteger overflow in the ip_setsockopt function in Linux kernel 2.4.22 through 2.4.25 and 2.6.1 through 2.6.3 allows local users to cause a denial of service (crash) or executee arbitrary code via the MCAST_MSFILTER socket option.CAN-2004-0424ACCEPTED1Red Hat Enterprise Linux 3Red Hat Enteprise Linux 3Jay BealeINTERIMACCEPTEDBuffer overflow in the ISO9660 file system component for Linux kernel 2.4.x, 2.5.x and 2.6.x , allows local users with physical access to overflow kernel memory and execute arbitrary code via a malformed CD containing a long symbolic link entry.CAN-2004-0109ACCEPTED1Red Hat Enterprise Linux 3Red Hat Enteprise Linux 3Jay BealeINTERIMACCEPTEDThe "%xx" URL decoding function in Squid 2.5STABLE4 and earlier allows remote attackers to bypass url_regex ACLs via a URL with a NULL ("%00") characterm, which causes Squid to use only a portion of the requested URL when comparing it against the access control lists.CVE-2004-0189ACCEPTED1Microsoft Windows 2000IIS 5.0Christine WalzerINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDMultiple cross-site scripting (XSS) vulnerabilities in the administrative web pages for Microsoft Internet Information Server (IIS) 4.0 through 5.1 allow remote attackers to execute HTML script as other users through (1) a certain ASP file in the IISHELP virtual directory, or (2) possibly other unknown attack vectorsCAN-2002-1181ACCEPTED2Microsoft Windows NTIIS 4.0Christine WalzerINTERIMACCEPTEDMultiple cross-site scripting (XSS) vulnerabilities in the administrative web pages for Microsoft Internet Information Server (IIS) 4.0 through 5.1 allow remote attackers to execute HTML script as other users through (1) a certain ASP file in the IISHELP virtual directory, or (2) possibly other unknown attack vectors.CAN-2002-1181ACCEPTED1Red Hat Enterprise Linux 3Red Hat Enteprise Linux 3Jay BealeINTERIMACCEPTEDThe KAME IKE Daemon Racoon, when authenticating a peer during Phase 1, validates the X.509 certificate but does not verify the RSA signature authentication, which allows remote attackers to establish unauthorized IP connections or conduct man-in-the-middle attacks using a valid, trusted X.509 certificate.CAN-2004-0155ACCEPTED1Microsoft Windows Server 2003H.323Jonathan BakerINTERIMACCEPTEDUnknown vulnerability in the H.323 protocol implementation in Windows 98, Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code.CAN-2004-0117ACCEPTED1Red Hat Enterprise Linux 3Red Hat Enteprise Linux 3Jay BealeINTERIMACCEPTEDKAME IKE daemon (racoon) does not properly handle hash values, which allows remote attackers to delete certificates via (1) a certain delete message that is not properly handled in isakmp.c or isakmp_inf.c, or (2) a certain INITIAL-CONTACT message that is not properly handled in isakmp_inf.c.CAN-2004-0164ACCEPTED1Microsoft Windows 98Microsoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000Internet Explorer 5.5Tiffany BergeronINTERIMACCEPTEDINTERIMHarvey RubinovitzACCEPTEDInternet Explorer 5.01, 5.5, and 6.0 allows remote attackers to bypass security zone restrictions and execute arbitrary programs via a web document with a large number of duplicate file:// or other requests that point to the program and open multiple file download dialogs, which eventually cause Internet Explorer to execute the program, as demonstrated using a large number of FRAME or IFRAME tags, aka the "File Download Dialog Vulnerability."CAN-2003-0309ACCEPTED2Microsoft Windows 2000Private Communications Transport (PCT)Andrew ButtnerINTERIMACCEPTEDBuffer overflow in the Private Communications Transport (PCT) protocol implementation in the Microsoft SSL library, as used in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, XP SP1, Server 2003, NetMeeting, Windows 98, and Windows ME, allows remote attackers to execute arbitrary code via PCT 1.0 handshake packets.CAN-2003-0719ACCEPTED1Microsoft Windows NTSNMPChristine WalzerINTERIMACCEPTEDAndrew ButtnerINTERIMACCEPTEDMemory leak in SNMP agent in Windows NT 4.0 before SP5 allows remote attackers to conduct a denial of service (memory exhaustion) via a large number of queries.CVE-1999-0815ACCEPTED2Red Hat Enterprise Linux 3Red Hat Enteprise Linux 3Jay BealeINTERIMACCEPTEDThe URI handlers in Konqueror for KDE 3.2.2 and earlier do not properly filter "-" characters that begin a hostname in a (1) telnet, (2) rlogin, (3) ssh, or (4) mailto URI, which allows remote attackers to manipulate the options that are passed to the associated programs, possibly to read arbitrary files or execute arbitrary code.CAN-2004-0411ACCEPTED1Microsoft Windows 2000Remote Procedure Call (RPC)Christine WalzerINTERIMACCEPTEDAn Activation function in the RPCSS Service involved with DCOM activation for Microsoft Windows 2000, XP, and 2003 allows remote attackers to cause a denial of service (memory consumption) via an activation request with a large length field.CAN-2004-0116ACCEPTED1Microsoft Windows NTHTML Help FacilityAndrew ButtnerINTERIMACCEPTEDHarvey RubinovitzINTERIMACCEPTEDInternet Explorer 5.x and 6.0 allows remote attackers to execute arbitrary programs via a modified directory traversal attack using a URL containing ".." (dot dot) sequences and a filename that ends in "::" which is treated as a .chm file even if it does not have a .chm extension. NOTE: this bug may overlap CAN-2004-0475.CAN-2003-1041ACCEPTED1Microsoft Windows Server 2003Remote Procedure Call (RPC)Christine WalzerAn Activation function in the RPCSS Service involved with DCOM activation for Microsoft Windows 2000, XP, and 2003 allows remote attackers to cause a denial of service (memory consumption) via an activation request with a large length field.CAN-2004-0116DRAFT0Microsoft Windows XPRemote Procedure Call (RPC)Christine WalzerINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDAn Activation function in the RPCSS Service involved with DCOM activation for Microsoft Windows 2000, XP, and 2003 allows remote attackers to cause a denial of service (memory consumption) via an activation request with a large length field.CAN-2004-0116ACCEPTED2Microsoft Windows 2000Enhanced Metafile (EMF)Windows Metafile (WMF)Andrew ButtnerINTERIMACCEPTEDBuffer overflow in the rendering for (1) Windows Metafile (WMF) or (2) Enhanced Metafile (EMF) image formats in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, and XP SP1allows remote attackers to execute arbitrary code via a malformed WNF or EMF image.CAN-2003-0906ACCEPTED1Red Hat Enterprise Linux 3ImageMagickJay BealeDRAFTThe XWD Decoder in ImageMagick before 6.2.2.3, and GraphicsMagick before 1.1.6-r1, allows remote attackers to cause a denial of service (infinite loop) via an image with a zero color mask.CAN-2005-1739DRAFT0Microsoft Windows 95Microsoft Windows 98Microsoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000MDAC 2.5Christine WalzerINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDBuffer overflow in a component of SQL-DMO for Microsoft Data Access Components (MDAC) 2.5 through 2.7 allows remote attackers to execute arbitrary code via a long response to a broadcast request to UDP port 1434.CAN-2003-0353ACCEPTED2Microsoft Windows XPMicrosoft Data Access Components 2.6Christine WalzerINTERIMACCEPTEDBuffer overflow in a component of SQL-DMO for Microsoft Data Access Components (MDAC) 2.5 through 2.7 allows remote attackers to execute arbitrary code via a long response to a broadcast request to UDP port 1434.CAN-2003-0353ACCEPTED1Microsoft Windows 98Microsoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003Internet Explorer 5.5Tiffany BergeronINTERIMACCEPTEDINTERIMHarvey RubinovitzACCEPTEDThe file upload control in Microsoft Internet Explorer 5.01, 5.5, and 6.0 allows remote attackers to automatically upload files from the local system via a web page containing a script to upload the files.CAN-2003-0114ACCEPTED2Microsoft Windows XPH.323Jonathan BakerINTERIMACCEPTEDUnknown vulnerability in the H.323 protocol implementation in Windows 98, Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code.CAN-2004-0117ACCEPTED1Microsoft Windows NTIIS 4.0Christine WalzerINTERIMACCEPTEDThe logging capability for unicast and multicast transmissions in the ISAPI extension for Microsoft Windows Media Services in Microsoft Windows NT 4.0 and 2000, nsiislog.dll, allows remote attackers to cause a denial of service in Internet Information Server (IIS) and execute arbitrary code via a certain network request.CAN-2003-0227ACCEPTED1Red Hat Enterprise Linux 3Red Hat Enteprise Linux 3Jay BealeINTERIMACCEPTEDrsync before 2.6.1 does not properly sanitize paths when running a read/write daemon without using chroot, which allows remote attackers to write files outside of the module's path.CAN-2004-0426ACCEPTED1Microsoft Windows 98Microsoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003Microsoft Jet Database EngineAndrew ButtnerINTERIMACCEPTEDBuffer overflow in Microsoft Jet Database Engine 4.0 allows remote attackers to execute arbitrary code via a specially-crafted database query.CAN-2004-0197ACCEPTED1Microsoft Windows NTCOM Internet ServicesChristine WalzerINTERIMACCEPTEDBuffer overflow in the COM Internet Services and in the RPC over HTTP Proxy components for Microsoft Windows NT Server 4.0, NT 4.0 Terminal Server Edition, 2000, XP, and Server 2003 allows remote attackers to cause a denial of service via a specially crafted request.CAN-2003-0807ACCEPTED1Red Hat Enterprise Linux 3Red Hat Enteprise Linux 3Jay BealeINTERIMACCEPTEDHeap-based buffer overflow in CVS 1.11.x up to 1.11.15, and 1.12.x up to 1.12.7, when using the pserver mechanism allows remote attackers to execute arbitrary code via Entry lines.CAN-2004-0396ACCEPTED1Red Hat Enterprise Linux 3Red Hat Enteprise Linux 3Jay BealeINTERIMACCEPTEDThe Portable Network Graphics library (libpng) 1.0.15 and earlier allows attackers to cause a denial of service (crash) via a malformed PNG image file that triggers an error that causes an out-of-bounds read when creating the error message.CAN-2004-0421ACCEPTED1Red Hat Enterprise Linux 3Red Hat Enteprise Linux 3Jay BealeINTERIMACCEPTEDTCPDUMP 3.8.1 and earlier allows remote attackers to cause a denial of service (crash) via ISAKMP packets containing a Delete payload with a large number of SPI's, which causes an out-of-bounds read, as demonstrated by the Striker ISAKMP Protocol Test Suite.CAN-2004-0183ACCEPTED1Microsoft Windows 98Microsoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPInternet Explorer 6Tiffany BergeronINTERIMACCEPTEDINTERIMHarvey RubinovitzACCEPTEDInternet Explorer 5.5 and 6.0 allows remote attackers to read certain files and spoof the URL in the address bar by using the Document.open function to pass information between two frames from different domains, a new variant of the "Frame Domain Verification" vulnerability described in MS:MS01-058/CAN-2001-0874.CVE-2002-0027ACCEPTED2Red Hat Linux 9OpenSSLMatt BusbyMatt BusbyINTERIMACCEPTEDThe do_change_cipher_spec function in OpenSSL 0.9.6c to 0.9.6k, and 0.9.7a to 0.9.7c, allows remote attackers to cause a denial of service (crash) via a crafted SSL/TLS handshake that triggers a null dereference.CAN-2004-0079ACCEPTED1Red Hat Enterprise Linux 3Red Hat Enteprise Linux 3Jay BealeINTERIMACCEPTEDInteger underflow in the isakmp_id_print for TCPDUMP 3.8.1 and earlier allows remote attackers to cause a denial of service (crash) via an ISAKMP packet with an Identification payload with a length that becomes less than 8 during byte order conversion, which causes an out-of-bounds read, as demonstrated by the Striker ISAKMP Protocol Test Suite.CAN-2004-0184ACCEPTED1Red Hat Enterprise Linux 3Red Hat Enteprise Linux 3Jay BealeINTERIMACCEPTEDMultiple stack-based buffer overflows in the get_header function in header.c for LHA 1.14 allow remote attackers or local users to execute arbitrary code via long directory or file names in an LHA archive, which triggers the overflow when testing or extracting the archive.CAN-2004-0234ACCEPTED1Red Hat Enterprise Linux 3Red Hat Enteprise Linux 3Jay BealeINTERIMACCEPTEDMultiple directory traversal vulnerabilities in LHA 1.14 allow remote attackers or local users to create arbitrary files via an LHA archive containing filenames with (1) .. sequences or (2) absolute pathnames with double leading slashes ("//absolute/path").CAN-2004-0235ACCEPTED1Red Hat Enterprise Linux 3Red Hat Enteprise Linux 3Jay BealeINTERIMACCEPTEDUtempter allows device names that contain .. (dot dot) directory traversal sequences, which allows local users to overwrite arbitrary files via a symlink attack on device names in combination with an application that trusts the utmp or wtmp files.CAN-2004-0233ACCEPTED1Red Hat Enterprise Linux 3Red Hat Enteprise Linux 3Jay BealeINTERIMACCEPTEDBuffer overflow in the ntlm_check_auth (NTLM authentication) function for Squid Web Proxy Cache 2.5.x and 3.x, when compiled with NTLM handlers enabled, allows remote attackers to execute arbitrary code via a long password ("pass" variable).CAN-2004-0541ACCEPTED1Red Hat Enterprise Linux 3Red Hat Enteprise Linux 3Jay BealeINTERIMACCEPTEDEthereal 0.10.3 allows remote attackers to cause a denial of service (crash) via certain SIP messages between Hotsip servers and clients.CAN-2004-0504ACCEPTED1Microsoft Windows XPIIS 5.1Christine WalzerINTERIMACCEPTEDUnknown vulnerability in the hosting process (dllhost.exe) for Microsoft Internet Information Server (IIS) 4.0 through 5.1 allows remote attackers to gain privileges by executing an out of process application that acquires LocalSystem privileges, aka "Out of Process Privilege Elevation."CAN-2002-0869ACCEPTED1Red Hat Enterprise Linux 3Red Hat Enteprise Linux 3Jay BealeINTERIMACCEPTEDRacoon before 20040408a allows remote attackers to cause a denial of service (memory consumption) via an ISAKMP packet with a large length field.CAN-2004-0403ACCEPTED1Red Hat Enterprise Linux 3Red Hat Enteprise Linux 3Jay BealeINTERIMACCEPTEDThe AIM dissector in Ethereal 0.10.3 allows remote attackers to cause a denial of service (assert error) via unknown attack vectors.CAN-2004-0505ACCEPTED1Red Hat Enterprise Linux 3Red Hat Enteprise Linux 3Jay BealeINTERIMACCEPTEDThe SPNEGO dissector in Ethereal 0.9.8 to 0.10.3 allows remote attackers to cause a denial of service (crash) via unknown attack vectors that cause a null pointer dereference.CAN-2004-0506ACCEPTED1Red Hat Enterprise Linux 3Red Hat Enteprise Linux 3Jay BealeINTERIMACCEPTEDBuffer overflow in the MMSE dissector for Ethereal 0.10.1 to 0.10.3 allows remote attackers to cause a denial of service and possibly execute arbitrary code.CAN-2004-0507ACCEPTED1Microsoft Windows 98Microsoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Outlook ExpressAndrew ButtnerINTERIMACCEPTEDThe MHTML protocol handler in Microsoft Outlook Express 5.5 SP2 through Outlook Express 6 SP1 allows remote attackers to bypass domain restrictions and execute arbitrary code, as demonstrated on Internet Explorer using script in a compiled help (CHM) file that references the InfoTech Storage (ITS) protocol handlers such as (1) ms-its, (2) ms-itss, (3) its, or (4) mk:@MSITStore, aka the "MHTML URL Processing Vulnerability."CAN-2004-0380ACCEPTED1Red Hat Enterprise Linux 3MIT Kerberos 5 (krb5)Jay BealeINTERIMACCEPTEDMultiple buffer overflows in krb5_aname_to_localname for MIT Kerberos 5 (krb5) 1.3.3 and earlier allow remote attackers to execute arbitrary code as root.CAN-2004-0523ACCEPTED1Red Hat Enterprise Linux 3CVSJay BealeINTERIMACCEPTEDCVS 1.12.x through 1.12.8, and 1.11.x through 1.11.16, does not properly handle malformed "Entry" lines, which prevents a NULL terminator from being used and may lead to a denial of service (crash), modification of critical program data, or arbitrary code execution.CAN-2004-0414ACCEPTED1Red Hat Enterprise Linux 3CVSJay BealeINTERIMACCEPTEDDouble-free vulnerability for the error_prog_name string in CVS 1.12.x through 1.12.8, and 1.11.x through 1.11.16, may allow remote attackers to execute arbitrary code.CAN-2004-0416ACCEPTED1Microsoft Windows 2000COM Internet ServicesChristine WalzerINTERIMACCEPTEDBuffer overflow in the COM Internet Services and in the RPC over HTTP Proxy components for Microsoft Windows NT Server 4.0, NT 4.0 Terminal Server Edition, 2000, XP, and Server 2003 allows remote attackers to cause a denial of service via a specially crafted request.CAN-2003-0807ACCEPTED1Microsoft Windows 98File and Print SharingTiffany BergeronINTERIMACCEPTEDFile and Print Sharing service in Windows 95, Windows 98, and Windows Me does not properly check the password for a file share, which allows remote attackers to bypass share access controls by sending a 1-byte password that matches the first character of the real password, aka the "Share Level Password" vulnerability.CVE-2000-0979ACCEPTED1Red Hat Enterprise Linux 3Red Hat Enteprise Linux 3Jay BealeINTERIMINTERIMACCEPTED/proc/tty/driver/serial in Linux 2.4.x reveals the exact number of characters used in serial links, which could allow local users to obtain potentially sensitive information such as the length of passwords.CAN-2003-0461ACCEPTED1Microsoft Windows 2000Microsoft Windows Server 2003Microsoft Exchange Server 2003Charles SchmidtDRAFTINTERIMACCEPTEDReview blocked sender list1.2.8ACCEPTED1Corresponds to item 1.2.8 in the Exchange 2003 BenchmarkMicrosoft Windows XPHelp and Support Center (HSC)Harvey RubinovitzHarvey RubinovitzINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDHelp and Support Center in Microsoft Windows XP SP1 does not properly validate HCP URLs, which allows remote attackers to execute arbitrary code via quotation marks in an hcp:// URL, which are not quoted when constructing the argument list to HelpCtr.exe.CAN-2003-0907ACCEPTED2Red Hat Enterprise Linux 3CVSJay BealeINTERIMACCEPTEDInteger overflow in the "Max-dotdot" CVS protocol command (serve_max_dotdot) for CVS 1.12.x through 1.12.8, and 1.11.x through 1.11.16, may allow remote attackers to cause a server crash, which could cause temporary data to remain undeleted and consume disk space.CAN-2004-0417ACCEPTED1Red Hat Enterprise Linux 3CVSJay BealeINTERIMACCEPTEDserve_notify in CVS 1.12.x through 1.12.8, and 1.11.x through 1.11.16, does not properly handle empty data lines, which may allow remote attackers to perform an "out-of-bounds" write for a single byte to execute arbitrary code or modify critical program data.CAN-2004-0418ACCEPTED1Microsoft Windows XPWindows XPHarvey RubinovitzINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDWindows XP allows local users to execute arbitrary programs by creating a task at an elevated privilege level through the eventtriggers.exe command-line tool or the Task Scheduler service, aka "Windows Management Vulnerability."CAN-2003-0909ACCEPTED2Microsoft Windows 2000Microsoft Windows XPMicrosoft Internet Explorer 6 Service Pack 1Harvey RubinovitzDRAFTINTERIMACCEPTEDInternet Explorer 5.01, 5.5, and 6 does not properly validate buffers when handling certain DHTML methods including the createControlRange Javascript function, which allows remote attackers to execute arbitrary code, aka the "DHTML Method Heap Memory Corruption Vulnerability."CAN-2005-0055ACCEPTED1Red Hat Enterprise Linux 3SquirrelMailJay BealeINTERIMACCEPTEDMultiple cross-site scripting (XSS) vulnerabilities in SquirrelMail 1.4.2 allow remote attackers to execute arbitrary script as other users and possibly steal authentication information via multiple attack vectors, including the mailbox parameter in compose.php.CAN-2004-0519ACCEPTED0Microsoft Windows XPMicrosoft ASN.1 LibraryDavid ProulxINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDDouble-free vulnerability in the ASN.1 library as used in Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003, allows remote attackers to cause a denial of service and possibly execute arbitrary code.CAN-2004-0123ACCEPTED2Microsoft Windows XPHelp and Support Center (HSC)Harvey RubinovitzINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDHelp and Support Center in Microsoft Windows XP and Windows Server 2003 SP1 does not properly validate HCP URLs, which allows remote attackers to execute arbitrary code, as demonstrated using certain hcp:// URLs that access the DVD Upgrade capability (dvdupgrd.htm).CAN-2004-0199ACCEPTED2Microsoft Windows XPIIS 5.1Christine WalzerINTERIMACCEPTEDIIS 5.0 and 5.1 allows remote attackers to cause a denial of service (crash) via malformed WebDAV requests that cause a large amount of memory to be assigned.CVE-2002-1182ACCEPTED1Microsoft Windows 98Microsoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Outlook ExpressAndrew ButtnerINTERIMACCEPTEDThe MHTML protocol handler in Microsoft Outlook Express 5.5 SP2 through Outlook Express 6 SP1 allows remote attackers to bypass domain restrictions and execute arbitrary code, as demonstrated on Internet Explorer using script in a compiled help (CHM) file that references the InfoTech Storage (ITS) protocol handlers such as (1) ms-its, (2) ms-itss, (3) its, or (4) mk:@MSITStore, aka the "MHTML URL Processing Vulnerability."CAN-2004-0380ACCEPTED1Microsoft Windows 2000IIS 5.0Christine WalzerINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDIIS 5.0 and 5.1 allows remote attackers to cause a denial of service (crash) via malformed WebDAV requests that cause a large amount of memory to be assignedCVE-2002-1182ACCEPTED2Red Hat Enterprise Linux 3SquirrelMailJay BealeINTERIMACCEPTEDCross-site scripting (XSS) vulnerability in mime.php for SquirrelMail before 1.4.3 allows remote attackers to insert arbitrary HTML and script via the content-type mail header, as demonstrated using read_body.php.CAN-2004-0520ACCEPTED0Red Hat Enterprise Linux 3Red Hat Enteprise Linux 3Jay BealeINTERIMACCEPTEDReal time clock (RTC) routines in Linux kernel 2.4.23 and earlier do not properly initialize their structures, which could leak kernel data to user space.CAN-2003-0984ACCEPTED2Microsoft Windows 98Microsoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPInternet Explorer 6Tiffany BergeronINTERIMACCEPTEDINTERIMHarvey RubinovitzACCEPTEDInternet Explorer 5.5 and 6.0 allows remote attackers to cause the File Download dialogue box to misrepresent the name of the file in the dialogue in a way that could fool users into thinking that the file type is safe to download.CVE-2001-0875ACCEPTED2Microsoft Windows 2000Lightweight Directory Access Protocol (LDAP)Tiffany BergeronINTERIMACCEPTEDUnknown vulnerability in the Local Security Authority Subsystem Service (LSASS) in Windows 2000 domain controllers allows remote attackers to cause a denial of service via a crafted LDAP message.CAN-2003-0663ACCEPTED1Red Hat Enterprise Linux 3Red Hat Enteprise Linux 3Jay BealeINTERIMACCEPTEDUnknown vulnerability in Linux kernel before 2.4.22 allows local users to gain privileges, related to "R128 DRI limits checking."CAN-2004-0003ACCEPTED1Microsoft Windows NTIIS 4.0Christine WalzerINTERIMACCEPTEDDirectory traversal vulnerability in IIS 5.0 and earlier allows remote attackers to execute arbitrary commands by encoding .. (dot dot) and "\" characters twice.CVE-2001-0333ACCEPTED1Microsoft Windows NTTiffany BergeronINTERIMACCEPTEDThe Remote Registry server in Windows NT 4.0 allows local authenticated users to cause a denial of service via a malformed request, which causes the winlogon process to fail, aka the "Remote Registry Access Authentication" vulnerability.CVE-2000-0377ACCEPTED1Microsoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003Microsoft Exchange 2000Tiffany BergeronINTERIMACCEPTEDMicrosoft Exchange Server 2000 System Attendant gives "Everyone" group privileges to the WinReg key, which could allow remote attackers to read or modify registry keys.CVE-2002-0049ACCEPTED1Microsoft Windows NTTiffany BergeronINTERIMACCEPTEDThe registry in Windows NT can be accessed remotely by users who are not administrators.CAN-1999-0562ACCEPTED1Microsoft Windows 2000NetBIOSTiffany BergeronINTERIMACCEPTEDA component service related to NETBIOS is running.CAN-1999-0621ACCEPTED1Microsoft Windows NTSQL Server 2000Tiffany BergeronINTERIMACCEPTEDJonathan BakerINTERIMINTERIMACCEPTEDIngrid SkoogIngrid SkoogIngrid SkoogIngrid SkoogIngrid SkoogIngrid SkoogIngrid SkoogINTERIMACCEPTEDThe registry key containing the SQL Server service account information in Microsoft SQL Server 2000, including Microsoft SQL Server Desktop Engine (MSDE) 2000, has insecure permissions, which allows local users to gain privileges, aka "Incorrect Permission on SQL Server Service Account Registry Key."CVE-2002-0642ACCEPTED3Microsoft Windows 2000Microsoft Internet Explorer 5.01 Service Pack 3Harvey RubinovitzDRAFTINTERIMThe legacy <script> data-island capability for XML in Microsoft Internet Explorer 5.01, 5.5, and 6.0 allows remote attackers to read arbitrary XML files, and portions of other files, via a URL whose "src" attribute redirects to a local file.CVE-2002-0648INTERIM0Microsoft Windows 2000Microsoft DirectPlayTiffany BergeronINTERIMACCEPTEDIDirectPlay4 Application Programming Interface (API) of Microsoft DirectPlay 7.0a thru 9.0b, as used in Windows Server 2003 and earlier allows remote attackers to cause a denial of service (application crash) via a malformed packet.CAN-2004-0202ACCEPTED1Microsoft Windows Server 2003Microsoft Outlook ExpressAndrew ButtnerINTERIMACCEPTEDThe MHTML protocol handler in Microsoft Outlook Express 5.5 SP2 through Outlook Express 6 SP1 allows remote attackers to bypass domain restrictions and execute arbitrary code, as demonstrated on Internet Explorer using script in a compiled help (CHM) file that references the InfoTech Storage (ITS) protocol handlers such as (1) ms-its, (2) ms-itss, (3) its, or (4) mk:@MSITStore, aka the "MHTML URL Processing Vulnerability."CAN-2004-0380ACCEPTED1Microsoft Windows Server 2003COM Internet ServicesChristine WalzerINTERIMACCEPTEDBuffer overflow in the COM Internet Services and in the RPC over HTTP Proxy components for Microsoft Windows NT Server 4.0, NT 4.0 Terminal Server Edition, 2000, XP, and Server 2003 allows remote attackers to cause a denial of service via a specially crafted request.CAN-2003-0807ACCEPTED1Microsoft Windows Server 2003Help and Support Center (HSC)Harvey RubinovitzINTERIMACCEPTEDHelp and Support Center in Microsoft Windows XP and Windows Server 2003 SP1 does not properly validate HCP URLs, which allows remote attackers to execute arbitrary code, as demonstrated using certain hcp:// URLs that access the DVD Upgrade capability (dvdupgrd.htm).CAN-2004-0199ACCEPTED1Red Hat Enterprise Linux 3SquirrelMailJay BealeINTERIMACCEPTEDSQL injection vulnerability in SquirrelMail before 1.4.3 RC1 allows remote attackers to execute unauthorized SQL statements, with unknown impact, probably via abook_database.php.CAN-2004-0521ACCEPTED0Red Hat Enterprise Linux 3Red Hat Enteprise Linux 3Jay BealeINTERIMACCEPTEDStack-based buffer overflow in the ncp_lookup function for ncpfs in Linux kernel 2.4.x allows local users to gain privileges.CAN-2004-0010ACCEPTED2Microsoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003Veritas Backup Exec 8.5Tiffany BergeronINTERIMIngrid SkoogVeritas Backup Exec 8.5 and earlier requires that the "RestrictAnonymous" registry key for Microsoft Exchange 2000 must be set to 0, which enables anonymous listing of the SAM database and shares.CVE-2002-1117INTERIM0Microsoft Windows XPMicrosoft Data Access Components 2.7Christine WalzerChristine WalzerINTERIMACCEPTEDBuffer overflow in a component of SQL-DMO for Microsoft Data Access Components (MDAC) 2.5 through 2.7 allows remote attackers to execute arbitrary code via a long response to a broadcast request to UDP port 1434.CAN-2003-0353ACCEPTED3Microsoft Windows NTRemote Procedure Call (RPC)Christine WalzerINTERIMACCEPTEDThe DCOM RPC interface for Microsoft Windows NT 4.0, 2000, XP, and Server 2003 allows remote attackers to cause network communications via an "alter context" call that contains additional data, aka the "Object Identity Vulnerability."CAN-2004-0124ACCEPTED1Red Hat Enterprise Linux 3Red Hat Enteprise Linux 3Jay BealeINTERIMACCEPTEDThe client for CVS before 1.11 allows a remote malicious CVS server to create arbitrary files using certain RCS diff files that use absolute pathnames during checkouts or updates, a different vulnerability than CAN-2004-0405.CAN-2004-0180ACCEPTED1Microsoft Windows 2000Utility ManagerHarvey RubinovitzINTERIMACCEPTEDThe Utility Manager in Microsoft Windows 2000 executes winhlp32.exe with system privileges, which allows local users to execute arbitrary code via a "Shatter" style attack using a Windows message that accesses the context sensitive help button in the GUI, as demonstrated using the File Open dialog in the Help window, a different vulnerability than CAN-2004-0213.CAN-2003-0908ACCEPTED1Sun Solaris 7Sun Solaris 8snmpdxBrian SobyDRAFTINTERIMACCEPTEDVulnerabilities in a large number of SNMP implementations allow remote attackers to cause a denial of service or gain privileges via SNMPv1 trap handling, as demonstrated by the PROTOS c06-SNMPv1 test suite. NOTE: It is highly likely that this candidate will be SPLIT into multiple candidates, one or more for each vendor. This and other SNMP-related candidates will be updated when more accurate information is available.CAN-2002-0012ACCEPTED1Red Hat Linux 9OpenSSLMatt BusbyMatt BusbyINTERIMACCEPTEDThe SSL/TLS handshaking code in OpenSSL 0.9.7a, 0.9.7b, and 0.9.7c, when using Kerberos ciphersuites, does not properly check the length of Kerberos tickets during a handshake, which allows remote attackers to cause a denial of service (crash) via a crafted SSL/TLS handshake that causes an out-of-bounds read.CAN-2004-0112ACCEPTED1Microsoft Windows 2000IIS 5.0Christine WalzerINTERIMACCEPTEDDirectory traversal vulnerability in IIS 5.0 and earlier allows remote attackers to execute arbitrary commands by encoding .. (dot dot) and "\" characters twice.CVE-2001-0333ACCEPTED1Microsoft Windows XPCompressed FoldersDavid ProulxDRAFTINTERIMACCEPTEDJonathan BakerINTERIMACCEPTEDMatthew WojcikINTERIMACCEPTEDInteger overflow in DUNZIP32.DLL for Microsoft Windows XP, Windows XP 64-bit Edition, Windows Server 2003, and Windows Server 2003 64-bit Edition allows remote attackers to execute arbitrary code via compressed (zipped) folders that involve an "unchecked buffer" and improper length validationCAN-2004-0575ACCEPTED3Microsoft Windows XPWindows logon process (winlogon)Andrew ButtnerINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDBuffer overflow in the Windows logon process (winlogon) in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, and XP SP1, when a member of a domain, allows remote attackers to execute arbitrary code.CAN-2003-0806ACCEPTED2Microsoft Windows XPCertGetCertificateChain, CertVerifyCertificateChainPolicy, and WinVerifyTrust APIsChristine WalzerChristine WalzerINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDThe (1) CertGetCertificateChain, (2) CertVerifyCertificateChainPolicy, and (3) WinVerifyTrust APIs within the CryptoAPI for Microsoft products including Microsoft Windows 98 through XP, Office for Mac, Internet Explorer for Mac, and Outlook Express for Mac, do not properly verify the Basic Constraints of intermediate CA-signed X.509 certificates, which allows remote attackers to spoof the certificates of trusted sites via a man-in-the-middle attack for SSL sessions, as originally reported for Internet Explorer and IIS.CAN-2002-0862ACCEPTED2Microsoft Windows XPHTML Help FacilityAndrew ButtnerDRAFTINTERIM** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.CAN-2005-1208INTERIM0Microsoft Windows NTCertificate ValidationChristine WalzerChristine WalzerChristine WalzerINTERIMACCEPTEDINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDMicrosoft Windows 98 and Windows NT 4.0 do not properly verify the Basic Constraints of digital certificates, allowing remote attackers to execute code, aka "New Variant of Certificate Validation Flaw Could Enable Identity Spoofing" (CAN-2002-0862).CVE-2002-1183ACCEPTED2Red Hat Enterprise Linux 3Red Hat Enteprise Linux 3Jay BealeINTERIMACCEPTEDCVS before 1.11 allows CVS clients to read arbitrary files via .. (dot dot) sequences in filenames via CVS client requests, a different vulnerability than CAN-2004-0180.CAN-2004-0405ACCEPTED1Microsoft Windows 2000Remote Procedure Call (RPC)Christine WalzerINTERIMACCEPTEDThe DCOM RPC interface for Microsoft Windows NT 4.0, 2000, XP, and Server 2003 allows remote attackers to cause network communications via an "alter context" call that contains additional data, aka the "Object Identity Vulnerability."CAN-2004-0124ACCEPTED1Microsoft Windows XPEnhanced Metafile (EMF)Windows Metafile (WMF)Andrew ButtnerINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDBuffer overflow in the rendering for (1) Windows Metafile (WMF) or (2) Enhanced Metafile (EMF) image formats in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, and XP SP1allows remote attackers to execute arbitrary code via a malformed WNF or EMF image.CAN-2003-0906ACCEPTED2Red Hat Enterprise Linux 3Red Hat Enteprise Linux 3Jay BealeINTERIMACCEPTEDMultiple format string vulnerabilities in (1) neon 0.24.4 and earlier, and other producs that use neon including (2) Cadaver, (3) Subversion, or (4) OpenOffice, allow remote malicious WebDAV servers to execute arbitrary code.CAN-2004-0179ACCEPTED1Microsoft Windows Server 2003Remote Procedure Call (RPC)Christine WalzerINTERIMACCEPTEDThe DCOM RPC interface for Microsoft Windows NT 4.0, 2000, XP, and Server 2003 allows remote attackers to cause network communications via an "alter context" call that contains additional data, aka the "Object Identity Vulnerability."CAN-2004-0124ACCEPTED1Microsoft Windows 2000IIS 5.0Christine WalzerINTERIMACCEPTEDIngrid SkoogINTERIMACCEPTEDBuffer overflow in Internet Printing ISAPI extension in Windows 2000 allows remote attackers to gain root privileges via a long print request that is passed to the extension through IIS 5.0CVE-2001-0241ACCEPTED2Microsoft Windows XPRemote Procedure Call (RPC)Christine WalzerINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDThe DCOM RPC interface for Microsoft Windows NT 4.0, 2000, XP, and Server 2003 allows remote attackers to cause network communications via an "alter context" call that contains additional data, aka the "Object Identity Vulnerability."CAN-2004-0124ACCEPTED2Microsoft Windows NTMicrosoft Windows 2000Microsoft ASN.1 LibraryDavid ProulxINTERIMACCEPTEDDouble-free vulnerability in the ASN.1 library as used in Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003, allows remote attackers to cause a denial of service and possibly execute arbitrary code.CAN-2004-0123ACCEPTED1Microsoft Windows NTSQL Server 2000Tiffany BergeronINTERIMACCEPTEDJonathan BakerINTERIMACCEPTEDIngrid SkoogIngrid SkoogINTERIMACCEPTEDMultiple buffer overflows in SQL Server 2000 Resolution Service allow remote attackers to cause a denial of service or execute arbitrary code via UDP packets to port 1434 in which (1) a 0x04 byte causes the SQL Monitor thread to generate a long registry key name, or (2) a 0x08 byte with a long string causes heap corruptionCAN-2002-0649ACCEPTED3Microsoft Windows 2000NetBIOSTiffany BergeronINTERIMACCEPTEDJonathan BakerINTERIMACCEPTEDInteractions between the CIFS Browser Protocol and NetBIOS as implemented in Microsoft Windows 95, 98, NT, and 2000 allow remote attackers to modify dynamic NetBIOS name cache entries via a spoofed Browse Frame Request in a unicast or UDP broadcast datagramCAN-2000-1079ACCEPTED2Red Hat Enterprise Linux 3zgrepJay BealeDRAFTzgrep in gzip before 1.3.5 does not properly sanitize arguments, which allows local users to execute arbitrary commands via filenames that are injected into a sed script.CAN-2005-0758DRAFT0Red Hat Enterprise Linux 3postgresqlJay BealeDRAFTINTERIMThe tsearch2 module in PostgreSQL 7.4 through 8.0.x declares the (1) dex_init, (2) snb_en_init, (3) snb_ru_init, (4) spell_init, and (5) syn_init functions as "internal" even when they do not take an internal argument, which allows attackers to cause a denial of service (application crash) and possibly have other impacts via SQL commands that call other functions that accept internal arguments.CAN-2005-1410INTERIM0Microsoft Windows Server 2003Private Communications Transport (PCT)Andrew ButtnerINTERIMACCEPTEDBuffer overflow in the Private Communications Transport (PCT) protocol implementation in the Microsoft SSL library, as used in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, XP SP1, Server 2003, NetMeeting, Windows 98, and Windows ME, allows remote attackers to execute arbitrary code via PCT 1.0 handshake packets.CAN-2003-0719ACCEPTED1Microsoft Windows 98Microsoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003Internet Explorer 5.5 Service Pack 2Tiffany BergeronINTERIMACCEPTEDINTERIMHarvey RubinovitzACCEPTEDHeap-based buffer overflow in plugin.ocx for Internet Explorer 5.01, 5.5 and 6.0 allows remote attackers to execute arbitrary code via the Load() method, a different vulnerability than CAN-2003-0115.CAN-2003-0233ACCEPTED2Microsoft Windows 98Microsoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000Internet Explorer 5.5, Internet Explorer 5.5 Service Pack 1Tiffany BergeronINTERIMACCEPTEDInternet Explorer 5.5 and earlier allows remote attackers to display a URL in the address bar that is different than the URL that is actually being displayed, which could be used in web site spoofing attacks, aka the "Web page spoofing vulnerability."CVE-2001-0339ACCEPTED1Sun Solaris 9CDEBrian SobyDRAFTINTERIMACCEPTEDBrian SobyBrian SobyINTERIMACCEPTEDCDE ToolTalk database server (ttdbserver) allows remote attackers to overwrite arbitrary memory locations with a zero, and possibly gain privileges, via a file descriptor argument in an AUTH_UNIX procedure call, which is used as a table index by the _TT_ISCLOSE procedure.CAN-2002-0677ACCEPTED2Microsoft Windows XPMicrosoft Windows Server 2003GDI+Ingrid SkoogDRAFTINTERIMACCEPTEDBuffer overflow in the JPEG (JPG) parsing engine in the Microsoft Graphic Device Interface Plus (GDI+) component, GDIPlus.dll, allows remote attackers to execute arbitrary code via a JPEG image with a small JPEG COM field length that is normalized to a large integer length before a memory copy operation.CAN-2004-0200ACCEPTED1Red Hat Enterprise Linux 3gzipJay BealeDRAFTINTERIMzgrep in gzip before 1.3.5 does not properly sanitize arguments, which allows local users to execute arbitrary commands via filenames that are injected into a sed script.CAN-2005-0758INTERIM0Sun Solaris 7Sun Solaris 8Sun Solaris 9Solaris Enterprise Authentication Mechanism (SEAM)Brian SobyDRAFTINTERIMACCEPTEDMIT Kerberos V5 Key Distribution Center (KDC) before 1.2.5 allows remote authenticated attackers to cause a denial of service (crash) on KDCs within the same realm via a certain protocol request that causes a null dereference.CVE-2003-0058ACCEPTED1Microsoft Windows Server 2003Internet Explorer 6.0Jonathan BakerDRAFTINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDThe DHTML Edit Control (dhtmled.ocx) allows remote attackers to inject arbitrary web script into other domains by setting a name for a window, opening a child page whose target is the window with the given name, then injecting the script from the parent into the child using execScript, as demonstrated by "AbusiveParent" in Internet Explorer 6.0.2900.2180.CAN-2004-1319ACCEPTED2Microsoft Windows XPMicrosoft Internet Explorer 6Harvey RubinovitzDRAFTHarvey RubinovitzINTERIMBuffer overflow in the PNG image rendering component of Microsoft Internet Explorer allows remote attackers to execute arbitrary code via a crafted PNG file. CAN-2005-1211INTERIM0Red Hat Enterprise Linux 3Linux kernelJay BealeDRAFTINTERIMThe linux-2.4.21-mlock.patch in Red Hat Enterprise Linux 3 does not properly maintain the mlock page count when one process unlocks pages that belong to another process, which allows local users to mlock more memory than specified by the rlimit.CAN-2004-0491INTERIM0Microsoft Windows 2000Remote Procedure Call (RPC)Christine WalzerDRAFTINTERIMACCEPTEDAndrew ButtnerINTERIMACCEPTEDThe RPC DCOM interface in Windows 2000 SP3 and SP4 allows remote attackers to cause a denial of service (crash), and local attackers to use the DoS to hijack the epmapper pipe to gain privileges, via certain messages to the __RemoteGetClassObject interface that cause a NULL pointer to be passed to the PerformScmStage functionCAN-2003-0605ACCEPTED2Red Hat Enterprise Linux 3Linux kernelJay BealeDRAFTINTERIMThe elf_core_dump function in binfmt_elf.c for Linux kernel 2.x.x to 2.2.27-rc2, 2.4.x to 2.4.31-pre1, and 2.6.x to 2.6.12-rc4 allows local users to execute arbitrary code via an ELF binary that, in certain conditions involving the create_elf_tables function, causes a negative length argument to pass a signed integer comparison, leading to a buffer overflow.CAN-2005-1263INTERIM0Microsoft Windows Server 2003Microsoft Color Management Module Christine WalzerDRAFT** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.CAN-2005-1219DRAFT0Sun Solaris 7Sun Solaris 8Sun Solaris 9.NET FrameworkBrian SobyDRAFTINTERIMACCEPTEDMultiple buffer overflows in uucp for Sun Solaris 2.6, 7, 8, and 9 allow local users to execute arbitrary code as the uucp user.CAN-2004-1359ACCEPTED1Microsoft Windows XPServices for UNIXJonathan BakerDRAFTINTERIM** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.CAN-2005-1205INTERIM0Microsoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Internet Explorer 6 Service Pack 1Tiffany BergeronDRAFTINTERIMACCEPTEDThe WebBrowser ActiveX control, or the Internet Explorer HTML rendering engine (MSHTML), as used in Internet Explorer 6, allows remote attackers to execute arbitrary code in the Local Security context by using the showModalDialog method and modifiying the location to execute code such as Javascript, as demonstrated using (1) delayed HTTP redirect operations, and an HTTP response with a Location: header containing a "URL:" prepended to a "ms-its" protocol URI, or (2) modifying the location attribute of the window, as exploited by the Download.ject (aka Scob aka Toofer) using the ADODB.Stream object.CAN-2004-0549ACCEPTED1Red Hat Enterprise Linux 3telnetJay BealeDRAFTCertain BSD-based Telnet clients, including those used on Solaris and SuSE Linux, allow remote malicious Telner servers to read sensitive environment variables via the NEW-ENVIRON option with a SEND ENV_USERVAR command.CAN-2005-0488DRAFT0Microsoft Windows XPSMB (Server Message Block)Jonathan BakerDRAFTINTERIM** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.CAN-2005-1206INTERIM0Microsoft Windows 2000ISA Server 2000Christine WalzerDRAFTINTERIMMicrosoft ISA Server 2000 allows remote attackers to poison the ISA cache or bypass content restriction policies via a malformed HTTP request packet containing multiple Content-Length headers.CAN-2005-1215INTERIM0Microsoft Windows XPMicrosoft Internet Explorer 6Harvey RubinovitzDRAFTINTERIMThe legacy <script> data-island capability for XML in Microsoft Internet Explorer 5.01, 5.5, and 6.0 allows remote attackers to read arbitrary XML files, and portions of other files, via a URL whose "src" attribute redirects to a local file.CVE-2002-0648INTERIM0Red Hat Enterprise Linux 3bzip2Jay BealeDRAFTRace condition in bzip2 1.0.2 and earlier allows local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed, whose permissions are changed by bzip2 after the decompression is complete.CAN-2005-0953DRAFT0Microsoft Windows 2000Crystal EnterpriseCrystal ReportsAndrew ButtnerJonathan BakerDirectory traversal vulnerability in the web viewers for Business Objects Crystal Reports 9 and 10, and Crystal Enterprise 9 or 10, as used in Visual Studio .NET 2003 and Outlook 2003 with Business Contact Manager, Microsoft Business Solutions CRM 1.2, and other products, allows remote attackers to read and delete arbitrary files via ".." sequences in the dynamicimag argument to crystalimagehandler.aspxCAN-2004-0204DRAFT0Microsoft Windows 2000COM Internet ServicesChristine WalzerDRAFTINTERIMACCEPTEDAndrew ButtnerINTERIMACCEPTEDWindows 2000, XP, and Server 2003 does not properly "validate the use of memory regions" for COM structured storage files, which allows attackers to execute arbitrary code, aka the "COM Structured Storage Vulnerability."CAN-2005-0047ACCEPTED2Microsoft Windows Server 2003Microsoft Word for Windows 6.0 ConverterChristine WalzerDRAFTINTERIMACCEPTEDIngrid SkoogINTERIMACCEPTED'Microsoft Word for Windows 6.0 Converter does not properly validate certain data lengths, which allows remote attackers to execute arbitrary code via a .wri, .rtf, and .doc file sent by email or malicious web site, aka \"Table Conversion Vulnerability,\" a different vulnerability than CAN-2004-0901'CAN-2004-0571ACCEPTED2Red Hat Enterprise Linux 3gzipJay BealeDRAFTINTERIMRace condition in gzip 1.2.4, 1.3.3, and earlier when decompressing a gzip allows local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed, whose permissions are changed by gzip after the decompression is complete.CAN-2005-0988INTERIM0Red Hat Enterprise Linux 3libxml2Jay BealeDRAFTINTERIMMultiple buffer overflows in libXML 2.6.12 and 2.6.13 (libxml2), and possibly other versions, may allow remote attackers to execute arbitrary code via (1) a long FTP URL that is not properly handled by the xmlNanoFTPScanURL function, (2) a long proxy URL containing FTP data that is not properly handled by the xmlNanoFTPScanProxy function, and other overflows related to manipulation of DNS length values, including (3) xmlNanoFTPConnect, (4) xmlNanoHTTPConnectHost, and (5) xmlNanoHTTPConnectHost.CAN-2004-0989INTERIM0Microsoft Windows XPWindows Media Player 9Christine WalzerDRAFTINTERIMACCEPTEDThe OLE component in Windows 98, 2000, XP, and Server 2003, and Exchange Server 5.0 through 2003, does not properly validate the lengths of messages for certain OLE data, which allows remote attackers to execute arbitrary code, aka the "Input Validation Vulnerability."CAN-2005-0044ACCEPTED1Microsoft Windows XPHTML Help FacilityAndrew ButtnerAndrew ButtnerINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDInternet Explorer 5.x and 6.0 allows remote attackers to execute arbitrary programs via a modified directory traversal attack using a URL containing ".." (dot dot) sequences and a filename that ends in "::" which is treated as a .chm file even if it does not have a .chm extension. NOTE: this bug may overlap CAN-2004-0475.CAN-2003-1041ACCEPTED1Microsoft Windows XPMicrosoft Office XP SP3Christine WalzerDRAFT** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.CAN-2005-0564DRAFT0Microsoft Windows XPMicrosoft AgentHarvey RubinovitzDRAFTHarvey RubinovitzINTERIMMicrosoft Agent allows remote attackers to spoof trusted Internet content and execute arbitrary code by disguising security prompts on a malicious Web page. CAN-2005-1214INTERIM0Red Hat Enterprise Linux 3libgdJay BealeDRAFTINTERIMMultiple buffer overflows in the gd graphics library (libgd) 2.0.21 and earlier may allow remote attackers to execute arbitrary code via malformed image files that trigger the overflows due to improper calls to the gdMalloc function, a different set of vulnerabilities than CAN-2004-0990.CAN-2004-0941INTERIM0Microsoft Windows 2000Microsoft Internet Explorer 5.01 Service Pack 3Harvey RubinovitzDRAFTINTERIMACCEPTEDBuffer overflow in the URL processor of Microsoft Internet Explorer 5.01, 5.5, and 6 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a URL with a long hostname, aka "URL Parsing Memory Corruption Vulnerability."CAN-2005-0554ACCEPTED1Microsoft Windows Server 2003Distributed Component Object Model (DCOM) interfaceChristine WalzerDRAFTINTERIMACCEPTEDHeap-based buffer overflow in the Distributed Component Object Model (DCOM) interface in the RPCSS Service allows remote attackers to execute arbitrary code via a malformed DCERPC DCOM object activation request packet with modified length fields, a different vulnerability than CAN-2003-0352 (Blaster/Nachi) and CAN-2003-0528CAN-2003-0715ACCEPTED1Microsoft Windows 2000Microsoft Windows XPMicrosoft Internet Explorer 6 Service Pack 1Harvey RubinovitzDRAFTINTERIMThe legacy <script> data-island capability for XML in Microsoft Internet Explorer 5.01, 5.5, and 6.0 allows remote attackers to read arbitrary XML files, and portions of other files, via a URL whose "src" attribute redirects to a local file.CVE-2002-0648INTERIM0Red Hat Enterprise Linux 3Linux kernelJay BealeDRAFTINTERIMThe shmctl function in Linux 2.6.9 and earlier allows local users to unlock the memory of other processes, which could cause sensitive memory to be swapped to disk, which could allow it to be read by other users once it has been released.CAN-2005-0176INTERIM0Sun Solaris 8mozillaBrian SobyDRAFTINTERIMACCEPTEDMozilla allows remote attackers to cause Mozilla to open a URI as a different MIME type than expected via a null character (%00) in an FTP URI.CAN-2004-0760ACCEPTED1Microsoft Windows 2000Microsoft Internet Explorer 5.01 Service Pack 4Harvey RubinovitzDRAFTINTERIM** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.CAN-2005-1211INTERIM0Microsoft Windows 2000Microsoft Word for Windows 6.0 ConverterChristine WalzerDRAFTINTERIMACCEPTEDAndrew ButtnerINTERIMACCEPTEDMicrosoft Word for Windows 6.0 Converter does not properly validate certain data lengths, which allows remote attackers to execute arbitrary code via a .wri, .rtf, and .doc file sent by email or malicious web site, aka "Font Conversion Vulnerability," a different vulnerability than CAN-2004-0571.CAN-2004-0901ACCEPTED2Red Hat Enterprise Linux 3sudoJay BealeDRAFTRace condition in sudo 1.3.1 up to 1.6.8p8, when the ALL pseudo-command is used after a user entry in the sudoers file, allows local users to gain privileges via a symlink attack.CAN-2005-1993DRAFT0It appears that we can't parse the vulnerable configuration condition (an ALL in the second field of a line after a line that has no ALL in the second field) with our existing regexp.Red Hat Enterprise Linux 3geditJay BealeDRAFTFormat string vulnerability in gedit 2.10.2 may allow attackers to cause a denial of service (application crash) via a bin file with format string specifiers in the filename. NOTE: while this issue is triggered on the command line by the gedit user, it has been reported that web browsers and email clients could be configured to provide a file name as an argument to gedit, so there is a valid attack that crosses security boundaries.CAN-2005-1686DRAFT0Microsoft Windows XPWeb Client ServiceMatthew BurtonDRAFTBuffer overflow in the Web Client service in Microsoft Windows XP and Windows Server 2003 allows remote authenticated users to execute arbitrary code via a crafted WebDAV request containing special parameters.CAN-2005-1207DRAFT0Red Hat Enterprise Linux 3libgdJay BealeDRAFTINTERIMInteger overflow in GD Graphics Library libgd 2.0.28 (libgd2), and possibly other versions, allows remote attackers to cause a denial of service and possibly execute arbitrary code via PNG image files with large image rows values that lead to a heap-based buffer overflow in the gdImageCreateFromPngCtx function, a different set of vulnerabilities than CAN-2004-0941.CAN-2004-0990INTERIM0Microsoft Windows XPWindows kernelChristine WalzerDRAFTINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDBuffer overflow in Windows Kernel allows local users to gain privileges by causing certain error messages to be passed to a debugger.CAN-2003-0112ACCEPTED2Microsoft Windows Server 2003Windows kernelIngrid SkoogDRAFTINTERIMChristine WalzerACCEPTEDBuffer overflow in Microsoft Windows 2000, Windows XP SP1 and SP2, and Windows Server 2003 allows local users to cause a denial of service (i.e., system crash) via a malformed request, aka "Object Management Vulnerability".CAN-2005-0550ACCEPTED1Sun Solaris 7Sun Solaris 8Sun Solaris 9SadminBrian SobyBrian SobyDRAFTINTERIMACCEPTEDThe default installation of sadmind on Solaris uses weak authentication (AUTH_SYS), which allows local and remote attackers to spoof Solstice AdminSuite clients and gain root privileges via a certain sequence of RPC packets.CAN-2003-0722ACCEPTED1Microsoft Windows 98Program Group ConverterAndrew ButtnerDRAFTINTERIMACCEPTEDBuffer overflow in the Windows Program Group Converter (grpconv.exe) may allow remote attackers to execute arbitrary code via a shell: URL with a long filename and a .grp extension, which is not properly handled when the shell capability launches grpconv.exe.CAN-2004-0572ACCEPTED1Microsoft Windows 2000Microsoft Color Management Module Christine WalzerDRAFT** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.CAN-2005-1219DRAFT0Microsoft Windows 2000Windows 2000Matthew BurtonDRAFTINTERIMACCEPTEDWindows Server 2003 and XP SP2, with Windows Firewall turned off, allows remote attackers to cause a denial of service (CPU consumption) via a TCP packet with the SYN flag set and the same destination and source address and port, aka a reoccurrence of the "Land" vulnerability (CVE-1999-0016).CAN-2005-0688ACCEPTED1Microsoft Windows 98Internet Explorer 6Internet Explorer 6 SP1Ingrid SkoogDRAFTINTERIMACCEPTEDIngrid SkoogINTERIMACCEPTED'Heap-based buffer overflow in Internet Explorer 6 allows remote attackers to execute arbitrary code via long (1) SRC or (2) NAME attributes in IFRAME, FRAME, and EMBED elements, as originally discovered using the mangleme utilit'CAN-2004-1050ACCEPTED2Microsoft Windows XPWindows Animated CursorChristine WalzerDRAFTINTERIMACCEPTEDThe Windows Animated Cursor (ANI) in Windows NT, Windows 2000 through SP4, Windows XP through SP1, and Windows 2003 allows remote attackers to cause a denial of service (kernel crash or resource consumption) via the (1) frame number or (2) rate number set to zeroCAN-2004-1305ACCEPTED1Microsoft Windows XPWindows Media Player 9Christine WalzerDRAFTChristine WalzerChristine WalzerChristine WalzerChristine WalzerChristine WalzerChristine WalzerChristine WalzerChristine WalzerINTERIMACCEPTEDWindows Media Player 9 allows remote attackers to execute arbitrary code via a PNG file containing large (1) width or (2) height values, aka the "PNG Processing Vulnerability."CAN-2004-1244ACCEPTED1Microsoft Windows 2000Microsoft Internet Explorer 5.01 Service Pack 4Harvey RubinovitzDRAFTINTERIMACCEPTEDInternet Explorer 5.01, 5.5, and 6 allows remote attackers to spoof a less restrictive security zone and execute arbitrary code via an HTML page containing URLs that contain hostnames that have been double hex encoded, which are decoded twice to generate a malicious hostname, aka the "URL Decoding Zone Spoofing Vulnerability."CAN-2005-0054ACCEPTED1Microsoft Windows NTWindows kernelChristine WalzerDRAFTINTERIMACCEPTEDThe Local Procedure Call (LPC) interface of the Windows Kernel for Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 does not properly validate the lengths of messages sent to the LPC port, which allows local users to gain privileges, aka "Windows Kernel Vulnerability.CAN-2004-0893ACCEPTED1Microsoft Windows 2000IIS 5.0Jonathan BakerDRAFTINTERIMACCEPTEDThe WebDAV Message Handler for Internet Information Services (IIS) 5.0, 5.1, and 6.0 allows remote attackers to cause a denial of service (memory and CPU exhaustion, application crash) via a PROPFIND request with an XML message containing XML elements with a large number of attributes.CAN-2003-0718ACCEPTED1Microsoft Windows 2000Microsoft Office 2000 SP3Christine WalzerDRAFT** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.CAN-2005-0564DRAFT0Microsoft Windows 2000Certificate ValidationChristine WalzerChristine WalzerChristine WalzerINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDThe (1) CertGetCertificateChain, (2) CertVerifyCertificateChainPolicy, and (3) WinVerifyTrust APIs within the CryptoAPI for Microsoft products including Microsoft Windows 98 through XP, Office for Mac, Internet Explorer for Mac, and Outlook Express for Mac, do not properly verify the Basic Constraints of intermediate CA-signed X.509 certificates, which allows remote attackers to spoof the certificates of trusted sites via a man-in-the-middle attack for SSL sessions, as originally reported for Internet Explorer and IIS.CAN-2002-0862ACCEPTED2Microsoft Windows Server 2003Microsoft Internet Explorer 6.0 for Windows Server 2003Harvey RubinovitzDRAFTINTERIMHarvey RubinovitzHarvey RubinovitzHarvey RubinovitzACCEPTEDInternet Explorer 5.01, 5.5, and 6 allows remote attackers to execute arbitrary code via drag and drop events, aka the "Drag-and-Drop Vulnerability."CAN-2005-0053ACCEPTED1Microsoft Windows NTInternet Explorer 6Tiffany BergeronINTERIMACCEPTEDStack-based buffer overflow in the Task Scheduler for Windows 2000 and XP, and Internet Explorer 6 on Windows NT 4.0, allows local or remote attackers to execute arbitrary code via a .job file containing long parameters, as demonstrated using Internet Explorer and accessing a .job file on an anonymous share.CAN-2004-0212ACCEPTED0Red Hat Enterprise Linux 3FreeRADIUSJay BealeDRAFTINTERIMACCEPTEDFreeRADIUS before 1.0.1 allows remote attackers to cause a denial of service (server crash) by sending an Ascend-Send-Secret attribute without the required leading packetCAN-2004-0938ACCEPTED1Microsoft Windows Server 2003HTML Help ActiveX ControlMatthew BurtonDRAFTINTERIMACCEPTEDInternet Explorer 6.0 on Windows XP SP2 allows remote attackers to execute arbitrary code by using the "Related Topics" command in the Help ActiveX Control (hhctrl.ocx) to open a Help popup window containing the PCHealth tools.htm file in the local zone and injecting Javascript to be executed, as demonstrated using "writehta.txt" and the ADODB recordset, which saves a .HTA file to the local system, aka the "HTML Help ActiveX control Cross Domain Vulnerability."CAN-2004-1043ACCEPTED1Microsoft Windows 2000Microsoft Windows Server 2003Microsoft Exchange Server 2003Charles SchmidtDRAFTINTERIMACCEPTEDMicrosoft Exchange Server 2003 should disallow execute permissions to the Exchange HTTP virtual directoryACCEPTED1Microsoft Windows 2000Microsoft Windows Server 2003Microsoft Exchange Server 2003Charles SchmidtDRAFTINTERIMACCEPTEDMicrosoft Exchange Server 2003 should only allow digest or integrated windows authentication (NTLM) to connect to the Exchange HTTP virtual directoriesACCEPTED1Microsoft Windows 2000Microsoft Windows Server 2003Microsoft Exchange Server 2003Charles SchmidtDRAFTINTERIMACCEPTEDMicrosoft Exchange Server 2003 should disallow all access to Exchange HTTP virtual directoriesACCEPTED1Microsoft Windows 2000Microsoft Windows Server 2003Microsoft Exchange Server 2003Charles SchmidtDRAFTINTERIMACCEPTEDMicrosoft Exchange Server 2003 should Display the routing groups in the Exchange System ManagerACCEPTED1Microsoft Windows 2000Microsoft Windows Server 2003Microsoft Exchange Server 2003Charles SchmidtDRAFTINTERIMACCEPTEDMicrosoft Exchange Server 2003 should Display the administrative groups in the Exchange System ManagerACCEPTED1Microsoft Windows 2000Microsoft Windows Server 2003Microsoft Exchange Server 2003Charles SchmidtDRAFTINTERIMACCEPTEDMicrosoft Exchange Server 2003 should enable forms based authenticationACCEPTED1Microsoft Windows 2000Microsoft Windows Server 2003Microsoft Exchange Server 2003Charles SchmidtDRAFTINTERIMACCEPTEDMicrosoft Exchange Server 2003 should only allow digest or integrated windows authentication (NTLM) to connect to the Public HTTP virtual directoriesACCEPTED1Microsoft Windows 2000Microsoft Windows Server 2003Microsoft Exchange Server 2003Charles SchmidtDRAFTINTERIMACCEPTEDMicrosoft Exchange Server 2003 should disallow execute permissions to the Public HTTP virtual directoryACCEPTED1Microsoft Windows 2000Microsoft Windows Server 2003Microsoft Exchange Server 2003Charles SchmidtDRAFTINTERIMACCEPTEDMicrosoft Exchange Server 2003 should disallow all access to Public HTTP virtual directoriesACCEPTED1Microsoft Windows 2000Microsoft Windows Server 2003Microsoft Exchange Server 2003Charles SchmidtDRAFTINTERIMACCEPTEDMicrosoft Exchange Server 2003 should zero out deleted database pagesACCEPTED1Microsoft Windows 2000Microsoft Windows Server 2003Microsoft Exchange Server 2003Charles SchmidtDRAFTINTERIMACCEPTEDMicrosoft Exchange Server 2003 should disable all automated message generationACCEPTED1Microsoft Windows 2000Microsoft Windows Server 2003Microsoft Exchange Server 2003Charles SchmidtDRAFTINTERIMACCEPTEDMicrosoft Exchange Server 2003 should only allow basic authentication with TSL encryption to connect to the IMAP4 serviceACCEPTED1Microsoft Windows 2000Microsoft Windows Server 2003Microsoft Exchange Server 2003Charles SchmidtDRAFTINTERIMACCEPTEDMicrosoft Exchange Server 2003 should use SSL when downloading meeting requestsACCEPTED1Microsoft Windows 2000Microsoft Windows Server 2003Microsoft Exchange Server 2003Charles SchmidtDRAFTINTERIMACCEPTEDMicrosoft Exchange Server 2003 should use the default TCP ports for the the IMAP4 servicesACCEPTED1Microsoft Windows 2000Microsoft Windows Server 2003Microsoft Exchange Server 2003Charles SchmidtDRAFTINTERIMACCEPTEDMicrosoft Exchange Server 2003 should archive all messages received by mailboxes on this storeACCEPTED1Microsoft Windows 2000Microsoft Windows Server 2003Microsoft Exchange Server 2003Charles SchmidtDRAFTINTERIMACCEPTEDMicrosoft Exchange Server 2003 should have clients support S/MIMEACCEPTED1Microsoft Windows 2000Microsoft Windows Server 2003Microsoft Exchange Server 2003Charles SchmidtDRAFTINTERIMACCEPTEDMicrosoft Exchange Server 2003 should not delete mailboxes without waiting for the store to be backed upACCEPTED1Microsoft Windows 2000Microsoft Windows Server 2003Microsoft Exchange Server 2003Charles SchmidtDRAFTINTERIMACCEPTEDMicrosoft Exchange Server 2003 should subscribe to a block list to block spamACCEPTED1Microsoft Windows 2000Microsoft Windows Server 2003Microsoft Exchange Server 2003Charles SchmidtDRAFTINTERIMACCEPTEDMicrosoft Exchange Server 2003 should limit the size of messages to and from the server to 30MBACCEPTED1Microsoft Windows 2000Microsoft Windows Server 2003Microsoft Exchange Server 2003Charles SchmidtDRAFTINTERIMACCEPTEDMicrosoft Exchange Server 2003 should limit the number of recipients in outbound messages to 5000ACCEPTED1Microsoft Windows 2000Microsoft Windows Server 2003Microsoft Exchange Server 2003Charles SchmidtDRAFTINTERIMACCEPTEDMicrosoft Exchange Server 2003 should disable the filtering of recipients who are not in Active DirectoryACCEPTED1Microsoft Windows 2000Microsoft Windows Server 2003Microsoft Exchange Server 2003Charles SchmidtDRAFTINTERIMACCEPTEDCharles SchmidtINTERIMACCEPTEDMicrosoft Exchange Server 2003 should archive filtered messages1.2.9ACCEPTED2Corresponds to item 1.2.9 in the Exchange 2003 BenchmarkMicrosoft Windows 2000Microsoft Windows Server 2003Microsoft Exchange Server 2003Charles SchmidtDRAFTINTERIMACCEPTEDMicrosoft Exchange Server 2003 should filter messages with a blank senderACCEPTED1Microsoft Windows 2000Microsoft Windows Server 2003Microsoft Exchange Server 2003Charles SchmidtDRAFTINTERIMACCEPTEDMicrosoft Exchange Server 2003 should drop connections if the address matches filtersACCEPTED1Microsoft Windows 2000Microsoft Windows Server 2003Microsoft Exchange Server 2003Charles SchmidtDRAFTINTERIMACCEPTEDMicrosoft Exchange Server 2003 should accept messages without notifying the sender of filteringACCEPTED1Microsoft Windows 2000Microsoft Windows Server 2003Microsoft Exchange Server 2003Charles SchmidtDRAFTINTERIMACCEPTEDMicrosoft Exchange Server 2003 should disable Outlook Mobile AccessACCEPTED1Microsoft Windows 2000Microsoft Windows Server 2003Microsoft Exchange Server 2003Charles SchmidtDRAFTINTERIMACCEPTEDMicrosoft Exchange Server 2003 should disable ActiveSyncACCEPTED1Microsoft Windows 2000Microsoft Windows Server 2003Microsoft Exchange Server 2003Charles SchmidtDRAFTINTERIMACCEPTEDMicrosoft Exchange Server 2003 should only allow basic authentication with TSL encryption to connect to the POP3 serviceACCEPTED1Microsoft Windows 2000Microsoft Windows Server 2003Microsoft Exchange Server 2003Charles SchmidtDRAFTINTERIMACCEPTEDMicrosoft Exchange Server 2003 should use SSL when downloading meeting requestsACCEPTED1Microsoft Windows 2000Microsoft Windows Server 2003Microsoft Exchange Server 2003Charles SchmidtDRAFTINTERIMACCEPTEDMicrosoft Exchange Server 2003 should use TCP ports 143 and 995 for the POP3 serviceACCEPTED1Microsoft Windows 2000Microsoft Windows Server 2003Microsoft Exchange Server 2003Charles SchmidtDRAFTINTERIMACCEPTEDMicrosoft Exchange Server 2003 should have mailbox store clients support S/MIME signaturesACCEPTED1Microsoft Windows 2000Microsoft Windows Server 2003Microsoft Exchange Server 2003Charles SchmidtDRAFTINTERIMACCEPTEDMicrosoft Exchange Server 2003 should enable subject logging and displayACCEPTED1Microsoft Windows 2000Microsoft Windows Server 2003Microsoft Exchange Server 2003Charles SchmidtDRAFTINTERIMACCEPTEDMicrosoft Exchange Server 2003 should enable message trackingACCEPTED1Microsoft Windows 2000Microsoft Windows Server 2003Microsoft Exchange Server 2003Charles SchmidtDRAFTINTERIMACCEPTEDMicrosoft Exchange Server 2003 should disable automatic log removalACCEPTED1Microsoft Windows 2000Microsoft Windows Server 2003Microsoft Exchange Server 2003Charles SchmidtDRAFTINTERIMACCEPTEDMicrosoft Exchange Server 2003 should not disable all monitoring on this serverACCEPTED1Microsoft Windows 2000Microsoft Windows Server 2003Microsoft Exchange Server 2003Charles SchmidtDRAFTINTERIMACCEPTEDMicrosoft Exchange Server 2003 should change state to critical when any service stopsACCEPTED1Microsoft Windows 2000Microsoft Windows Server 2003Microsoft Exchange Server 2003Charles SchmidtDRAFTINTERIMACCEPTEDMicrosoft Exchange Server 2003 should limit any connector scope to the routing groupACCEPTED1Microsoft Windows 2000Microsoft Windows Server 2003Microsoft Exchange Server 2003Charles SchmidtDRAFTINTERIMACCEPTEDMicrosoft Exchange Server 2003 should disallow unauthenticated entities to relay through this SMTP connectorACCEPTED1Microsoft Windows 2000Microsoft Windows Server 2003Microsoft Exchange Server 2003Charles SchmidtDRAFTINTERIMACCEPTEDMicrosoft Exchange Server 2003 should force outbound connections to use basic authentication with TLS encryptionACCEPTED1Microsoft Windows 2000Microsoft Windows Server 2003Microsoft Exchange Server 2003Charles SchmidtDRAFTINTERIMACCEPTEDMicrosoft Exchange Server 2003 should have any SMTP connectors use a smart hostACCEPTED1Microsoft Windows 2000Microsoft Windows Server 2003Microsoft Exchange Server 2003Charles SchmidtDRAFTINTERIMACCEPTEDMicrosoft Exchange Server 2003 should only allow basic authentication with TSL encryption to connect to the SMTP serverACCEPTED1Microsoft Windows 2000Microsoft Windows Server 2003Microsoft Exchange Server 2003Charles SchmidtDRAFTINTERIMACCEPTEDMicrosoft Exchange Server 2003 should not resolve anonymous emailACCEPTED1Microsoft Windows 2000Microsoft Windows Server 2003Microsoft Exchange Server 2003Charles SchmidtDRAFTINTERIMACCEPTEDMicrosoft Exchange Server 2003 should only allow explicitly listed hosts to relay messages through this severACCEPTED1Microsoft Windows 2000Microsoft Windows Server 2003Microsoft Exchange Server 2003Charles SchmidtDRAFTINTERIMACCEPTEDMicrosoft Exchange Server 2003 should use a smart host to relay SMTP messagesACCEPTED1Microsoft Windows 2000Microsoft Windows Server 2003Microsoft Exchange Server 2003Charles SchmidtDRAFTINTERIMACCEPTEDMicrosoft Exchange Server 2003 should not perform reverse DNS lookups on incoming messagesACCEPTED1Microsoft Windows 2000Microsoft Windows Server 2003Microsoft Exchange Server 2003Charles SchmidtDRAFTINTERIMACCEPTEDMicrosoft Exchange Server 2003 should use port 25 for outbound SMTP connectionsACCEPTED1Microsoft Windows 2000Microsoft Windows Server 2003Microsoft Exchange Server 2003Charles SchmidtDRAFTINTERIMACCEPTEDMicrosoft Exchange Server 2003 should use only basic authentication with TLS encryption for outbound SMTP connectionsACCEPTED1Microsoft Windows 2000Microsoft Windows Server 2003Microsoft Exchange Server 2003Charles SchmidtDRAFTINTERIMACCEPTEDMicrosoft Exchange Server 2003 should enable logging of connections between SMTP hostsACCEPTED1Microsoft Windows 2000Microsoft Windows Server 2003Microsoft Exchange Server 2003Charles SchmidtDRAFTINTERIMACCEPTEDMicrosoft Exchange Server 2003 should use port 25 for inbound SMTP connectionsACCEPTED1Microsoft Windows 2000Microsoft Windows Server 2003Microsoft Exchange Server 2003Charles SchmidtDRAFTINTERIMACCEPTEDMicrosoft Exchange Server 2003 should apply sender, recipient, and connection filtersACCEPTED1Microsoft Windows NTMicrosoft Word for Windows 6.0 ConverterChristine WalzerDRAFTINTERIMACCEPTEDMicrosoft Word for Windows 6.0 Converter does not properly validate certain data lengths, which allows remote attackers to execute arbitrary code via a .wri, .rtf, and .doc file sent by email or malicious web site, aka "Table Conversion Vulnerability," a different vulnerability than CAN-2004-0901CAN-2004-0571ACCEPTED1Microsoft Windows XPIIS 5.1Jonathan BakerDRAFTINTERIMACCEPTEDThe WebDAV Message Handler for Internet Information Services (IIS) 5.0, 5.1, and 6.0 allows remote attackers to cause a denial of service (memory and CPU exhaustion, application crash) via a PROPFIND request with an XML message containing XML elements with a large number of attributes.CAN-2003-0718ACCEPTED1Sun Solaris 7CDEBrian SobyBrian SobyDRAFTINTERIMACCEPTEDDouble-free vulnerability in dtlogin in CDE on Solaris, HP-UX, and possibly other operating systems, allows remote attackers to execute arbitrary code via a certain UDP packet.CAN-2004-0368ACCEPTED1Microsoft Windows NTCertificate ValidationChristine WalzerChristine WalzerChristine WalzerINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDMicrosoft Windows 98 and Windows NT 4.0 do not properly verify the Basic Constraints of digital certificates, allowing remote attackers to execute code, aka "New Variant of Certificate Validation Flaw Could Enable Identity Spoofing" (CAN-2002-0862).CVE-2002-1183ACCEPTED1Sun Solaris 9SambaBrian SobyDRAFTINTERIMACCEPTEDBuffer overflow in samba 2.2.2 through 2.2.6 allows remote attackers to cause a denial of service and possibly execute arbitrary code via an encrypted password that causes the overflow during decryption in which a DOS codepage string is converted to a little-endian UCS2 unicode string.CVE-2002-1318ACCEPTED1Sun Solaris 7libpngBrian SobyDRAFTINTERIMACCEPTEDMultiple integer overflows in the (1) png_read_png in pngread.c or (2) png_handle_sPLT functions in pngrutil.c or (3) progressive display image reading capability in libpng 1.2.5 and earlier allow remote attackers to cause a denial of service (application crash) via a malformed PNG image.CAN-2004-0599ACCEPTED1Sun Solaris 8Sun Solaris 9.NET FrameworkBrian SobyDRAFTINTERIMACCEPTEDThe Solaris Management Console (SMC) in Sun Solaris 8 and 9 generates different 404 error messages when a file does not exist versus when a file exists but is otherwise inacessible, which could allow remote attackers to obtain sensitive information in conjunction with a directory traversal (..) attack.CAN-2004-1354ACCEPTED1Microsoft Windows 2000HTML Help FacilityAndrew ButtnerINTERIMACCEPTEDHeap-based buffer overflow in the HtmlHelp program (hh.exe) in HTML Help for Microsoft Windows 98, Me, NT 4.0, 2000, XP, and Server 2003 allows remote attackers to execute arbitrary commands via a .CHM file with a large length field, a different vulnerability than CAN-2003-1041.CAN-2004-0201ACCEPTED0Microsoft Windows NTVDMIngrid SkoogIngrid SkoogACCEPTEDThe component for the Virtual DOS Machine (VDM) subsystem in Windows NT 4.0 and Windows 2000 does not properly validate system structures, which allows local users to access protected kernel memory and execute arbitrary code.CAN-2004-0118ACCEPTED2Sun Solaris 8.NET FrameworkBrian SobyDRAFTINTERIMACCEPTEDUnknown vulnerability in the ls-F builtin function in tcsh on Solaris 8 allows local users to create or delete files as other users, and gain privileges.CAN-2003-1024ACCEPTED1Microsoft Windows XPHTML Help FacilityAndrew ButtnerAndrew ButtnerINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDHeap-based buffer overflow in the HtmlHelp program (hh.exe) in HTML Help for Microsoft Windows 98, Me, NT 4.0, 2000, XP, and Server 2003 allows remote attackers to execute arbitrary commands via a .CHM file with a large length field, a different vulnerability than CAN-2003-1041.CAN-2004-0201ACCEPTED1Microsoft Windows Server 2003Windows Internet Naming Service (WINS)Matthew BurtonDRAFTINTERIMACCEPTED'The WINS service (wins.exe) on Microsoft Windows NT Server 4.0, Windows 2000 Server, and Windows Server 2003 allows remote attackers to write to arbitrary memory locations and possibly execute arbitrary code via a modified memory pointer in a WINS replication packet to TCP port 42'CAN-2004-1080ACCEPTED1Microsoft Windows 2000Windows kernelChristine WalzerDRAFTINTERIMACCEPTEDAndrew ButtnerINTERIMACCEPTEDThe Local Procedure Call (LPC) interface of the Windows Kernel for Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 does not properly validate the lengths of messages sent to the LPC port, which allows local users to gain privileges, aka "Windows Kernel Vulnerability.CAN-2004-0893ACCEPTED2Microsoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPInternet Explorer 6 SP1Harvey RubinovitzDRAFTINTERIMACCEPTEDInternet Explorer in Windows XP SP2, and other versions including 5.01 and 5.5, allows remote attackers to install arbitrary programs via a web page that uses certain styles and the AnchorClick behavior, popup windows, and drag-and-drop capabilities to drop the program in the local startup folder, as demonstrated by "wottapoop.html".CAN-2004-0839ACCEPTED1Microsoft Windows Server 2003Windows Media Player 9Christine WalzerChristine WalzerChristine WalzerChristine WalzerChristine WalzerChristine WalzerChristine WalzerChristine WalzerChristine WalzerDRAFTINTERIMACCEPTEDWindows Media Player 9 allows remote attackers to execute arbitrary code via a PNG file containing large (1) width or (2) height values, aka the "PNG Processing Vulnerability."CAN-2004-1244ACCEPTED1Microsoft Windows XPWindows kernelChristine WalzerDRAFTINTERIMACCEPTEDThe Local Procedure Call (LPC) interface of the Windows Kernel for Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 does not properly validate the lengths of messages sent to the LPC port, which allows local users to gain privileges, aka "Windows Kernel Vulnerability.CAN-2004-0893ACCEPTED1Microsoft Windows MEWindows ShellAndrew ButtnerDRAFTINTERIMACCEPTEDBuffer overflow in Microsoft Internet Explorer and Explorer on Windows XP SP1, WIndows 2000, Windows 98, and Windows Me may allow remote malicious servers to cause a denial of service (application crash) and possibly execute arbitrary code via long share names, as demonstrated using Samba.CAN-2004-0214ACCEPTED1Microsoft Windows XPHyperTerminalHarvey RubinovitzDRAFTHarvey RubinovitzHarvey RubinovitzINTERIMChristine WalzerDavid ProulxACCEPTED'HyperTerminal application for Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 does not properly validate the length of a value that is saved in a session file, which allows remote attackers to execute arbitrary code via a malicious HyperTerminal session file (.ht), web site, or Telnet URL contained in an e-mail message, triggering a buffer overflow.'CVE-2004-0568ACCEPTED1Microsoft Windows XPSMB (Server Message Block)Christine WalzerDRAFTINTERIMACCEPTEDThe Server Message Block (SMB) implementation for Windows 2000, XP, and Server 2003 does not properly validate certain SMB packets, which allows remote attackers to execute arbitrary code using certain broadcast packets, aka the "Server Message Block Vulnerability."CAN-2005-0045ACCEPTED1Sun Solaris 8Licence Logging ServiceBrian SobyDRAFTINTERIMACCEPTEDgzip before 1.3 in Solaris 8, when called with the -f or -force flags, will change the permissions of files that are hard linked to the target files, which allows local users to view or modify these files.CAN-2004-1349ACCEPTED1Microsoft Windows Server 2003Microsoft Word for Windows 6.0 ConverterChristine WalzerDRAFTINTERIMACCEPTEDMicrosoft Word for Windows 6.0 Converter does not properly validate certain data lengths, which allows remote attackers to execute arbitrary code via a .wri, .rtf, and .doc file sent by email or malicious web site, aka "Font Conversion Vulnerability," a different vulnerability than CAN-2004-0571.CAN-2004-0901ACCEPTED1Microsoft Windows XPWindows kernelIngrid SkoogDRAFTINTERIMChristine WalzerACCEPTEDThe kernel of Microsoft Windows 2000, Windows XP SP1 and SP2, and Windows Server 2003 allows local users to gain privileges via certain access requests.CAN-2005-0061ACCEPTED1Sun Solaris 8Sun Solaris 9.NET FrameworkBrian SobyDRAFTINTERIMACCEPTEDUnknown vulnerability in the sendfilev function in Sun Solaris 8 and 9 allows local users to cause a denial of service (system panic) via unknown vectors.CAN-2004-1356ACCEPTED1Microsoft Windows XPMicrosoft Internet Explorer 6Harvey RubinovitzDRAFTINTERIMACCEPTEDRace condition in the memory management routines in the DHTML object processor in Microsoft Internet Explorer 5.01, 5.5, and 6 allows remote attackers to execute arbitrary code via a malicious web page or HTML e-mail, aka "DHTML Object Memory Corruption Vulnerability".CAN-2005-0553ACCEPTED1Microsoft Windows XPInternet Explorer 6.0Jonathan BakerDRAFTINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDThe DHTML Edit Control (dhtmled.ocx) in Internet Explorer 6.0.2900.2180 allows remote attackers to inject arbitrary web script into other domains by setting a name for a window, opening a child page whose target is the window with the given name, then injecting the script from the parent into the child using execScript, as demonstrated by "AbusiveParent."CAN-2004-1319ACCEPTED2Sun Solaris 8Sun Enterprise Storage Manager (ESM)Brian SobyDRAFTINTERIMACCEPTEDACCEPTED1Microsoft Windows NTVDMIngrid SkoogACCEPTEDThe component for the Virtual DOS Machine (VDM) subsystem in Windows NT 4.0 and Windows 2000 does not properly validate system structures, which allows local users to access protected kernel memory and execute arbitrary code.CAN-2004-0118ACCEPTED2Microsoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Visual Studio .NET 2003Ingrid SkoogDRAFTIngrid SkoogINTERIMACCEPTEDBuffer overflow in the JPEG (JPG) parsing engine in the Microsoft Graphic Device Interface Plus (GDI+) component, GDIPlus.dll, allows remote attackers to execute arbitrary code via a JPEG image with a small JPEG COM field length that is normalized to a large integer length before a memory copy operation.CAN-2004-0200ACCEPTED1Sun Solaris 7Sun Solaris 8Sun Solaris 9.NET FrameworkBrian SobyDRAFTINTERIMACCEPTEDUnknown vulnerability in conv_fix in Sun Solaris 7 through 9, when invoked by conv_lpd, allows local users to overwrite arbitrary files.CAN-2004-1360ACCEPTED1Microsoft Windows 2000Microsoft Internet Explorer 5.01 Service Pack 3Harvey RubinovitzDRAFTINTERIMACCEPTEDInternet Explorer 5.01, 5.5, and 6 allows remote attackers to spoof a less restrictive security zone and execute arbitrary code via an HTML page containing URLs that contain hostnames that have been double hex encoded, which are decoded twice to generate a malicious hostname, aka the "URL Decoding Zone Spoofing Vulnerability."CAN-2005-0054ACCEPTED1Microsoft Windows NTWindows ShellAndrew ButtnerDRAFTINTERIMACCEPTEDBuffer overflow in Microsoft Internet Explorer and Explorer on Windows XP SP1, WIndows 2000, Windows 98, and Windows Me may allow remote malicious servers to cause a denial of service (application crash) and possibly execute arbitrary code via long share names, as demonstrated using Samba.CAN-2004-0214ACCEPTED1Microsoft Windows XPMicrosoft Windows Server 2003VDMIngrid SkoogIngrid SkoogDRAFTINTERIMACCEPTEDThe Virtual DOS Machine (VDM) subsystem of Microsoft Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 allows local users to access kernel memory and gain privileges via a malicious program that modified some system structures in a way that is not properly validated by privileged operating system functions.CAN-2004-0208ACCEPTED1Microsoft Windows Server 2003Windows kernelIngrid SkoogDRAFTINTERIMChristine WalzerACCEPTEDThe kernel of Microsoft Windows 2000, Windows XP SP1 and SP2, and Windows Server 2003 allows local users to gain privileges via certain access requests.CAN-2005-0061ACCEPTED1Microsoft Windows XPTask SchedulerTiffany BergeronINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDStack-based buffer overflow in the Task Scheduler for Windows 2000 and XP, and Internet Explorer 6 on Windows NT 4.0, allows local or remote attackers to execute arbitrary code via a .job file containing long parameters, as demonstrated using Internet Explorer and accessing a .job file on an anonymous share.CAN-2004-0212ACCEPTED1Microsoft Windows XPMicrosoft Internet Explorer 6Andrew ButtnerDRAFTINTERIMACCEPTEDDouble-free vulnerability in mshtml.dll for certain versions of Internet Explorer 6.x allows remote attackers to cause a denial of service (application crash) via a malformed GIF image.CAN-2003-1048ACCEPTED1Microsoft Windows 2000Negotiate SSP interfaceIngrid SkoogINTERIMACCEPTEDJonathan BakerINTERIMACCEPTEDThe Negotiate Security Software Provider (SSP) interface in Windows 2000, Windows XP, and Windows Server 2003, allows remote attackers to cause a denial of service (crash from null dereference) or execute arbitrary code via a crafted SPNEGO NegTokenInit request during authentication protocol selectionCAN-2004-0119ACCEPTED2Microsoft Windows XPDistributed Component Object Model (DCOM) interfaceChristine WalzerDRAFTINTERIMACCEPTEDHeap-based buffer overflow in the Distributed Component Object Model (DCOM) interface in the RPCSS Service allows remote attackers to execute arbitrary code via a malformed DCERPC DCOM object activation request packet with modified length fields, a different vulnerability than CAN-2003-0352 (Blaster/Nachi) and CAN-2003-0528CAN-2003-0715ACCEPTED1Microsoft Windows Server 2003Client Server Runtime System (CSRSS)Ingrid SkoogDRAFTINTERIMChristine WalzerACCEPTEDThe Client Server Runtime System (CSRSS) process of Microsoft Windows 2000, Windows XP SP1 and SP2, and Windows Server 2003 allows local users to gain privileges via a specially-designed application.CAN-2005-0551ACCEPTED1Microsoft Windows XPProgram Group ConverterAndrew ButtnerDRAFTINTERIMACCEPTEDBuffer overflow in the Windows Program Group Converter (grpconv.exe) may allow remote attackers to execute arbitrary code via a shell: URL with a long filename and a .grp extension, which is not properly handled when the shell capability launches grpconv.exe.CAN-2004-0572ACCEPTED1Microsoft Windows XPProgram Group ConverterAndrew ButtnerDRAFTINTERIMACCEPTEDBuffer overflow in the Windows Program Group Converter (grpconv.exe) may allow remote attackers to execute arbitrary code via a shell: URL with a long filename and a .grp extension, which is not properly handled when the shell capability launches grpconv.exe.CAN-2004-0572ACCEPTED1Sun Solaris 7NISBrian SobyDRAFTINTERIMACCEPTEDBuffer overflow in ypbind daemon in Solaris 5.4 through 8 allows remote attackers to execute arbitrary codeCVE-2001-1328ACCEPTED1Microsoft Windows Server 2003SMB (Server Message Block)Christine WalzerDRAFTINTERIMACCEPTEDThe Server Message Block (SMB) implementation for Windows 2000, XP, and Server 2003 does not properly validate certain SMB packets, which allows remote attackers to execute arbitrary code using certain broadcast packets, aka the "Server Message Block Vulnerability."CAN-2005-0045ACCEPTED1Microsoft Windows NTNetDDEJonathan BakerDRAFTINTERIMACCEPTEDNetwork Dynamic Data Exchange (NetDDE) services for Microsoft Windows 98, Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 allows attackers to remotely execute arbitrary code or locally gain privileges via a malicious message or application that involves an "unchecked buffer," possibly a buffer overflow.CAN-2004-0206ACCEPTED1Microsoft Windows XPEnhanced Metafile (EMF)Ingrid SkoogDRAFTINTERIMACCEPTEDUnknown vulnerability in the Graphics Rendering Engine processes of Microsoft Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code via (1) Windows Metafile (WMF) or (2) Enhanced Metafile (EMF) image formats that involve "an unchecked buffer."CAN-2004-0209ACCEPTED1Sun Solaris 7dtspcdBrian SobyDRAFTINTERIMACCEPTEDThe CDE dtspcd daemon allows local users to execute arbitrary commands via a symlink attack.CVE-1999-0689ACCEPTED1Microsoft Windows XPWindows kernelChristine WalzerDRAFTINTERIMACCEPTEDIngrid SkoogINTERIMACCEPTEDThe Local Procedure Call (LPC) interface of the Windows Kernel for Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 does not properly validate the lengths of messages sent to the LPC port, which allows local users to gain privileges, aka "Windows Kernel Vulnerability.CAN-2004-0893ACCEPTED2Microsoft Windows Server 2003Local Security Authority Subsystem Service (LSASS)Christine WalzerDRAFTINTERIMACCEPTEDLSASS (Local Security Authority Subsystem Service) of Windows 2000 Server and Windows Server 2003 does not properly validate connection information, which allows local users to gain privileges via a specially-designed programCAN-2004-0894ACCEPTED1Microsoft Windows XPSMB (Server Message Block)Christine WalzerDRAFTINTERIMACCEPTEDThe Server Message Block (SMB) implementation for Windows 2000, XP, and Server 2003 does not properly validate certain SMB packets, which allows remote attackers to execute arbitrary code using certain broadcast packets, aka the "Server Message Block Vulnerability."CAN-2005-0045ACCEPTED1Sun Solaris 7Sun Solaris 8Sun Solaris 9CDEBrian SobyDRAFTINTERIMACCEPTEDHeap-based buffer overflow in dtsession for Solaris 2.5.1 through Solaris 9 allows local users to gain root privileges via a long HOME environment variable.CAN-2003-0092ACCEPTED1Microsoft Windows 2000HTML Help FacilityAndrew ButtnerINTERIMACCEPTEDInternet Explorer 5.x and 6.0 allows remote attackers to execute arbitrary programs via a modified directory traversal attack using a URL containing ".." (dot dot) sequences and a filename that ends in "::" which is treated as a .chm file even if it does not have a .chm extension. NOTE: this bug may overlap CAN-2004-0475.CAN-2003-1041ACCEPTED0Microsoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Outlook ExpressJonathan BakerDRAFTINTERIMACCEPTEDMicrosoft Outlook Express 5.5 and 6 allows attackers to cause a denial of service (application crash) via a malformed e-mail header.CAN-2004-0215ACCEPTED1Microsoft Windows XPMicrosoft Word for Windows 6.0 ConverterChristine WalzerDRAFTINTERIMChristine WalzerACCEPTEDIngrid SkoogINTERIMACCEPTEDMicrosoft Word for Windows 6.0 Converter does not properly validate certain data lengths, which allows remote attackers to execute arbitrary code via a .wri, .rtf, and .doc file sent by email or malicious web site, aka "Table Conversion Vulnerability," a different vulnerability than CAN-2004-0901CAN-2004-0571ACCEPTED2Microsoft Windows Server 2003Negotiate Security Software ProviderIngrid SkoogINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDThe Negotiate Security Software Provider (SSP) interface in Windows 2000, Windows XP, and Windows Server 2003, allows remote attackers to cause a denial of service (crash from null dereference) or execute arbitrary code via a crafted SPNEGO NegTokenInit request during authentication protocol selection.CAN-2004-0119ACCEPTED2Microsoft Windows XPWindows XPMatthew BurtonDRAFTINTERIMACCEPTEDInternet Explorer 6.0 on Windows XP SP2 allows remote attackers to execute arbitrary code by using the "Related Topics" command in the Help ActiveX Control (hhctrl.ocx) to open a Help popup window containing the PCHealth tools.htm file in the local zone and injecting Javascript to be executed, as demonstrated using "writehta.txt" and the ADODB recordset, which saves a .HTA file to the local system, aka the "HTML Help ActiveX control Cross Domain Vulnerability."CAN-2004-1043ACCEPTED1Microsoft Windows XPTask SchedulerTiffany BergeronTiffany BergeronINTERIMACCEPTEDStack-based buffer overflow in the Task Scheduler for Windows 2000 and XP, and Internet Explorer 6 on Windows NT 4.0, allows local or remote attackers to execute arbitrary code via a .job file containing long parameters, as demonstrated using Internet Explorer and accessing a .job file on an anonymous share.CAN-2004-0212ACCEPTED0Sun Solaris 9Solaris Management Console (SMC)Brian SobyDRAFTINTERIMACCEPTEDOff-by-one error in the fb_realpath() function, as derived from the realpath function in BSD, may allow attackers to execute arbitrary code, as demonstrated in wu-ftpd 2.5.0 through 2.6.2 via commands that cause pathnames of length MAXPATHLEN+1 to trigger a buffer overflow, including (1) STOR, (2) RETR, (3) APPE, (4) DELE, (5) MKD, (6) RMD, (7) STOU, or (8) RNTO.CAN-2003-0466ACCEPTED1Microsoft Windows XPMicrosoft Word for Windows 6.0 ConverterChristine WalzerDRAFTINTERIMACCEPTEDMicrosoft Word for Windows 6.0 Converter does not properly validate certain data lengths, which allows remote attackers to execute arbitrary code via a .wri, .rtf, and .doc file sent by email or malicious web site, aka "Table Conversion Vulnerability," a different vulnerability than CAN-2004-0901CAN-2004-0571ACCEPTED1Sun Solaris 8Sun Solaris 9ApacheBrian SobyBrian SobyBrian SobyDRAFTINTERIMACCEPTEDApache before 2.0.49, when using multiple listening sockets on certain platforms, allows remote attackers to cause a denial of service (blocked new connections) via a "short-lived connection on a rarely-accessed listening socket."CAN-2004-0174ACCEPTED1Microsoft Windows XPNegotiate SSP interfaceIngrid SkoogIngrid SkoogIngrid SkoogACCEPTEDChristine WalzerINTERIMACCEPTEDThe Negotiate Security Software Provider (SSP) interface in Windows 2000, Windows XP, and Windows Server 2003, allows remote attackers to cause a denial of service (crash from null dereference) or execute arbitrary code via a crafted SPNEGO NegTokenInit request during authentication protocol selection.CAN-2004-0119ACCEPTED1Sun Solaris 7Solaris Enterprise Authentication Mechanism (SEAM)Brian SobyDRAFTBrian SobyINTERIMACCEPTEDMultiple buffer overflows in krb5_aname_to_localname for MIT Kerberos 5 (krb5) 1.3.3 and earlier allow remote attackers to execute arbitrary code as root.CAN-2004-0523ACCEPTED1Microsoft Windows XPWindows kernelChristine WalzerDRAFTINTERIMACCEPTEDIngrid SkoogINTERIMACCEPTEDThe Local Procedure Call (LPC) interface of the Windows Kernel for Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 does not properly validate the lengths of messages sent to the LPC port, which allows local users to gain privileges, aka "Windows Kernel Vulnerability.CAN-2004-0893ACCEPTED2Sun Solaris 7BindBrian SobyDRAFTINTERIMACCEPTEDBrian SobyBrian SobyINTERIMACCEPTEDISC BIND 8.3.x before 8.3.7, and 8.4.x before 8.4.3, allows remote attackers to poison the cache via a malicious name server that returns negative responses with a large TTL (time-to-live) value.CAN-2003-0914ACCEPTED2Microsoft Windows NTOutlook Web AccessChristine WalzerDRAFTINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDCross-site scripting (XSS) vulnerability in Outlook Web Access for Exchange Server 5.5 Service Pack 4 allows remote attackers to insert arbitrary script and spoof content in HTML email or web caches via an HTML redirect query.CAN-2004-0203ACCEPTED2Microsoft Windows NTWindows kernelChristine WalzerINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDBuffer overflow in Windows Kernel allows local users to gain privileges by causing certain error messages to be passed to a debugger.CAN-2003-0112ACCEPTED1Sun Solaris 7loginBrian SobyDRAFTINTERIMACCEPTEDBuffer overflow in login in various System V based operating systems allows remote attackers to execute arbitrary commands via a large number of arguments through services such as telnet and rloginCVE-2001-0797ACCEPTED1Microsoft Windows XPWindows kernelIngrid SkoogDRAFTINTERIMChristine WalzerACCEPTEDBuffer overflow in Microsoft Windows 2000, Windows XP SP1 and SP2, and Windows Server 2003 allows local users to cause a denial of service (i.e., system crash) via a malformed request, aka "Object Management Vulnerability".CAN-2005-0550ACCEPTED1Microsoft Windows 2000Windows 2000Matthew BurtonDRAFTINTERIMACCEPTEDInternet Explorer 5.01, 5.5, and 6 allows remote attackers to execute arbitrary code via drag and drop events, aka the "Drag-and-Drop Vulnerability."CAN-2005-0053ACCEPTED1Microsoft Windows XPLocal Security Authority Subsystem Service (LSASS)Christine WalzerDRAFTINTERIMACCEPTEDLSASS (Local Security Authority Subsystem Service) of Windows 2000 Server and Windows Server 2003 does not properly validate connection information, which allows local users to gain privileges via a specially-designed programCAN-2004-0894ACCEPTED1Sun Solaris 9pam_krb5Brian SobyDRAFTBrian SobyINTERIMACCEPTEDSolaris 9, when configured as a Kerberos client with patch 112908-12 or 115168-03 and using pam_krb5 as an "auth" module with the debug feature enabled, records passwords in plaintext, which could allow local users to gain other user's passwords by reading log files.CAN-2004-0653ACCEPTED1Microsoft Windows 2000Microsoft Internet Explorer 5.01 Service Pack 3Harvey RubinovitzDRAFTINTERIMACCEPTEDInternet Explorer in Windows XP SP2, and other versions including 5.01 and 5.5, allows remote attackers to install arbitrary programs via a web page that uses certain styles and the AnchorClick behavior, popup windows, and drag-and-drop capabilities to drop the program in the local startup folder, as demonstrated by "wottapoop.html".CAN-2004-0839ACCEPTED1Microsoft Windows 2000Microsoft Internet Explorer 5.01 Service Pack 3Harvey RubinovitzDRAFTINTERIMACCEPTEDBuffer overflow in the Content Advisor in Microsoft Internet Explorer 5.01, 5.5, and 6 allows remote attackers to execute arbitrary code via a crafted Content Advisor file, aka "Content Advisor Memory Corruption Vulnerability."CAN-2005-0555ACCEPTED1Sun Solaris 7BindBrian SobyDRAFTINTERIMACCEPTEDBIND 8.x through 8.3.3 allows remote attackers to cause a denial of service (crash) via SIG RR elements with invalid expiry times, which are removed from the internal BIND database and later cause a null dereference.CVE-2002-1221ACCEPTED1Microsoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000Microsoft Internet Explorer 5.5 Service Pack 2Andrew ButtnerDRAFTINTERIMACCEPTEDDouble-free vulnerability in mshtml.dll for certain versions of Internet Explorer 6.x allows remote attackers to cause a denial of service (application crash) via a malformed GIF image.CAN-2003-1048ACCEPTED1Microsoft Windows NTCertificate ValidationChristine WalzerChristine WalzerChristine WalzerINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDMicrosoft Windows 98 and Windows NT 4.0 do not properly verify the Basic Constraints of digital certificates, allowing remote attackers to execute code, aka "New Variant of Certificate Validation Flaw Could Enable Identity Spoofing" (CAN-2002-0862).CVE-2002-1183ACCEPTED1Microsoft Windows 2000Enhanced Metafile (EMF)Ingrid SkoogDRAFTINTERIMACCEPTEDUnknown vulnerability in the Graphics Rendering Engine processes of Microsoft Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code via (1) Windows Metafile (WMF) or (2) Enhanced Metafile (EMF) image formats that involve "an unchecked buffer."CAN-2004-0209ACCEPTED1Microsoft Windows Server 2003Indexing ServiceHarvey RubinovitzDRAFTINTERIMACCEPTEDThe Indexing Service for Microsoft Windows XP and Server 2003 does not properly validate the length of a message, which allows remote attackers to execute arbitrary code via a buffer overflow attack.CAN-2004-0897ACCEPTED1Microsoft Windows 2000Microsoft Outlook ExpressJonathan BakerDRAFTINTERIMACCEPTEDMicrosoft Outlook Express 5.5 and 6 allows attackers to cause a denial of service (application crash) via a malformed e-mail header.CAN-2004-0215ACCEPTED1Sun Solaris 9Kerberos5Brian SobyDRAFTBrian SobyINTERIMACCEPTEDThe asn1buf_skiptail function in the ASN.1 decoder library for MIT Kerberos 5 (krb5) 1.2.2 through 1.3.4 allows remote attackers to cause a denial of service (infinite loop) via a certain BER encoding.CAN-2004-0644ACCEPTED1Microsoft Windows Server 2003HTML Help FacilityAndrew ButtnerINTERIMACCEPTEDHeap-based buffer overflow in the HtmlHelp program (hh.exe) in HTML Help for Microsoft Windows 98, Me, NT 4.0, 2000, XP, and Server 2003 allows remote attackers to execute arbitrary commands via a .CHM file with a large length field, a different vulnerability than CAN-2003-1041.CAN-2004-0201ACCEPTED0Sun Solaris 9SambaBrian SobyDRAFTINTERIMACCEPTEDBuffer overflow in the call_trans2open function in trans2.c for Samba 2.2.x before 2.2.8a, 2.0.10 and earlier 2.0.x versions, and Samba-TNG before 0.3.2, allows remote attackers to execute arbitrary codeCAN-2003-0201ACCEPTED1Microsoft Windows NTPOSIXIngrid SkoogIngrid SkoogINTERIMACCEPTEDThe POSIX component of Microsoft Windows NT and Windows 2000 allows local users to execute arbitrary code via certain parameters, possibly by modifying message length values and causing a buffer overflow.CAN-2004-0210ACCEPTED0Sun Solaris 9SendmailBrian SobyDRAFTBrian SobyINTERIMACCEPTEDBuffer overflow in Sendmail before 8.12.5, when configured to use a custom DNS map to query TXT records, allows remote attackers to cause a denial of service and possibly execute arbitrary code via a malicious DNS serverCVE-2002-0906ACCEPTED1Microsoft Windows XPWindows ShellHarvey RubinovitzDRAFTINTERIMACCEPTEDThe document processing application used by the Windows Shell in Microsoft Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code by modifying the CLSID stored in a a file so that it is processed by HTML Application Host (MSHTA), as demonstrated using a Microsoft Word document.CAN-2005-0063ACCEPTED1Microsoft Windows 2000Windows 2000Matthew BurtonDRAFTINTERIMACCEPTEDMultiple TCP/IP and ICMP implementations, when using Path MTU (PMTU) discovery (PMTUD), allow remote attackers to cause a denial of service (network throughput reduction for TCP connections) via forged ICMP ("Fragmentation Needed and Don't Fragment was Set") packets with a low next-hop MTU value, aka the "Path MTU discovery attack." NOTE: CAN-2004-0790, CAN-2004-0791, and CAN-2004-1060 have been SPLIT based on different attacks; CAN-2005-0065, CAN-2005-0066, CAN-2005-0067, and CAN-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities.CAN-2004-1060ACCEPTED1Microsoft Windows XPDirectXTiffany BergeronTiffany BergeronTiffany BergeronTiffany BergeronINTERIMACCEPTEDIDirectPlay4 Application Programming Interface (API) of Microsoft DirectPlay 7.0a thru 9.0b, as used in Windows Server 2003 and earlier allows remote attackers to cause a denial of service (application crash) via a malformed packet.CAN-2004-0202ACCEPTED1Microsoft Windows NTIIS 4.0David ProulxINTERIMACCEPTEDBuffer overflow in Microsoft Internet Information Server (IIS) 4.0 allows local users to execute arbitrary code via the redirect function.CAN-2004-0205ACCEPTED0Microsoft Windows XPInternet Explorer 6Harvey RubinovitzDRAFTINTERIMACCEPTEDInternet Explorer 5.01, 5.5, and 6 does not properly cache SSL content, which allows remote attackers to obtain information or spoof content via a web site with the same host name as the target web site, whose content is cached and reused when the user visits the target web site.CAN-2004-0845ACCEPTED1Sun Solaris 7Sun Solaris 8Sun Solaris 9SendmailBrian SobyDRAFTINTERIMACCEPTEDBuffer overflow in Sendmail 5.79 to 8.12.7 allows remote attackers to execute arbitrary code via certain formatted address fields, related to sender and recipient header comments as processed by the crackaddr function of headers.c.CVE-2002-1337ACCEPTED1Microsoft Windows XPInternet Explorer 6Christine WalzerINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDThe Windows Shell application in Windows 98, Windows ME, Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code by spoofing the type of a file via a CLSID specifier in the filename, as demonstrated using Internet Explorer 6.0.2800.1106 on Windows XP.CAN-2004-0420ACCEPTED1Sun Solaris 7libcBrian SobyDRAFTINTERIMACCEPTEDThe Sun RPC functionality in multiple libc implementations does not provide a time-out mechanism when reading data from TCP connections, which allows remote attackers to cause a denial of service (hang).CVE-2002-1265ACCEPTED1Microsoft Windows 2000Microsoft Internet Explorer 5.01 Service Pack 4Harvey RubinovitzDRAFTINTERIMACCEPTEDBuffer overflow in the URL processor of Microsoft Internet Explorer 5.01, 5.5, and 6 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a URL with a long hostname, aka "URL Parsing Memory Corruption Vulnerability."CAN-2005-0554ACCEPTED1Microsoft Windows NTWindows kernelChristine WalzerINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDBuffer overflow in Windows Kernel allows local users to gain privileges by causing certain error messages to be passed to a debugger.CAN-2003-0112ACCEPTED1Microsoft Windows 2000MDAC 2.8Christine WalzerDRAFTINTERIMACCEPTEDMultiple buffer overflows in libpng 1.2.5 and earlier, as used in multiple products, allow remote attackers to execute arbitrary code via malformed PNG images in which (1) the png_handle_tRNS function does not properly validate the length of transparency chunk (tRNS) data, or the (2) png_handle_sBIT or (3) png_handle_hIST functions do not perform sufficient bounds checking.CAN-2004-0597ACCEPTED1Microsoft Windows NTDHCPIngrid SkoogDRAFTIngrid SkoogIngrid SkoogINTERIMACCEPTEDThe DHCP Server service for Microsoft Windows NT 4.0 Server and Terminal Server Edition, with DHCP logging enabled, does not properly validate the length of certain messages, which allows remote attackers to cause a denial of service (application crash) via a malformed DHCP message, aka "Logging Vulnerability.CAN-2004-0899ACCEPTED1Microsoft Windows XPJonathan BakerDRAFTINTERIMACCEPTEDJonathan BakerINTERIMACCEPTED** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.CAN-2005-0051ACCEPTED2Microsoft Windows Server 2003SMTPChristine WalzerDRAFTChristine WalzerINTERIMACCEPTEDThe SMTP (Simple Mail Transfer Protocol) component of Microsoft Windows XP 64-bit Edition, Windows Server 2003, Windows Server 2003 64-bit Edition, and the Exchange Routing Engine component of Exchange Server 2003, allows remote attackers to execute arbitrary code via a malicious DNS response message containing length values that are not properly validated.CAN-2004-0840ACCEPTED1Microsoft Windows XPDistributed Component Object Model (DCOM) interfaceChristine WalzerDRAFTINTERIMACCEPTEDBuffer overflow in a certain DCOM interface for RPC in Microsoft Windows NT 4.0, 2000, XP, and Server 2003 allows remote attackers to execute arbitrary code via a malformed message, as exploited by the Blaster/MSblast/LovSAN and Nachi/Welchia worms.CAN-2003-0352ACCEPTED1This bulletin has been superceded by MS03-039. Definition reflects updated information. Microsoft Windows 98Microsoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Project Professional 2002Ingrid SkoogDRAFTINTERIMACCEPTEDBuffer overflow in Microsoft Office XP allows remote attackers to execute arbitrary code via a link with a URL file location containing long inputs after (1) "%00 (null byte) in .doc filenames or (2) "%0a" (carriage return) in .rtf filenames.CAN-2004-0848ACCEPTED1Microsoft Windows XPCOM Internet ServicesChristine WalzerDRAFTINTERIMACCEPTEDWindows 2000, XP, and Server 2003 does not properly "validate the use of memory regions" for COM structured storage files, which allows attackers to execute arbitrary code, aka the "COM Structured Storage Vulnerability."CAN-2005-0047ACCEPTED1Sun Solaris 7libpngBrian SobyDRAFTINTERIMACCEPTEDMultiple buffer overflows in libpng 1.2.5 and earlier allow remote attackers to execute arbitrary code via malformed PNG images in which (1) the png_handle_tRNS function does not properly validate the length of transparency chunk (tRNS) data, or the (2) png_handle_sBIT or (3) png_handle_hIST functions do not perform sufficient bounds checking.CAN-2004-0597ACCEPTED1Microsoft Windows 2000Windows Media Player 9Christine WalzerChristine WalzerChristine WalzerChristine WalzerChristine WalzerChristine WalzerChristine WalzerChristine WalzerDRAFTINTERIMACCEPTEDWindows Media Player 9 allows remote attackers to execute arbitrary code via a PNG file containing large (1) width or (2) height values, aka the "PNG Processing Vulnerability."CAN-2004-1244ACCEPTED1Microsoft Windows Server 2003Internet Explorer 6Christine WalzerINTERIMACCEPTEDThe Windows Shell application in Windows 98, Windows ME, Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code by spoofing the type of a file via a CLSID specifier in the filename, as demonstrated using Internet Explorer 6.0.2800.1106 on Windows XP.CAN-2004-0420ACCEPTED0Microsoft Windows 2000Microsoft Internet Explorer 5.01 Service Pack 3Harvey RubinovitzDRAFTINTERIMACCEPTEDInternet Explorer 5.01, 5.5, and 6 does not properly validate certain URLs in Channel Definition Format (CDF) files, which allows remote attackers to obtain sensitive information or execute arbitrary code, aka the "Channel Definition Format (CDF) Cross Domain Vulnerability."CAN-2005-0056ACCEPTED1Microsoft Windows NTNetDDEJonathan BakerDRAFTINTERIMACCEPTEDNetwork Dynamic Data Exchange (NetDDE) services for Microsoft Windows 98, Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 allows attackers to remotely execute arbitrary code or locally gain privileges via a malicious message or application that involves an "unchecked buffer," possibly a buffer overflow.CAN-2004-0206ACCEPTED1Microsoft Windows XPDirectXTiffany BergeronTiffany BergeronTiffany BergeronINTERIMACCEPTEDChristine WalzerChristine WalzerChristine WalzerINTERIMACCEPTEDIDirectPlay4 Application Programming Interface (API) of Microsoft DirectPlay 7.0a thru 9.0b, as used in Windows Server 2003 and earlier allows remote attackers to cause a denial of service (application crash) via a malformed packet.CAN-2004-0202ACCEPTED2Sun Solaris 8mozillaBrian SobyDRAFTINTERIMACCEPTEDMozilla before 1.7, Firefox before 0.9, and Thunderbird before 0.7, allow remote web sites to hijack the user interface via the "chrome" flag and XML User Interface Language (XUL) files.CAN-2004-0764ACCEPTED1Sun Solaris 7NISBrian SobyDRAFTINTERIMACCEPTEDThe getdbm procedure in ypxfrd allows local users to read arbitrary files, and remote attackers to read databases outside /var/yp, via a directory traversal and symlink attack on the domain and map arguments.CVE-2002-1199ACCEPTED1Sun Solaris 7Sun Solaris 8Sun Solaris 9Basic Security ModuleBrian SobyDRAFTUnknown vulnerability in the Basic Security Module (BSM), when configured to audit either the Administrative (ad) or the System-Wide Administration (as) audit class in Solaris 7, 8, and 9, allows local users to cause a denial of service (kernel panic).CAN-2004-0654DRAFT0Microsoft Windows XPMicrosoft Windows Server 2003Enhanced Metafile (EMF)Ingrid SkoogIngrid SkoogDRAFTINTERIMACCEPTEDUnknown vulnerability in the Graphics Rendering Engine processes of Microsoft Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code via (1) Windows Metafile (WMF) or (2) Enhanced Metafile (EMF) image formats that involve "an unchecked buffer."CAN-2004-0209ACCEPTED1Microsoft Windows XPIndexing ServiceHarvey RubinovitzDRAFTINTERIMACCEPTEDThe Indexing Service for Microsoft Windows XP and Server 2003 does not properly validate the length of a message, which allows remote attackers to execute arbitrary code via a buffer overflow attack.CAN-2004-0897ACCEPTED1Microsoft Windows Server 2003Microsoft Internet Explorer 6 Service Pack 1 for Windows Server 2003Harvey RubinovitzDRAFTINTERIMACCEPTEDHarvey RubinovitzINTERIMACCEPTEDInternet Explorer 6 on Double Byte Character Set (DBCS) systems allows remote attackers to alter displayed address bars and spoof web pages via a URL containing special characters, facilitating phishing attacks, aka the "Address Bar Spoofing on Double Byte Character Set Systems Vulnerability."CAN-2004-0844ACCEPTED2Microsoft Windows XPMicrosoft Internet Explorer 6Harvey RubinovitzDRAFTINTERIMACCEPTEDInternet Explorer 5.5 and 6 does not properly handle plug-in navigation, which allows remote attackers to alter displayed address bars and thereby spoof web pages, facilitating phishing attacks, aka the "Plug-in Navigation Address Bar Spoofing Vulnerability."CAN-2004-0843ACCEPTED1Microsoft Windows 2000Utility ManagerJonathan BakerINTERIMACCEPTEDUtility Manager in Windows 2000 launches winhlp32.exe while Utility Manager is running with raised privileges, which allows local users to gain system privileges via a "Shatter" style attack that sends a Windows message to cause Utility Manager to launch winhlp32 by directly accessing the context sensitive help and bypassing the GUI, then sending another message to winhlp32 in order to open a user-selected file, a different vulnerability than CAN-2003-0908.CAN-2004-0213ACCEPTED0Microsoft Windows NTRemote Procedure Call (RPC)Matthew BurtonDRAFTINTERIMACCEPTEDThe RPC Runtime Library for Microsoft Windows NT 4.0 allows remote attackers to read active memory or cause a denial of service (system crash) via a malicious message, possibly related to improper length values.CAN-2004-0569ACCEPTED1Microsoft Windows Server 2003DirectXTiffany BergeronTiffany BergeronTiffany BergeronINTERIMACCEPTEDIDirectPlay4 Application Programming Interface (API) of Microsoft DirectPlay 7.0a thru 9.0b, as used in Windows Server 2003 and earlier allows remote attackers to cause a denial of service (application crash) via a malformed packet.CAN-2004-0202ACCEPTED1Sun Solaris 8Kerberos5Brian SobyDRAFTINTERIMACCEPTEDThe Key Distribution Center (KDC) in Kerberos 5 (krb5) 1.2.7 and earlier allows remote, authenticated attackers to cause a denial of service (crash) on KDCs within the same realm using a certain protocol request that causes the KDC to corrupt its heap (aka "buffer underrun").CAN-2003-0082ACCEPTED1Vulnerability exists in standard Solaris kerberos and SEAM. This definition only covers Solaris kerberosMicrosoft Windows 2000Microsoft Internet Explorer 5.01 Service Pack 4Harvey RubinovitzDRAFTINTERIMACCEPTEDInternet Explorer 5.5 and 6 does not properly handle plug-in navigation, which allows remote attackers to alter displayed address bars and thereby spoof web pages, facilitating phishing attacks, aka the "Plug-in Navigation Address Bar Spoofing Vulnerability."CAN-2004-0843ACCEPTED1Sun Solaris 7BindBrian SobyDRAFTINTERIMACCEPTEDBuffer overflow in named in BIND 4 versions 4.9.10 and earlier, and 8 versions 8.3.3 and earlier, allows remote attackers to execute arbitrary code via a certain DNS server response containing SIG resource records (RR).CVE-2002-1219ACCEPTED1Microsoft Windows 2000Windows 2000Matthew BurtonDRAFTINTERIMACCEPTEDThe WINS service (wins.exe) on Microsoft Windows NT Server 4.0, Windows 2000 Server, and Windows Server 2003 allows remote attackers to write to arbitrary memory locations and possibly execute arbitrary code via a modified memory pointer in a WINS replication packet to TCP port 42CAN-2004-1080ACCEPTED1Microsoft Windows XPHyperTerminalHarvey RubinovitzDRAFTINTERIMHarvey RubinovitzACCEPTEDChristine WalzerDavid ProulxINTERIMACCEPTEDHyperTerminal application for Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 does not properly validate the length of a value that is saved in a session file, which allows remote attackers to execute arbitrary code via a malicious HyperTerminal session file (.ht), web site, or Telnet URL contained in an e-mail message, triggering a buffer overflow.CVE-2004-0568ACCEPTED2Microsoft Windows Server 2003Internet Explorer 6Harvey RubinovitzDRAFTINTERIMACCEPTEDBuffer overflow in the URL processor of Microsoft Internet Explorer 5.01, 5.5, and 6 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a URL with a long hostname, aka "URL Parsing Memory Corruption Vulnerability."CAN-2005-0554ACCEPTED1Microsoft Windows 2000Windows kernelIngrid SkoogDRAFTINTERIMChristine WalzerAndrew ButtnerACCEPTEDBuffer overflow in the font processing component of Microsoft Windows 2000, Windows XP SP1 and SP2, and Windows Server 2003 allows local users to gain privileges via a specially-designed application.CAN-2005-0060ACCEPTED1Microsoft Windows 2000MDAC 2.8Ingrid SkoogDRAFTINTERIMACCEPTEDThe License Logging service for Windows NT Server, Windows 2000 Server, and Windows Server 2003 does not properly validate the length of messages, which leads to an "unchecked buffer" and allows remote attackers to cause a denial of service (crash) and possibly execute arbtirary code, aka the "License Logging Service Vulnerability."CAN-2005-0050ACCEPTED1Microsoft Windows XPHyperlink Object LibraryAndrew ButtnerDRAFTINTERIMACCEPTED** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.CAN-2005-0057ACCEPTED1Sun Solaris 7libpngBrian SobyDRAFTINTERIMACCEPTEDThe png_handle_iCCP function in libpng 1.2.5 and earlier allows remote attackers to cause a denial of service (application crash) via a certain PNG image that triggers a null dereference.CAN-2004-0598ACCEPTED1Microsoft Windows Server 2003Windows Animated CursorChristine WalzerDRAFTINTERIMACCEPTEDThe Windows Animated Cursor (ANI) in Windows NT, Windows 2000 through SP4, Windows XP through SP1, and Windows 2003 allows remote attackers to cause a denial of service (kernel crash or resource consumption) via the (1) frame number or (2) rate number set to zeroCAN-2004-1305ACCEPTED1Sun Solaris 8Sun Solaris 9Sun ClusterBrian SobyDRAFTINTERIMACCEPTEDDouble-free vulnerability in OpenSSL 0.9.7 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via an SSL client certificate with a certain invalid ASN.1 encoding.CAN-2003-0545ACCEPTED1Sun Solaris 7kcms_serverBrian SobyDRAFTINTERIMACCEPTEDDirectory traversal vulnerability in Sun Kodak Color Management System (KCMS) library service daemon (kcms_server) allows remote attackers to read arbitrary files via the KCS_OPEN_PROFILE procedure.CVE-2003-0027ACCEPTED1Microsoft Windows XPInternet Explorer 6Harvey RubinovitzDRAFTINTERIMACCEPTEDInternet Explorer 6.x allows remote attackers to install arbitrary programs via mousedown events that call the Popup.show method and use drag-and-drop actions in a popup window, aka "HijackClick 3" and the "Script in Image Tag File Download Vulnerability."CAN-2004-0841ACCEPTED1Sun Solaris 8Sun Crypto Accelerator 4000Brian SobyDRAFTINTERIMACCEPTEDThe do_change_cipher_spec function in OpenSSL 0.9.6c to 0.9.6k, and 0.9.7a to 0.9.7c, allows remote attackers to cause a denial of service (crash) via a crafted SSL/TLS handshake that triggers a null dereference.CAN-2004-0079ACCEPTED1Microsoft Windows 98Windows ShellAndrew ButtnerDRAFTINTERIMACCEPTEDBuffer overflow in Microsoft Internet Explorer and Explorer on Windows XP SP1, WIndows 2000, Windows 98, and Windows Me may allow remote malicious servers to cause a denial of service (application crash) and possibly execute arbitrary code via long share names, as demonstrated using Samba.CAN-2004-0214ACCEPTED1Microsoft Windows Server 2003Microsoft Outlook ExpressJonathan BakerDRAFTINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDMicrosoft Outlook Express 5.5 and 6 allows attackers to cause a denial of service (application crash) via a malformed e-mail header.CAN-2004-0215ACCEPTED2Sun Solaris 7Sun Am7990 Ethernet DriverBrian SobyDRAFTMultiple ethernet Network Interface Card (NIC) device drivers do not pad frames with null bytes, which allows remote attackers to obtain information from previous packets or kernel memory by using malformed packets, as demonstrated by EtherleakCAN-2003-0001DRAFT0Microsoft Windows 2000Microsoft Office 2000 SP3Christine WalzerDRAFTINTERIMACCEPTEDIngrid SkoogINTERIMACCEPTEDBuffer overflow in the converter for Microsoft WordPerfect 5.x on Office 2000, Office XP, Office 2003, and Works Suites 2001 through 2004 allows remote attackers to execute arbitrary code via a malicious document or website.CAN-2004-0573ACCEPTED2Microsoft Windows 2000Certificate ValidationChristine WalzerChristine WalzerChristine WalzerChristine WalzerINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDThe (1) CertGetCertificateChain, (2) CertVerifyCertificateChainPolicy, and (3) WinVerifyTrust APIs within the CryptoAPI for Microsoft products including Microsoft Windows 98 through XP, Office for Mac, Internet Explorer for Mac, and Outlook Express for Mac, do not properly verify the Basic Constraints of intermediate CA-signed X.509 certificates, which allows remote attackers to spoof the certificates of trusted sites via a man-in-the-middle attack for SSL sessions, as originally reported for Internet Explorer and IIS.CAN-2002-0862ACCEPTED1Microsoft Windows 95Microsoft Windows 98Microsoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003Microsoft Excel 2000Matthew BurtonDRAFTINTERIMACCEPTEDUnknown vulnerability in Microsoft Excel 2000, 2002, 2001 for Mac, and v.X for Mac allows remote attackers to execute arbitrary code via a malicious file containing certain parameters that are not properly validated.CAN-2004-0846ACCEPTED1Microsoft Windows 2000Microsoft Internet Explorer 5.01 Service Pack 3Harvey RubinovitzDRAFTINTERIMACCEPTEDInternet Explorer 5.01, 5.5, and 6 does not properly validate buffers when handling certain DHTML methods including the createControlRange Javascript function, which allows remote attackers to execute arbitrary code, aka the "DHTML Method Heap Memory Corruption Vulnerability."CAN-2005-0055ACCEPTED1Microsoft Windows XPMicrosoft Windows Server 2003DirectXTiffany BergeronTiffany BergeronTiffany BergeronINTERIMACCEPTEDIDirectPlay4 Application Programming Interface (API) of Microsoft DirectPlay 7.0a thru 9.0b, as used in Windows Server 2003 and earlier allows remote attackers to cause a denial of service (application crash) via a malformed packet.CAN-2004-0202ACCEPTED1Microsoft Windows 2000Microsoft Windows XPMicrosoft Office 2003Ingrid SkoogIngrid SkoogDRAFTINTERIMACCEPTEDIngrid SkoogINTERIMACCEPTEDBuffer overflow in the JPEG (JPG) parsing engine in the Microsoft Graphic Device Interface Plus (GDI+) component, GDIPlus.dll, allows remote attackers to execute arbitrary code via a JPEG image with a small JPEG COM field length that is normalized to a large integer length before a memory copy operation.CAN-2004-0200ACCEPTED2Sun Solaris 9OpenSSHBrian SobyDRAFTINTERIMACCEPTEDA "buffer management error" in buffer_append_space of buffer.c for OpenSSH before 3.7 may allow remote attackers to execute arbitrary code by causing an incorrect amount of memory to be freed and corrupting the heap, a different vulnerability than CAN-2003-0695CAN-2003-0693ACCEPTED1Microsoft Windows 95Microsoft Windows 98Microsoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000MDAC 2.5Ingrid SkoogDRAFTINTERIMACCEPTEDAndrew ButtnerINTERIMACCEPTEDHeap-based buffer overflow in the Remote Data Services (RDS) component of Microsoft Data Access Components (MDAC) 2.1 through 2.6, and Internet Explorer 5.01 through 6.0, allows remote attackers to execute code via a malformed HTTP request to the Data Stub.CVE-2002-1142ACCEPTED2Microsoft Windows Server 2003Windows kernelIngrid SkoogDRAFTINTERIMChristine WalzerACCEPTEDBuffer overflow in the font processing component of Microsoft Windows 2000, Windows XP SP1 and SP2, and Windows Server 2003 allows local users to gain privileges via a specially-designed application.CAN-2005-0060ACCEPTED1Microsoft Windows NTWindows Internet Naming Service (WINS)Matthew BurtonDRAFTINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDThe WINS service (wins.exe) on Microsoft Windows NT Server 4.0, Windows 2000 Server, and Windows Server 2003 allows remote attackers to write to arbitrary memory locations and possibly execute arbitrary code via a modified memory pointer in a WINS replication packet to TCP port 42CAN-2004-1080ACCEPTED2Microsoft Windows 98Microsoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Visio Professional 2002Ingrid SkoogDRAFTINTERIMACCEPTEDBuffer overflow in Microsoft Office XP allows remote attackers to execute arbitrary code via a link with a long URL file location.CAN-2004-0848ACCEPTED1Microsoft Windows 2000Program Group ConverterAndrew ButtnerDRAFTINTERIMACCEPTEDBuffer overflow in the Windows Program Group Converter (grpconv.exe) may allow remote attackers to execute arbitrary code via a shell: URL with a long filename and a .grp extension, which is not properly handled when the shell capability launches grpconv.exe.CAN-2004-0572ACCEPTED1Sun Solaris 9CDEBrian SobyDRAFTINTERIMACCEPTEDBrian SobyBrian SobyINTERIMACCEPTEDCDE ToolTalk database server (ttdbserver) allows local users to overwrite arbitrary files via a symlink attack on the transaction log file used by the _TT_TRANSACTION RPC procedure.CVE-2002-0678ACCEPTED2Microsoft Windows 2000Microsoft Internet Explorer 5.01 Service Pack 4Harvey RubinovitzDRAFTINTERIMACCEPTED** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.CAN-2005-0555ACCEPTED1Sun Solaris 9fs.auto, xfsBrian SobyDRAFTINTERIMACCEPTEDBuffer overflow in Dispatch() routine for XFS font server (fs.auto) on Solaris 2.5.1 through 9 allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a certain XFS query.CVE-2002-1317ACCEPTED1Microsoft Windows Server 2003Microsoft Internet Explorer 6.0 for Windows Server 2003Harvey RubinovitzDRAFTINTERIMHarvey RubinovitzHarvey RubinovitzHarvey RubinovitzACCEPTEDInternet Explorer 5.01, 5.5, and 6 does not properly validate certain URLs in Channel Definition Format (CDF) files, which allows remote attackers to obtain sensitive information or execute arbitrary code, aka the "Channel Definition Format (CDF) Cross Domain Vulnerability."CAN-2005-0056ACCEPTED1Red Hat Enterprise Linux 3Linux kernelJay BealeDRAFTINTERIMACCEPTEDThe do_fork function in Linux 2.4.x before 2.4.26, and 2.6.x before 2.6.6, does not properly decrement the mm_count counter when an error occurs after the mm_struct for a child process has been activated, which triggers a memory leak that allows local users to cause a denial of service (memory exhaustion) via the clone (CLONE_VM) system call.CAN-2004-0427ACCEPTED1Microsoft Windows 2000Windows 2000Matthew BurtonDRAFTMatthew BurtonMatthew BurtonINTERIMACCEPTEDInternet Explorer 6.0 on Windows XP SP2 allows remote attackers to execute arbitrary code by using the "Related Topics" command in the Help ActiveX Control (hhctrl.ocx) to open a Help popup window containing the PCHealth tools.htm file in the local zone and injecting Javascript to be executed, as demonstrated using "writehta.txt" and the ADODB recordset, which saves a .HTA file to the local system, aka the "HTML Help ActiveX control Cross Domain Vulnerability."CAN-2004-1043ACCEPTED1Microsoft Windows 2000POSIXIngrid SkoogINTERIMACCEPTEDThe POSIX component of Microsoft Windows NT and Windows 2000 allows local users to execute arbitrary code via certain parameters, possibly by modifying message length values and causing a buffer overflow.CAN-2004-0210ACCEPTED0Microsoft Windows XPDistributed Component Object Model (DCOM) interfaceChristine WalzerDRAFTINTERIMACCEPTEDHeap-based buffer overflow in the Distributed Component Object Model (DCOM) interface in the RPCSS Service allows remote attackers to execute arbitrary code via a malformed RPC request with a long filename parameter, a different vulnerability than CAN-2003-0352 (Blaster/Nachi) and CAN-2003-0715CAN-2003-0528ACCEPTED1Microsoft Windows XPCOM Internet ServicesChristine WalzerDRAFTINTERIMACCEPTEDWindows 2000, XP, and Server 2003 does not properly "validate the use of memory regions" for COM structured storage files, which allows attackers to execute arbitrary code, aka the "COM Structured Storage Vulnerability."CAN-2005-0047ACCEPTED1Microsoft Windows XPInternet Explorer 6Christine WalzerINTERIMACCEPTEDThe Windows Shell application in Windows 98, Windows ME, Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code by spoofing the type of a file via a CLSID specifier in the filename, as demonstrated using Internet Explorer 6.0.2800.1106 on Windows XP.CAN-2004-0420ACCEPTED0Microsoft Windows 2000Microsoft Internet Explorer 5.01 Service Pack 4Harvey RubinovitzDRAFTINTERIMACCEPTEDInternet Explorer 6.0 SP1 and earlier, and possibly other versions, allows remote attackers to cause a denial of service (application crash from "memory corruption") via certain malformed Cascading Style Sheet (CSS) elements that trigger heap-based buffer overflows, as demonstrated using the "<STYLE>@;/*" string, possibly due to a missing comment terminator that may cause an invalid length to trigger a large memory copy operation, aka the "CSS Heap Memory Corruption Vulnerability."CAN-2004-0842ACCEPTED1Red Hat Enterprise Linux 3Linux kernelJay BealeDRAFTINTERIMACCEPTEDLinux kernel 2.4.2x and 2.6.x for x86 allows local users to cause a denial of service (system crash), possibly via an infinite loop that triggers a signal handler with a certain sequence of fsave and frstor instructions, as originally demonstrated using a "crash.c" program.CAN-2004-0554ACCEPTED1Microsoft Windows 2000Windows Media Player 9Christine WalzerDRAFTINTERIMACCEPTEDAndrew ButtnerINTERIMACCEPTEDThe OLE component in Windows 98, 2000, XP, and Server 2003, and Exchange Server 5.0 through 2003, does not properly validate the lengths of messages for certain OLE data, which allows remote attackers to execute arbitrary code, aka the "Input Validation Vulnerability."CAN-2005-0044ACCEPTED2Microsoft Windows 98Microsoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPAdobe Acrobat ReaderMatthew WojcikDRAFTINTERIMACCEPTEDFormat string vulnerability in Adobe Acrobat Reader 6.0.0 through 6.0.2 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via an .ETD document containing format string specifiers in (1) title or (2) baseurl fields.CAN-2004-1153ACCEPTED1iDEFENSE reports that deleting eBook.api from the plug_ins directory is a workaround. See http://www.idefense.com/application/poi/display?id=163&type=vulnerabilitiesMicrosoft Windows XPMicrosoft Internet Explorer 6Harvey RubinovitzDRAFTINTERIMHarvey RubinovitzACCEPTEDInternet Explorer 5.01, 5.5, and 6 allows remote attackers to execute arbitrary code via drag and drop events, aka the "Drag-and-Drop Vulnerability."CAN-2005-0053ACCEPTED1Microsoft Windows XPCursor and Icon FormattingChristine WalzerDRAFTINTERIMACCEPTED** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be providedCAN-2004-1049ACCEPTED1Red Hat Enterprise Linux 3Linux kernelJay BealeDRAFTINTERIMACCEPTEDMultiple unknown vulnerabilities in Linux kernel 2.4 and 2.6 allow local users to gain privileges or access kernel memory, as found by the Sparse source code checking tool.CAN-2004-0495ACCEPTED1Microsoft Windows XPDistributed Component Object Model (DCOM) interfaceChristine WalzerDRAFTINTERIMACCEPTEDHeap-based buffer overflow in the Distributed Component Object Model (DCOM) interface in the RPCSS Service allows remote attackers to execute arbitrary code via a malformed RPC request with a long filename parameter, a different vulnerability than CAN-2003-0352 (Blaster/Nachi) and CAN-2003-0715CAN-2003-0528ACCEPTED1Sun Solaris 8Sun Solaris 9.NET FrameworkBrian SobyDRAFTINTERIMACCEPTEDUnknown vulnerability in the TCP/IP stack for Sun Solaris 8 and 9 allows local users to cause a denial of service (system panic) via unknown vectors.CAN-2004-1355ACCEPTED1Sun Solaris 7SendmailBrian SobyDRAFTINTERIMACCEPTEDThe prescan function in Sendmail 8.12.9 allows remote attackers to execute arbitrary code via buffer overflow attacks, as demonstrated using the parseaddr function in parseaddr.cCAN-2003-0694ACCEPTED1Microsoft Windows 2000Microsoft Internet Explorer 5.01 Service Pack 3Harvey RubinovitzDRAFTINTERIMACCEPTEDInternet Explorer 5.01, 5.5, and 6 allows remote attackers to execute arbitrary code via drag and drop events, aka the "Drag-and-Drop Vulnerability."CAN-2005-0053ACCEPTED1Microsoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Project Professional 2002Ingrid SkoogDRAFTIngrid SkoogINTERIMACCEPTEDIngrid SkoogINTERIMACCEPTEDBuffer overflow in the JPEG (JPG) parsing engine in the Microsoft Graphic Device Interface Plus (GDI+) component, GDIPlus.dll, allows remote attackers to execute arbitrary code via a JPEG image with a small JPEG COM field length that is normalized to a large integer length before a memory copy operation.CAN-2004-0200ACCEPTED2Microsoft Windows XPJonathan BakerDRAFTINTERIMACCEPTED** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.CAN-2005-0051ACCEPTED1Microsoft Windows Server 2003Microsoft Internet Explorer 6 Service Pack 1 for Windows Server 2003Harvey RubinovitzDRAFTINTERIMHarvey RubinovitzHarvey RubinovitzHarvey RubinovitzACCEPTEDInternet Explorer 5.01, 5.5, and 6 allows remote attackers to spoof a less restrictive security zone and execute arbitrary code via an HTML page containing URLs that contain hostnames that have been double hex encoded, which are decoded twice to generate a malicious hostname, aka the "URL Decoding Zone Spoofing Vulnerability."CAN-2005-0054ACCEPTED1Microsoft Windows NTProgram Group ConverterAndrew ButtnerDRAFTINTERIMACCEPTEDBuffer overflow in the Windows Program Group Converter (grpconv.exe) may allow remote attackers to execute arbitrary code via a shell: URL with a long filename and a .grp extension, which is not properly handled when the shell capability launches grpconv.exe.CAN-2004-0572ACCEPTED1Sun Solaris 7CDEBrian SobyDRAFTINTERIMACCEPTEDBuffer overflow in the AddSuLog function of the CDE dtaction utility allows local users to gain root privileges via a long user name.CVE-1999-0691ACCEPTED1Microsoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Visio Professional 2002Ingrid SkoogDRAFTIngrid SkoogINTERIMACCEPTEDIngrid SkoogINTERIMACCEPTEDBuffer overflow in the JPEG (JPG) parsing engine in the Microsoft Graphic Device Interface Plus (GDI+) component, GDIPlus.dll, allows remote attackers to execute arbitrary code via a JPEG image with a small JPEG COM field length that is normalized to a large integer length before a memory copy operation.CAN-2004-0200ACCEPTED2Microsoft Windows XPExplorer.exeIngrid SkoogIngrid SkoogINTERIMACCEPTEDBuffer overflow in EXPLORER.EXE on Windows XP allows attackers to execute arbitrary code as the XP user via a desktop.ini file with a long .ShellClassInfo parameter.CAN-2003-0306ACCEPTED0Microsoft Windows NTCursor and Icon FormattingChristine WalzerDRAFTINTERIMACCEPTED** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be providedCAN-2004-1049ACCEPTED1Microsoft Windows Server 2003Internet Explorer 6Harvey RubinovitzDRAFTINTERIMACCEPTEDRace condition in the memory management routines in the DHTML object processor in Microsoft Internet Explorer 5.01, 5.5, and 6 allows remote attackers to execute arbitrary code via a malicious web page or HTML e-mail, aka "DHTML Object Memory Corruption Vulnerability".CAN-2005-0553ACCEPTED1Microsoft Windows 2000NetDDEJonathan BakerDRAFTINTERIMACCEPTEDNetwork Dynamic Data Exchange (NetDDE) services for Microsoft Windows 98, Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 allows attackers to remotely execute arbitrary code or locally gain privileges via a malicious message or application that involves an "unchecked buffer," possibly a buffer overflow.CAN-2004-0206ACCEPTED1Sun Solaris 8mozillaBrian SobyDRAFTINTERIMACCEPTEDMozilla 1.5 through 1.7 allows a CA certificate to be imported even when their DN is the same as that of the built-in CA root certificate, which allows remote attackers to cause a denial of service to SSL pages because the malicious certificate is treated as invalid.CAN-2004-0758ACCEPTED1Microsoft Windows Server 2003Microsoft Internet Explorer 6.0 for Windows Server 2003Harvey RubinovitzDRAFTINTERIMHarvey RubinovitzHarvey RubinovitzHarvey RubinovitzACCEPTEDInternet Explorer 5.01, 5.5, and 6 does not properly validate buffers when handling certain DHTML methods including the createControlRange Javascript function, which allows remote attackers to execute arbitrary code, aka the "DHTML Method Heap Memory Corruption Vulnerability."CAN-2005-0055ACCEPTED1Microsoft Windows Server 2003HyperTerminalHarvey RubinovitzDRAFTHarvey RubinovitzHarvey RubinovitzINTERIMACCEPTEDHyperTerminal application for Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 does not properly validate the length of a value that is saved in a session file, which allows remote attackers to execute arbitrary code via a malicious HyperTerminal session file (.ht), web site, or Telnet URL contained in an e-mail message, triggering a buffer overflow. CVE-2004-0568ACCEPTED1Microsoft Windows 2000Windows kernelChristine WalzerChristine WalzerINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDBuffer overflow in Windows Kernel allows local users to gain privileges by causing certain error messages to be passed to a debugger.CAN-2003-0112ACCEPTED1Microsoft Windows XPMicrosoft Internet Explorer 6Harvey RubinovitzDRAFTINTERIMACCEPTED** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.CAN-2005-0555ACCEPTED1Microsoft Windows XPVDMIngrid SkoogDRAFTINTERIMACCEPTEDThe Virtual DOS Machine (VDM) subsystem of Microsoft Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 allows local users to access kernel memory and gain privileges via a malicious program that modified some system structures in a way that is not properly validated by privileged operating system functions.CAN-2004-0208ACCEPTED1Microsoft Windows NTHTML Help FacilityAndrew ButtnerINTERIMACCEPTEDHarvey RubinovitzINTERIMACCEPTEDHeap-based buffer overflow in the HtmlHelp program (hh.exe) in HTML Help for Microsoft Windows 98, Me, NT 4.0, 2000, XP, and Server 2003 allows remote attackers to execute arbitrary commands via a .CHM file with a large length field, a different vulnerability than CAN-2003-1041.CAN-2004-0201ACCEPTED1Microsoft Windows XPMicrosoft Internet Explorer 6Harvey RubinovitzDRAFTINTERIMHarvey RubinovitzACCEPTEDInternet Explorer 5.01, 5.5, and 6 allows remote attackers to spoof a less restrictive security zone and execute arbitrary code via an HTML page containing URLs that contain hostnames that have been double hex encoded, which are decoded twice to generate a malicious hostname, aka the "URL Decoding Zone Spoofing Vulnerability."CAN-2005-0054ACCEPTED1Microsoft Windows Server 2003Hyperlink Object LibraryChristine WalzerDRAFTINTERIMACCEPTED** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.CAN-2005-0057ACCEPTED1Microsoft Windows 2000Windows Animated CursorChristine WalzerDRAFTINTERIMACCEPTEDAndrew ButtnerINTERIMACCEPTEDThe Windows Animated Cursor (ANI) in Windows NT, Windows 2000 through SP4, Windows XP through SP1, and Windows 2003 allows remote attackers to cause a denial of service (kernel crash or resource consumption) via the (1) frame number or (2) rate number set to zeroCAN-2004-1305ACCEPTED2Microsoft Windows Server 2003Cursor and Icon FormattingChristine WalzerDRAFTINTERIMACCEPTED** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be providedCAN-2004-1049ACCEPTED1Microsoft Windows XPNetDDEJonathan BakerDRAFTINTERIMACCEPTEDNetwork Dynamic Data Exchange (NetDDE) services for Microsoft Windows 98, Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 allows attackers to remotely execute arbitrary code or locally gain privileges via a malicious message or application that involves an "unchecked buffer," possibly a buffer overflow.CAN-2004-0206ACCEPTED1Sun Solaris 8mozillaBrian SobyDRAFTINTERIMACCEPTEDHeap-based buffer overflow in the SendUidl in the POP3 capability for Mozilla before 1.7, Firefox before 0.9, and Thunderbird before 0.7, may allow remote POP3 mail servers to execute arbitrary code.CAN-2004-0757ACCEPTED1Microsoft Windows NTMicrosoft Word for Windows 6.0 ConverterChristine WalzerDRAFTINTERIMACCEPTED** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be providedCAN-2004-0901ACCEPTED1Microsoft Windows XPMicrosoft Office 2003Christine WalzerDRAFTINTERIMACCEPTEDIngrid SkoogINTERIMACCEPTEDIngrid SkoogINTERIMACCEPTEDBuffer overflow in the converter for Microsoft WordPerfect 5.x on Office 2000, Office XP, Office 2003, and Works Suites 2001 through 2004 allows remote attackers to execute arbitrary code via a malicious document or website.CAN-2004-0573ACCEPTED3Microsoft Windows XPLocal Security Authority Subsystem Service (LSASS)Ingrid SkoogDRAFTINTERIMACCEPTEDLSASS (Local Security Authority Subsystem Service) of Windows 2000 Server and Windows Server 2003 does not properly validate connection information, which allows local users to gain privileges via a specially-designed programCAN-2004-0894ACCEPTED1Microsoft Windows 2000Microsoft Windows XPMicrosoft Internet Explorer 6 Service Pack 1Harvey RubinovitzDRAFTINTERIMACCEPTEDInternet Explorer 5.01, 5.5, and 6 does not properly validate certain URLs in Channel Definition Format (CDF) files, which allows remote attackers to obtain sensitive information or execute arbitrary code, aka the "Channel Definition Format (CDF) Cross Domain Vulnerability."CAN-2005-0056ACCEPTED1Microsoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Visio Professional 2003Ingrid SkoogDRAFTIngrid SkoogINTERIMACCEPTEDIngrid SkoogINTERIMACCEPTEDBuffer overflow in the JPEG (JPG) parsing engine in the Microsoft Graphic Device Interface Plus (GDI+) component, GDIPlus.dll, allows remote attackers to execute arbitrary code via a JPEG image with a small JPEG COM field length that is normalized to a large integer length before a memory copy operation.CAN-2004-0200ACCEPTED2Sun Solaris 9Kerberos5Brian SobyDRAFTBrian SobyINTERIMACCEPTEDDouble-free vulnerability in the krb5_rd_cred function for MIT Kerberos 5 (krb5) 1.3.1 and earlier may allow local users to execute arbitrary code.CAN-2004-0643ACCEPTED1Microsoft Windows XPLocal Security Authority Subsystem Service (LSASS)Christine WalzerDRAFTINTERIMACCEPTEDLSASS (Local Security Authority Subsystem Service) of Windows 2000 Server and Windows Server 2003 does not properly validate connection information, which allows local users to gain privileges via a specially-designed programCAN-2004-0894ACCEPTED1Microsoft Windows XPMicrosoft Office XP SP3Christine WalzerDRAFTINTERIMACCEPTEDIngrid SkoogINTERIMACCEPTEDBuffer overflow in the converter for Microsoft WordPerfect 5.x on Office 2000, Office XP, Office 2003, and Works Suites 2001 through 2004 allows remote attackers to execute arbitrary code via a malicious document or website.CAN-2004-0573ACCEPTED2Microsoft Windows NTCursor and Icon FormattingChristine WalzerDRAFTINTERIMACCEPTED** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be providedCAN-2004-1049ACCEPTED1Microsoft Windows Server 2003Microsoft Internet Explorer 6 Service Pack 1 for Windows Server 2003Harvey RubinovitzDRAFTINTERIMACCEPTEDHarvey RubinovitzINTERIMACCEPTEDInternet Explorer 6.1 SP1 and earlier, and possibly other versions, allows remote attackers to cause a denial of service (application crash from "memory corruption") via certain malformed Cascading Style Sheet (CSS) elements that trigger heap-based buffer overflows, as demonstrated using the "<STYLE>@;/*" string, possibly due to a missing comment terminator that may cause an invalid length to trigger a large memory copy operation, aka the "CSS Heap Memory Corruption Vulnerability."CAN-2004-0842ACCEPTED2Microsoft Windows XPMicrosoft Outlook ExpressJonathan BakerDRAFTINTERIMChristine WalzerACCEPTEDMicrosoft Outlook Express 5.5 and 6 allows attackers to cause a denial of service (application crash) via a malformed e-mail header.CAN-2004-0215ACCEPTED1Microsoft Windows 2000Internet Explorer 6Christine WalzerDRAFTINTERIMACCEPTEDThe Windows Shell application in Windows 98, Windows ME, Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code by spoofing the type of a file via a CLSID specifier in the filename, as demonstrated using Internet Explorer 6.0.2800.1106 on Windows XP.CAN-2004-0420ACCEPTED1Microsoft Windows XPSMB (Server Message Block)Ingrid SkoogINTERIMACCEPTEDBuffer overflow in the SMB capability for Microsoft Windows XP, 2000, and NT allows remote attackers to cause a denial of service and possibly execute arbitrary code via an SMB packet that specifies a smaller buffer length than is required.CAN-2003-0345ACCEPTED0Sun Solaris 7Sun Solaris 8Sun Solaris 9Licence Logging ServiceBrian SobyDRAFTINTERIMACCEPTEDBuffer overflow in the ping daemon of Sun Solaris 7 through 9 may allow local users to execute arbitrary code.CAN-2004-1352ACCEPTED1Microsoft Windows 2000Microsoft Word for Windows 6.0 ConverterChristine WalzerDRAFTINTERIMACCEPTEDAndrew ButtnerINTERIMACCEPTEDMicrosoft Word for Windows 6.0 Converter does not properly validate certain data lengths, which allows remote attackers to execute arbitrary code via a .wri, .rtf, and .doc file sent by email or malicious web site, aka CAN-2004-0571ACCEPTED2Microsoft Windows 2000Task SchedulerTiffany BergeronINTERIMACCEPTEDStack-based buffer overflow in the Task Scheduler for Windows 2000 and XP, and Internet Explorer 6 on Windows NT 4.0, allows local or remote attackers to execute arbitrary code via a .job file containing long parameters, as demonstrated using Internet Explorer and accessing a .job file on an anonymous share.CAN-2004-0212ACCEPTED0Microsoft Windows XPWindows ShellHarvey RubinovitzDRAFTINTERIMACCEPTEDThe document processing application used by the Windows Shell in Microsoft Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code by modifying the CLSID stored in a a file so that it is processed by HTML Application Host (MSHTA), as demonstrated using a Microsoft Word document.CAN-2005-0063ACCEPTED1Microsoft Windows 2000Windows 2000Matthew BurtonDRAFTINTERIMACCEPTEDMultiple TCP/IP and ICMP implementations allow remote attackers to cause a denial of service (reset TCP connections) via spoofed ICMP error messages, aka the "blind connection-reset attack." NOTE: CAN-2004-0790, CAN-2004-0791, and CAN-2004-1060 have been SPLIT based on different attacks; CAN-2005-0065, CAN-2005-0066, CAN-2005-0067, and CAN-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities.CAN-2004-0790ACCEPTED1Microsoft Windows Server 2003SMTPChristine WalzerDRAFTINTERIMACCEPTEDThe SMTP (Simple Mail Transfer Protocol) component of Microsoft Windows XP 64-bit Edition, Windows Server 2003, Windows Server 2003 64-bit Edition, and the Exchange Routing Engine component of Exchange Server 2003, allows remote attackers to execute arbitrary code via a malicious DNS response message containing length values that are not properly validated.CAN-2004-0840ACCEPTED1Microsoft Windows XPInternet Explorer 6.0Jonathan BakerDRAFTINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDThe DHTML Edit Control (dhtmled.ocx) in Internet Explorer 6.0.2900.2180 allows remote attackers to inject arbitrary web script into other domains by setting a name for a window, opening a child page whose target is the window with the given name, then injecting the script from the parent into the child using execScript, as demonstrated by "AbusiveParent."CAN-2004-1319ACCEPTED2Sun Solaris 9Solaris Volume Manager (SVM)Brian SobyDRAFTINTERIMACCEPTEDACCEPTED1Microsoft Windows XPNetBT Name ServiceIngrid SkoogIngrid SkoogIngrid SkoogINTERIMACCEPTEDThe NetBT Name Service (NBNS) for NetBIOS in Windows NT 4.0, 2000, XP, and Server 2003 may include random memory in a response to a NBNS query, which could allow remote attackers to obtain sensitive information.CAN-2003-0661ACCEPTED0Microsoft Windows NTHTML Help ActiveX ControlMatthew BurtonDRAFTINTERIMACCEPTEDInternet Explorer 6.0 on Windows XP SP2 allows remote attackers to execute arbitrary code by using the "Related Topics" command in the Help ActiveX Control (hhctrl.ocx) to open a Help popup window containing the PCHealth tools.htm file in the local zone and injecting Javascript to be executed, as demonstrated using "writehta.txt" and the ADODB recordset, which saves a .HTA file to the local system, aka the "HTML Help ActiveX control Cross Domain Vulnerability."CAN-2004-1043ACCEPTED1Sun Solaris 9.NET FrameworkBrian SobyDRAFTINTERIMACCEPTEDThe Secure Shell (SSH) Daemon (SSHD) in Sun Solaris 9 does not properly log IP addresses when SSHD is configured with the ListenAddress as 0.0.0.0, which makes it easier for remote attackers to hide the source of their activities.CAN-2004-1357ACCEPTED1Microsoft Windows Server 2003HTML Help FacilityAndrew ButtnerINTERIMACCEPTEDInternet Explorer 5.x and 6.0 allows remote attackers to execute arbitrary programs via a modified directory traversal attack using a URL containing ".." (dot dot) sequences and a filename that ends in "::" which is treated as a .chm file even if it does not have a .chm extension. NOTE: this bug may overlap CAN-2004-0475.CAN-2003-1041ACCEPTED0Microsoft Windows XPInternet Explorer 6Christine WalzerINTERIMACCEPTEDThe Windows Shell application in Windows 98, Windows ME, Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code by spoofing the type of a file via a CLSID specifier in the filename, as demonstrated using Internet Explorer 6.0.2800.1106 on Windows XP.CAN-2004-0420ACCEPTED0Microsoft Windows XPClient Server Runtime System (CSRSS)Ingrid SkoogDRAFTINTERIMChristine WalzerACCEPTEDThe Client Server Runtime System (CSRSS) process of Microsoft Windows 2000, Windows XP SP1 and SP2, and Windows Server 2003 allows local users to gain privileges via a specially-designed application.CAN-2005-0551ACCEPTED1Microsoft Windows XPMicrosoft Windows Server 2003MDAC 2.7Matthew BurtonDRAFTINTERIMACCEPTEDThe Microsoft .NET forms authentication capability for ASP.NET allows remote attackers to bypass authentication for .aspx files in restricted directories via a request containing a (1) "\" (backslash) or (2) "%5C" (encoded backslash), aka "Path Validation Vulnerability."CAN-2004-0847ACCEPTED1Sun Solaris 9Basic Security ModuleBrian SobyDRAFTINTERIMACCEPTEDThe patches (1) 114332-08 and (2) 114929-06 for Sun Solaris 9 disable the auditing functionality of the Basic Security Module (BSM), which allows attackers to avoid having their activity logged.CAN-2004-1358ACCEPTED1Microsoft Windows Server 2003OLEChristine WalzerChristine WalzerDRAFTINTERIMACCEPTEDThe OLE component in Windows 98, 2000, XP, and Server 2003, and Exchange Server 5.0 through 2003, does not properly validate the lengths of messages for certain OLE data, which allows remote attackers to execute arbitrary code, aka the "Input Validation Vulnerability."CAN-2005-0044ACCEPTED1Microsoft Windows 95Microsoft Windows 98Microsoft Windows NTMDAC 2.1Ingrid SkoogDRAFTINTERIMACCEPTEDAndrew ButtnerINTERIMACCEPTEDHeap-based buffer overflow in the Remote Data Services (RDS) component of Microsoft Data Access Components (MDAC) 2.1 through 2.6, and Internet Explorer 5.01 through 6.0, allows remote attackers to execute code via a malformed HTTP request to the Data Stub.CVE-2002-1142ACCEPTED2Microsoft Windows NTDHCPIngrid SkoogDRAFTINTERIMACCEPTEDThe DHCP Server service for Microsoft Windows NT 4.0 Server and Terminal Server Edition does not properly validate the length of certain messages, which allows remote attackers to execute arbitrary code via a malformed DHCP message, aka the "DHCP Request Vulnerability."CAN-2004-0900ACCEPTED1Microsoft Windows Server 2003MDAC 2.8Ingrid SkoogDRAFTINTERIMACCEPTEDIngrid SkoogINTERIMACCEPTEDThe License Logging service for Windows NT Server, Windows 2000 Server, and Windows Server 2003 does not properly validate the length of messages, which leads to an "unchecked buffer" and allows remote attackers to cause a denial of service (crash) and possibly execute arbtirary code, aka the "License Logging Service Vulnerability."CAN-2005-0050ACCEPTED2Microsoft Windows 2000Windows ExplorerIngrid SkoogDRAFTAndrew ButtnerINTERIMThe Web View DLL (webvw.dll), as used in Windows Explorer on Windows 2000 systems, does not properly filter an apostrophe ("'") in the author name in a document, which allows attackers to execute arbitrary script via extra attributes when Web View constructs a mailto: link for the preview pane when the user selects the file.CAN-2005-1191INTERIM0Microsoft Windows 2000Microsoft Windows XPInternet Explorer 6 SP1Harvey RubinovitzDRAFTINTERIMACCEPTEDInternet Explorer 5.01, 5.5, and 6 allows remote attackers to spoof a less restrictive security zone and execute arbitrary code via an HTML page containing URLs that contain hostnames that have been double hex encoded, which are decoded twice to generate a malicious hostname, aka the "URL Decoding Zone Spoofing Vulnerability."CAN-2005-0054ACCEPTED1Sun Solaris 7Solaris Runtime LinkerBrian SobyDRAFTINTERIMACCEPTEDStack-based buffer overflow in the runtime linker, ld.so.1, on Solaris 2.6 through 9 allows local users to gain root privileges via a long LD_PRELOAD environment variableCAN-2003-0609ACCEPTED1Sun Solaris 8mozillaBrian SobyDRAFTINTERIMACCEPTEDMozilla before 1.7, Firefox before 0.9, and Thunderbird before 0.7, allow remote attackers to use certain redirect sequences to spoof the security lock icon that makes a web page appear to be encrypted.CAN-2004-0761ACCEPTED1Microsoft Windows NTInternet Explorer 6Christine WalzerDRAFTINTERIMACCEPTEDThe Windows Shell application in Windows 98, Windows ME, Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code by spoofing the type of a file via a CLSID specifier in the filename, as demonstrated using Internet Explorer 6.0.2800.1106 on Windows XP.CAN-2004-0420ACCEPTED1Sun Solaris 7Sun Solaris 8Sun Solaris 9SendmailBrian SobyDRAFTA "potential buffer overflow in ruleset parsing" for Sendmail 8.12.9, when using the nonstandard rulesets (1) recipient (2), final, or (3) mailer-specific envelope recipients, has unknown consequences.CAN-2003-0681DRAFT0Sun Solaris 7Sun Solaris 8Sun Solaris 9priocntl()Brian SobyDRAFTINTERIMACCEPTEDDirectory traversal vulnerability in priocntl system call in Solaris does allows local users to execute arbitrary code via ".." sequences in the pc_clname field of a pcinfo_t structure, which cause priocntl to load a malicious kernel module.CVE-2002-1296ACCEPTED1Red Hat Enterprise Linux 3libpngJay BealeDRAFTINTERIMACCEPTEDPortable Network Graphics (PNG) library libpng 1.2.5 and earlier does not correctly calculate offsets, which allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a buffer overflow attack on the row buffers.CVE-2002-1363ACCEPTED1Microsoft Windows Server 2003Windows Internet Naming Service (WINS)Matthew BurtonDRAFTINTERIMACCEPTEDThe WINS service (wins.exe) on Microsoft Windows NT Server 4.0, Windows 2000 Server, and Windows Server 2003 allows remote attackers to write to arbitrary memory locations and possibly execute arbitrary code via a modified memory pointer in a WINS replication packet to TCP port 42CAN-2004-1080ACCEPTED1Microsoft Windows XPHelp and Support Center (HSC)Christine WalzerDRAFTINTERIMACCEPTEDStack-based buffer overflow in the PCHealth system in the Help and Support Center function in Windows XP and Windows Server 2003 allows remote attackers to execute arbitrary code via a long query in an HCP URLCAN-2003-0711ACCEPTED1Microsoft Windows Server 2003Microsoft Word for Windows 6.0 ConverterChristine WalzerDRAFTINTERIMACCEPTEDMicrosoft Word for Windows 6.0 Converter does not properly validate certain data lengths, which allows remote attackers to execute arbitrary code via a .wri, .rtf, and .doc file sent by email or malicious web site, aka "Table Conversion Vulnerability," a different vulnerability than CAN-2004-0901CAN-2004-0571ACCEPTED1Microsoft Windows 2000Microsoft Windows XPMicrosoft Internet Explorer 6 Service Pack 1Harvey RubinovitzDRAFTINTERIMACCEPTEDRace condition in the memory management routines in the DHTML object processor in Microsoft Internet Explorer 5.01, 5.5, and 6 allows remote attackers to execute arbitrary code via a malicious web page or HTML e-mail, aka "DHTML Object Memory Corruption Vulnerability".CAN-2005-0553ACCEPTED1Microsoft Windows MEProgram Group ConverterAndrew ButtnerDRAFTINTERIMACCEPTEDBuffer overflow in the Windows Program Group Converter (grpconv.exe) may allow remote attackers to execute arbitrary code via a shell: URL with a long filename and a .grp extension, which is not properly handled when the shell capability launches grpconv.exe.CAN-2004-0572ACCEPTED1Microsoft Windows MEInternet Explorer 5.5 Service Pack 2Harvey RubinovitzDRAFTINTERIMACCEPTEDInternet Explorer in Windows XP SP2, and other versions including 5.01 and 5.5, allows remote attackers to install arbitrary programs via a web page that uses certain styles and the AnchorClick behavior, popup windows, and drag-and-drop capabilities to drop the program in the local startup folder, as demonstrated by "wottapoop.html"CAN-2004-0839ACCEPTED1Sun Solaris 8Sun Solaris 9ApacheBrian SobyDRAFTINTERIMACCEPTEDMultiple stack-based buffer overflows in (1) mod_alias and (2) mod_rewrite for Apache before 1.3.29 allow attackers to create configuration files to cause a denial of service (crash) or execute arbitrary code via a regular expression with more than 9 captures.CAN-2003-0542ACCEPTED1Microsoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Project Professional 2003Ingrid SkoogDRAFTIngrid SkoogINTERIMACCEPTEDIngrid SkoogINTERIMACCEPTEDBuffer overflow in the JPEG (JPG) parsing engine in the Microsoft Graphic Device Interface Plus (GDI+) component, GDIPlus.dll, allows remote attackers to execute arbitrary code via a JPEG image with a small JPEG COM field length that is normalized to a large integer length before a memory copy operation.CAN-2004-0200ACCEPTED2Microsoft Windows XPMicrosoft Internet Explorer 6Harvey RubinovitzDRAFTINTERIMACCEPTEDBuffer overflow in the URL processor of Microsoft Internet Explorer 5.01, 5.5, and 6 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a URL with a long hostname, aka "URL Parsing Memory Corruption Vulnerability."CAN-2005-0554ACCEPTED1Microsoft Windows XPWindows ShellAndrew ButtnerDRAFTINTERIMACCEPTEDBuffer overflow in the Windows Program Group Converter (grpconv.exe) may allow remote attackers to execute arbitrary code via a shell: URL with a long filename and a .grp extension, which is not properly handled when the shell capability launches grpconv.exe.CAN-2004-0572ACCEPTED1Microsoft Windows 2000Windows 2000Matthew BurtonDRAFTINTERIMACCEPTEDMicrosoft Windows XP SP2 and earlier, 2000 SP3 and SP4, Server 2003, and older operating systems allows remote attackers to cause a denial of service and possibly execute arbitrary code via crafted IP packets with malformed options, aka the "IP Validation Vulnerability."CAN-2005-0048ACCEPTED1Sun Solaris 7Sun Solaris 8sendfilev()Brian SobyDRAFTINTERIMACCEPTEDBuffer overflow in ntpd ntp daemon 4.0.99k and earlier (aka xntpd and xntp3) allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a long readvar argument.CVE-2001-0414ACCEPTED1Microsoft Windows 2000Internet Explorer 6.0Jonathan BakerDRAFTINTERIMACCEPTEDChristine WalzerINTERIMAndrew ButtnerACCEPTEDThe DHTML Edit Control (dhtmled.ocx) in Internet Explorer 6.0.2900.2180 allows remote attackers to inject arbitrary web script into other domains by setting a name for a window, opening a child page whose target is the window with the given name, then injecting the script from the parent into the child using execScript, as demonstrated by "AbusiveParent."CAN-2004-1319ACCEPTED2Microsoft Windows Server 2003Microsoft Internet Explorer 6 Service Pack 1 for Windows Server 2003Harvey RubinovitzDRAFTINTERIMACCEPTEDHarvey RubinovitzINTERIMACCEPTEDInternet Explorer 5.01, 5.5, and 6 does not properly cache SSL content, which allows remote attackers to obtain information or spoof content via a web site with the same host name as the target web site, whose content is cached and reused when the user visits the target web site.CAN-2004-0845ACCEPTED2Microsoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Office XP SP2Ingrid SkoogDRAFTINTERIMACCEPTEDIngrid SkoogINTERIMACCEPTEDBuffer overflow in the JPEG (JPG) parsing engine in the Microsoft Graphic Device Interface Plus (GDI+) component, GDIPlus.dll, allows remote attackers to execute arbitrary code via a JPEG image with a small JPEG COM field length that is normalized to a large integer length before a memory copy operation.CAN-2004-0200ACCEPTED2Microsoft Windows XPMicrosoft Word for Windows 6.0 ConverterChristine WalzerDRAFTINTERIMACCEPTEDMicrosoft Word for Windows 6.0 Converter does not properly validate certain data lengths, which allows remote attackers to execute arbitrary code via a .wri, .rtf, and .doc file sent by email or malicious web site, aka "Font Conversion Vulnerability," a different vulnerability than CAN-2004-0571.CAN-2004-0901ACCEPTED1Microsoft Windows XPWindows Help and Support CenterChristine WalzerDRAFTINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDStack-based buffer overflow in the PCHealth system in the Help and Support Center function in Windows XP and Windows Server 2003 allows remote attackers to execute arbitrary code via a long query in an HCP URLCAN-2003-0711ACCEPTED2Microsoft Windows 2000Microsoft Internet Explorer 5.01 Service Pack 4Harvey RubinovitzDRAFTINTERIMACCEPTEDInternet Explorer 5.01, 5.5, and 6 does not properly validate buffers when handling certain DHTML methods including the createControlRange Javascript function, which allows remote attackers to execute arbitrary code, aka the "DHTML Method Heap Memory Corruption Vulnerability."CAN-2005-0055ACCEPTED1Microsoft Windows Server 2003Compressed FoldersDavid ProulxDRAFTINTERIMACCEPTEDJonathan BakerINTERIMACCEPTEDMatthew WojcikINTERIMACCEPTEDInteger overflow in DUNZIP32.DLL for Microsoft Windows XP, Windows XP 64-bit Edition, Windows Server 2003, and Windows Server 2003 64-bit Edition allows remote attackers to execute arbitrary code via compressed (zipped) folders that involve an "unchecked buffer" and improper length validationCAN-2004-0575ACCEPTED3Microsoft Windows 2000Microsoft Windows XPMicrosoft Internet Explorer 6 Service Pack 1Harvey RubinovitzDRAFTINTERIMACCEPTED** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.CAN-2005-0555ACCEPTED1Microsoft Windows XPWindows kernelIngrid SkoogDRAFTINTERIMChristine WalzerACCEPTEDBuffer overflow in the font processing component of Microsoft Windows 2000, Windows XP SP1 and SP2, and Windows Server 2003 allows local users to gain privileges via a specially-designed application.CAN-2005-0060ACCEPTED1Microsoft Windows 2000Microsoft Internet Explorer 5.01 Service Pack 3Harvey RubinovitzDRAFTINTERIMACCEPTEDInternet Explorer 5.5 and 6 does not properly handle plug-in navigation, which allows remote attackers to alter displayed address bars and thereby spoof web pages, facilitating phishing attacks, aka the "Plug-in Navigation Address Bar Spoofing Vulnerability."CAN-2004-0843ACCEPTED1Microsoft Windows NTVDMIngrid SkoogDRAFTINTERIMACCEPTEDThe Virtual DOS Machine (VDM) subsystem of Microsoft Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 allows local users to access kernel memory and gain privileges via a malicious program that modified some system structures in a way that is not properly validated by privileged operating system functions.CAN-2004-0208ACCEPTED1Microsoft Windows NTWindows Animated CursorChristine WalzerDRAFTINTERIMACCEPTEDThe Windows Animated Cursor (ANI) in Windows NT, Windows 2000 through SP4, Windows XP through SP1, and Windows 2003 allows remote attackers to cause a denial of service (kernel crash or resource consumption) via the (1) frame number or (2) rate number set to zeroCAN-2004-1305ACCEPTED1Sun Solaris 8BindBrian SobyDRAFTINTERIMACCEPTEDUnknown vulnerability in in.named on Solaris 8 allows remote attackers to cause a denial of service (process crash).CAN-2004-1348ACCEPTED1Microsoft Windows Server 2003Distributed Component Object Model (DCOM) interfaceChristine WalzerDRAFTINTERIMACCEPTEDHeap-based buffer overflow in the Distributed Component Object Model (DCOM) interface in the RPCSS Service allows remote attackers to execute arbitrary code via a malformed RPC request with a long filename parameter, a different vulnerability than CAN-2003-0352 (Blaster/Nachi) and CAN-2003-0715CAN-2003-0528ACCEPTED1Microsoft Windows NTHyperTerminalHarvey RubinovitzDRAFTINTERIMHarvey RubinovitzACCEPTEDHyperTerminal application for Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 does not properly validate the length of a value that is saved in a session file, which allows remote attackers to execute arbitrary code via a malicious HyperTerminal session file (.ht), web site, or Telnet URL contained in an e-mail message, triggering a buffer overflow.CVE-2004-0568ACCEPTED1Sun Solaris 8mozillaBrian SobyDRAFTINTERIMACCEPTEDMozilla Firefox 0.9.1 and 0.9.2 allows remote web sites to spoof certificates of trusted web sites via redirects and Javascript that uses the "onunload" method.CAN-2004-0763ACCEPTED1Microsoft Windows XPWindows kernelIngrid SkoogDRAFTINTERIMChristine WalzerACCEPTEDThe kernel of Microsoft Windows 2000, Windows XP SP1 and SP2, and Windows Server 2003 allows local users to gain privileges via certain access requests.CAN-2005-0061ACCEPTED1Microsoft Windows XPGDI+Ingrid SkoogDRAFTINTERIMACCEPTEDBuffer overflow in the JPEG (JPG) parsing engine in the Microsoft Graphic Device Interface Plus (GDI+) component, GDIPlus.dll, allows remote attackers to execute arbitrary code via a JPEG image with a small JPEG COM field length that is normalized to a large integer length before a memory copy operation.CAN-2004-0200ACCEPTED1Microsoft Windows XPMicrosoft Office XP SP2Ingrid SkoogDRAFTINTERIMACCEPTEDIngrid SkoogINTERIMACCEPTEDBuffer overflow in the converter for Microsoft WordPerfect 5.x on Office 2000, Office XP, Office 2003, and Works Suites 2001 through 2004 allows remote attackers to execute arbitrary code via a malicious document or website.CAN-2004-0573ACCEPTED2Microsoft Windows NTWindows kernelChristine WalzerDRAFTINTERIMACCEPTEDThe Local Procedure Call (LPC) interface of the Windows Kernel for Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 does not properly validate the lengths of messages sent to the LPC port, which allows local users to gain privileges, aka "Windows Kernel Vulnerability.CAN-2004-0893ACCEPTED1Microsoft Windows 98Microsoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003Microsoft Office XP SP3Ingrid SkoogIngrid SkoogIngrid SkoogDRAFTINTERIMACCEPTEDBuffer overflow in Microsoft Office XP allows remote attackers to execute arbitrary code via a link with a URL file location containing long inputs after (1) "%00 (null byte) in .doc filenames or (2) "%0a" (carriage return) in .rtf filenames.CAN-2004-0848ACCEPTED1Sun Solaris 8Sun Solaris 9DtMailBrian SobyDRAFTINTERIMACCEPTEDFormat string vulnerability in CDE Mailer (dtmail) on Solaris 8 and 9 allows local users to gain privileges via format strings in the argv[0] value.CAN-2004-0800ACCEPTED1Microsoft Windows 2000Microsoft Windows Server 2003Microsoft Exchange Server 2003Christine WalzerDRAFTINTERIMACCEPTEDHeap-based buffer overflow in the SMTP service of Exchange Server 2000 and 2003 allows remote attackers to execute arbitrary code via a crafted extended verb request to the SMTP port.CAN-2005-0560ACCEPTED1Microsoft Windows 2000SMB (Server Message Block)Christine WalzerDRAFTINTERIMACCEPTEDAndrew ButtnerINTERIMACCEPTEDThe Server Message Block (SMB) implementation for Windows 2000, XP, and Server 2003 does not properly validate certain SMB packets, which allows remote attackers to execute arbitrary code using certain broadcast packets, aka the "Server Message Block Vulnerability."CAN-2005-0045ACCEPTED2Sun Solaris 7bash, tcsh, cash, sh, kshBrian SobyDRAFTINTERIMACCEPTEDMultiple shell programs on various Unix systems, including (1) tcsh, (2) csh, (3) sh, and (4) bash, follow symlinks when processing << redirects (aka here-documents or in-here documents), which allows local users to overwrite files of other users via a symlink attack.CAN-2000-1134ACCEPTED1Microsoft Windows Server 2003Microsoft Word for Windows 6.0 ConverterChristine WalzerDRAFTINTERIMACCEPTEDIngrid SkoogINTERIMACCEPTEDMicrosoft Word for Windows 6.0 Converter does not properly validate certain data lengths, which allows remote attackers to execute arbitrary code via a .wri, .rtf, and .doc file sent by email or malicious web site, aka "Font Conversion Vulnerability," a different vulnerability than CAN-2004-0571.CAN-2004-0901ACCEPTED2Microsoft Windows XPMicrosoft Internet Explorer 6Harvey RubinovitzDRAFTINTERIMHarvey RubinovitzACCEPTEDInternet Explorer 5.01, 5.5, and 6 does not properly validate certain URLs in Channel Definition Format (CDF) files, which allows remote attackers to obtain sensitive information or execute arbitrary code, aka the "Channel Definition Format (CDF) Cross Domain Vulnerability."CAN-2005-0056ACCEPTED1Sun Solaris 7lpstat, libprintBrian SobyDRAFTINTERIMACCEPTEDUnknown multiple vulnerabilities in (1) lpstat and (2) the libprint library in Solaris 2.6 through 9 may allow attackers to execute arbitrary code or read or write arbitrary files.CAN-2003-0999ACCEPTED1Sun Solaris 8Sun Solaris 9ApacheBrian SobyBrian SobyBrian SobyDRAFTINTERIMACCEPTEDApache does not filter terminal escape sequences from its error logs, which could make it easier for attackers to insert those sequences into terminal emulators containing vulnerabilities related to escape sequences.CVE-2003-0020ACCEPTED1Microsoft Windows 2000Microsoft Internet Explorer 5.01 Service Pack 4Harvey RubinovitzDRAFTINTERIMACCEPTEDInternet Explorer in Windows XP SP2, and other versions including 5.01 and 5.5, allows remote attackers to install arbitrary programs via a web page that uses certain styles and the AnchorClick behavior, popup windows, and drag-and-drop capabilities to drop the program in the local startup folder, as demonstrated by "wottapoop.html".CAN-2004-0839ACCEPTED1Microsoft Windows XPInternet Explorer 6Harvey RubinovitzDRAFTINTERIMACCEPTEDInternet Explorer 6.1 SP1 and earlier, and possibly other versions, allows remote attackers to cause a denial of service (application crash from "memory corruption") via certain malformed Cascading Style Sheet (CSS) elements that trigger heap-based buffer overflows, as demonstrated using the "<STYLE>@;/*" string, possibly due to a missing comment terminator that may cause an invalid length to trigger a large memory copy operation, aka the "CSS Heap Memory Corruption Vulnerability."CAN-2004-0842ACCEPTED1Sun Solaris 7BindBrian SobyDRAFTINTERIMACCEPTEDBuffer overflow in the DNS resolver code used in libc, glibc, and libbind, as derived from ISC BIND, allows remote malicious DNS servers to cause a denial of service and possibly execute arbitrary code via the stub resolvers.CVE-2002-0651ACCEPTED1Microsoft Windows 2000Internet Explorer 6 SP1Ingrid SkoogDRAFTINTERIMACCEPTEDBuffer overflow in the JPEG (JPG) parsing engine in the Microsoft Graphic Device Interface Plus (GDI+) component, GDIPlus.dll, allows remote attackers to execute arbitrary code via a JPEG image with a small JPEG COM field length that is normalized to a large integer length before a memory copy operation.CAN-2004-0200ACCEPTED1Microsoft Windows XPDistributed Component Object Model (DCOM) interfaceChristine WalzerDRAFTINTERIMACCEPTEDHeap-based buffer overflow in the Distributed Component Object Model (DCOM) interface in the RPCSS Service allows remote attackers to execute arbitrary code via a malformed DCERPC DCOM object activation request packet with modified length fields, a different vulnerability than CAN-2003-0352 (Blaster/Nachi) and CAN-2003-0528CAN-2003-0715ACCEPTED1Microsoft Windows 95Microsoft Windows 98Microsoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003Microsoft Excel 2002Matthew BurtonDRAFTUnknown vulnerability in Microsoft Excel 2000, 2002, 2001 for Mac, and v.X for Mac allows remote attackers to execute arbitrary code via a malicious file containing certain parameters that are not properly validated.CAN-2004-0846DRAFT0Microsoft Windows Server 2003Program Group ConverterAndrew ButtnerDRAFTINTERIMACCEPTEDBuffer overflow in the Windows Program Group Converter (grpconv.exe) may allow remote attackers to execute arbitrary code via a shell: URL with a long filename and a .grp extension, which is not properly handled when the shell capability launches grpconv.exe.CAN-2004-0572ACCEPTED1Sun Solaris 8Sun Solaris 9Sun ClusterBrian SobyDRAFTINTERIMACCEPTEDInteger overflow in OpenSSL 0.9.6 and 0.9.7 allows remote attackers to cause a denial of service (crash) via an SSL client certificate with certain ASN.1 tag values.CAN-2003-0543ACCEPTED1Microsoft Windows 2000ISA Server 2000Christine WalzerDRAFTINTERIMACCEPTEDMicrosoft Proxy Server 2.0 and Microsoft ISA Server 2000 (which is included in Small Business Server 2000 and Small Business Server 2003 Premium Edition) allows remote attackers to spoof trusted Internet content on a specially crafted webpage via spoofed reverse DNS lookup resulCAN-2004-0892ACCEPTED1Microsoft Windows Server 2003Compressed FoldersDavid ProulxDRAFTINTERIMACCEPTEDJonathan BakerINTERIMACCEPTEDMatthew WojcikINTERIMACCEPTEDInteger overflow in DUNZIP32.DLL for Microsoft Windows XP, Windows XP 64-bit Edition, Windows Server 2003, and Windows Server 2003 64-bit Edition allows remote attackers to execute arbitrary code via compressed (zipped) folders that involve an "unchecked buffer" and improper length validationCAN-2004-0575ACCEPTED3Microsoft Windows NTDHCPIngrid SkoogDRAFTINTERIMACCEPTEDThe DHCP Server service for Microsoft Windows NT 4.0 Server and Terminal Server Edition, with DHCP logging enabled, does not properly validate the length of certain messages, which allows remote attackers to cause a denial of service (application crash) via a malformed DHCP message, aka "Logging Vulnerability."CAN-2004-0899ACCEPTED1Microsoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Visual Studio .NET 2002Ingrid SkoogDRAFTINTERIMACCEPTEDBuffer overflow in the JPEG (JPG) parsing engine in the Microsoft Graphic Device Interface Plus (GDI+) component, GDIPlus.dll, allows remote attackers to execute arbitrary code via a JPEG image with a small JPEG COM field length that is normalized to a large integer length before a memory copy operation.CAN-2004-0200ACCEPTED1Microsoft Windows 2000VDMIngrid SkoogDRAFTINTERIMACCEPTEDThe Virtual DOS Machine (VDM) subsystem of Microsoft Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 allows local users to access kernel memory and gain privileges via a malicious program that modified some system structures in a way that is not properly validated by privileged operating system functions.CAN-2004-0208ACCEPTED1Microsoft Windows NTMicrosoft Word for Windows 6.0 ConverterChristine WalzerDRAFTINTERIMACCEPTEDMicrosoft Word for Windows 6.0 Converter does not properly validate certain data lengths, which allows remote attackers to execute arbitrary code via a .wri, .rtf, and .doc file sent by email or malicious web site, aka "Table Conversion Vulnerability," a different vulnerability than CAN-2004-0901CAN-2004-0571ACCEPTED1Sun Solaris 7Sun Solaris 8Sun Solaris 9cachefsdBrian SobyDRAFTINTERIMACCEPTEDcachefsd in Solaris 2.6, 7, and 8 allows remote attackers to cause a denial of service (crash) via an invalid procedure call in an RPC request.CAN-2002-0085ACCEPTED1Microsoft Windows 2000Windows ShellAndrew ButtnerDRAFTINTERIMACCEPTEDBuffer overflow in Microsoft Internet Explorer and Explorer on Windows XP SP1, WIndows 2000, Windows 98, and Windows Me may allow remote malicious servers to cause a denial of service (application crash) and possibly execute arbitrary code via long share names, as demonstrated using Samba.CAN-2004-0214ACCEPTED1Microsoft Windows 2000Microsoft Internet Explorer 5.01 Service Pack 3Harvey RubinovitzDRAFTINTERIMACCEPTEDInternet Explorer 6.x allows remote attackers to install arbitrary programs via mousedown events that call the Popup.show method and use drag-and-drop actions in a popup window, aka "HijackClick 3" and the "Script in Image Tag File Download Vulnerability."CAN-2004-0841ACCEPTED1Microsoft Windows XPLocal Security Authority Subsystem Service (LSASS)Christine WalzerDRAFTINTERIMACCEPTEDLSASS (Local Security Authority Subsystem Service) of Windows 2000 Server and Windows Server 2003 does not properly validate connection information, which allows local users to gain privileges via a specially-designed programCAN-2004-0894ACCEPTED1Microsoft Windows NTWindows Internet Naming Service (WINS)Matthew BurtonDRAFTINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDThe WINS service (wins.exe) on Microsoft Windows NT Server 4.0, Windows 2000 Server, and Windows Server 2003 allows remote attackers to write to arbitrary memory locations and possibly execute arbitrary code via a modified memory pointer in a WINS replication packet to TCP port 42.CAN-2004-1080ACCEPTED2Sun Solaris 7CDEBrian SobyDRAFTINTERIMACCEPTEDBuffer overflow in TT_SESSION environment variable in ToolTalk shared library allows local users to gain root privileges.CVE-1999-0693ACCEPTED1Sun Solaris 7lpstatBrian SobyDRAFTINTERIMACCEPTEDStack-based buffer overflow in the bsd_queue() function for lpq on Solaris 2.6 and 7 allows local users to gain root privilege.CAN-2003-0091ACCEPTED1Microsoft Windows XPMessage QueuingIngrid SkoogDRAFTINTERIMACCEPTEDBuffer overflow in the Message Queuing component of Microsoft Windows 2000 and Windows XP SP1 allows remote attackers to execute arbitrary code via a crafted message.CAN-2005-0059ACCEPTED1Microsoft Windows Server 2003Network News Transport Protocol (NNTP)Christine WalzerDRAFTINTERIMACCEPTEDThe Network News Transfer Protocol (NNTP) component of Microsoft Windows NT Server 4.0, Windows 2000 Server, Windows Server 2003, Exchange 2000 Server, and Exchange Server 2003 allows remote attackers to execute arbitrary code via XPAT patterns, possibly related to improper length validation and an "unchecked buffer," leading to off-by-one and heap-based buffer overflows.CAN-2004-0574ACCEPTED1Microsoft Windows XPWindows kernelIngrid SkoogDRAFTINTERIMChristine WalzerACCEPTEDBuffer overflow in Microsoft Windows 2000, Windows XP SP1 and SP2, and Windows Server 2003 allows local users to cause a denial of service (i.e., system crash) via a malformed request, aka "Object Management Vulnerability".CAN-2005-0550ACCEPTED1Sun Solaris 8mozillaBrian SobyDRAFTINTERIMACCEPTEDMozilla before 1.7, Firefox before 0.9, and Thunderbird before 0.7, allow remote web sites to install arbitrary extensions by using interactive events to manipulate the XPInstall Security dialog box.CAN-2004-0762ACCEPTED1Sun Solaris 8Sun Solaris 9ApacheBrian SobyBrian SobyBrian SobyDRAFTINTERIMACCEPTEDmod_digest for Apache does not properly verify the nonce of a client response by using a AuthNonce secret.CAN-2003-0987ACCEPTED1Sun Solaris 7Solaris Enterprise Authentication Mechanism (SEAM)Brian SobyDRAFTINTERIMACCEPTEDThe Key Distribution Center (KDC) in Kerberos 5 (krb5) 1.2.7 and earlier allows remote, authenticated attackers to cause a denial of service (crash) on KDCs within the same realm using a certain protocol request that causes the KDC to corrupt its heap (aka "buffer underrun").CAN-2003-0082ACCEPTED1Vulnerability exists in standard Solaris kerberos and SEAM. This definition only covers SEAMMicrosoft Windows Server 2003Windows kernelChristine WalzerDRAFTINTERIMACCEPTEDThe Local Procedure Call (LPC) interface of the Windows Kernel for Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 does not properly validate the lengths of messages sent to the LPC port, which allows local users to gain privileges, aka "Windows Kernel Vulnerability.CAN-2004-0893ACCEPTED1Microsoft Windows 98Microsoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPAdobe Acrobat ReaderMatthew WojcikDRAFTINTERIMACCEPTEDMultiple buffer overflows in libpng 1.2.5 and earlier, as used in multiple products, allow remote attackers to execute arbitrary code via malformed PNG images in which (1) the png_handle_tRNS function does not properly validate the length of transparency chunk (tRNS) data, or the (2) png_handle_sBIT or (3) png_handle_hIST functions do not perform sufficient bounds checking.CAN-2004-0597ACCEPTED1Microsoft Windows Server 2003Program Group ConverterAndrew ButtnerDRAFTINTERIMACCEPTEDBuffer overflow in the Windows Program Group Converter (grpconv.exe) may allow remote attackers to execute arbitrary code via a shell: URL with a long filename and a .grp extension, which is not properly handled when the shell capability launches grpconv.exe.CAN-2004-0572ACCEPTED1Microsoft Windows XPunknownChristine WalzerDRAFTINTERIMACCEPTEDThe OLE component in Windows 98, 2000, XP, and Server 2003, and Exchange Server 5.0 through 2003, does not properly validate the lengths of messages for certain OLE data, which allows remote attackers to execute arbitrary code, aka the "Input Validation Vulnerability."CAN-2005-0044ACCEPTED1Microsoft Windows NTHyperTerminalHarvey RubinovitzDRAFTINTERIMHarvey RubinovitzACCEPTEDHyperTerminal application for Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 does not properly validate the length of a value that is saved in a session file, which allows remote attackers to execute arbitrary code via a malicious HyperTerminal session file (.ht), web site, or Telnet URL contained in an e-mail message, triggering a buffer overflow.CVE-2004-0568ACCEPTED1Sun Solaris 7Sun Solaris 8Sun Solaris 9.NET FrameworkBrian SobyDRAFTINTERIMACCEPTEDUnknown vulnerability in Solaris 2.6 through 9 causes a denial of service (system panic) via "a rare race condition" or an attack by local users.CAN-2003-0669ACCEPTED1Sun Solaris 8Sun Solaris 9Sun ClusterBrian SobyDRAFTINTERIMACCEPTEDOpenSSL 0.9.6 and 0.9.7 does not properly track the number of characters in certain ASN.1 inputs, which allows remote attackers to cause a denial of service (crash) via an SSL client certificate that causes OpenSSL to read past the end of a buffer when the long form is used.CAN-2003-0544ACCEPTED1Microsoft Windows NTMicrosoft Word for Windows 6.0 ConverterChristine WalzerDRAFTINTERIMACCEPTEDMicrosoft Word for Windows 6.0 Converter does not properly validate certain data lengths, which allows remote attackers to execute arbitrary code via a .wri, .rtf, and .doc file sent by email or malicious web site, aka "Font Conversion Vulnerability," a different vulnerability than CAN-2004-0571.CAN-2004-0901ACCEPTED1Microsoft Windows Server 2003NetDDEJonathan BakerDRAFTINTERIMACCEPTEDNetwork Dynamic Data Exchange (NetDDE) services for Microsoft Windows 98, Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 allows attackers to remotely execute arbitrary code or locally gain privileges via a malicious message or application that involves an "unchecked buffer," possibly a buffer overflow.CAN-2004-0206ACCEPTED1Microsoft Windows 2000Windows kernelIngrid SkoogDRAFTINTERIMChristine WalzerAndrew ButtnerACCEPTEDThe kernel of Microsoft Windows 2000, Windows XP SP1 and SP2, and Windows Server 2003 allows local users to gain privileges via certain access requests.CAN-2005-0061ACCEPTED1Sun Solaris 8mozillaBrian SobyDRAFTINTERIMACCEPTEDInteger overflow in the SOAPParameter object constructor in (1) Netscape version 7.0 and 7.1 and (2) Mozilla 1.6, and possibly earlier versions, allows remote attackers to execute arbitrary code.CAN-2004-0722ACCEPTED1Sun Solaris 9Kerberos5Brian SobyDRAFTINTERIMACCEPTEDDouble-free vulnerabilities in error handling code in krb524d for MIT Kerberos 5 (krb5) 1.2.8 and earlier may allow remote attackers to execute arbitrary code.CAN-2004-0772ACCEPTED1Sun Solaris 8Sun Solaris 9ApacheBrian SobyBrian SobyBrian SobyDRAFTINTERIMACCEPTEDmod_access in Apache 1.3 before 1.3.30, when running big-endian 64-bit platforms, does not properly parse Allow/Deny rules using IP addresses without a netmask, which could allow remote attackers to bypass intended access restrictions.CVE-2003-0993ACCEPTED1Microsoft Windows 2000Cursor and Icon FormattingChristine WalzerDRAFTINTERIMACCEPTEDAndrew ButtnerINTERIMACCEPTED** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be providedCAN-2004-1049ACCEPTED2Microsoft Windows Server 2003Internet Explorer 6.0Harvey RubinovitzDRAFTINTERIMACCEPTED** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.CAN-2005-0555ACCEPTED1Microsoft Windows 2000Microsoft Internet Explorer 5.01 Service Pack 4Harvey RubinovitzDRAFTINTERIMACCEPTEDMicrosoft Internet Explorer 6.0.2800.1106 on Microsoft Windows XP SP2, and other versions including 5.01 and 5.5, allows remote web servers to bypass zone restrictions and execute arbitrary code in the local computer zone by redirecting a function to another function with the same name, as demonstrated by SimilarMethodNameRedir, aka the "Similar Method Name Redirection Cross Domain Vulnerability."CAN-2004-0727ACCEPTED1Microsoft Windows Server 2003Help and Support Center (HSC)Christine WalzerDRAFTINTERIMACCEPTEDStack-based buffer overflow in the PCHealth system in the Help and Support Center function in Windows XP and Windows Server 2003 allows remote attackers to execute arbitrary code via a long query in an HCP URLCAN-2003-0711ACCEPTED1Microsoft Windows 2000Windows ShellHarvey RubinovitzDRAFTINTERIMAndrew ButtnerACCEPTEDThe document processing application used by the Windows Shell in Microsoft Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code by modifying the CLSID stored in a a file so that it is processed by HTML Application Host (MSHTA), as demonstrated using a Microsoft Word document.CAN-2005-0063ACCEPTED1Microsoft Windows Server 2003Windows MessengerMatthew BurtonDRAFTINTERIMACCEPTEDInternet Explorer 5.01, 5.5, and 6 allows remote attackers to execute arbitrary code via drag and drop events, aka the "Drag-and-Drop Vulnerability."CAN-2005-0053ACCEPTED1Sun Solaris 7Sun RPCBrian SobyDRAFTINTERIMACCEPTEDInteger overflow in xdr_array function in RPC servers for operating systems that use libc, glibc, or other code based on SunRPC including dietlibc, allows remote attackers to execute arbitrary code by passing a large number of arguments to xdr_array through RPC services such as rpc.cmsd and dmispd.CVE-2002-0391ACCEPTED1Specific applications using this library are not tested for because Suns advisory only provides a sample of known vulnerable applications and states that they are still investigating.Microsoft Windows 2000HyperTerminalHarvey RubinovitzDRAFTINTERIMHarvey RubinovitzACCEPTEDHyperTerminal application for Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 does not properly validate the length of a value that is saved in a session file, which allows remote attackers to execute arbitrary code via a malicious HyperTerminal session file (.ht), web site, or Telnet URL contained in an e-mail message, triggering a buffer overflow.CVE-2004-0568ACCEPTED1Microsoft Windows XPMicrosoft Word for Windows 6.0 ConverterChristine WalzerDRAFTINTERIMACCEPTEDMicrosoft Word for Windows 6.0 Converter does not properly validate certain data lengths, which allows remote attackers to execute arbitrary code via a .wri, .rtf, and .doc file sent by email or malicious web site, aka "Font Conversion Vulnerability," a different vulnerability than CAN-2004-0571CAN-2004-0901ACCEPTED1Sun Solaris 8mozillaBrian SobyDRAFTINTERIMACCEPTEDThe (1) Mozilla 1.6, (2) Firebird 0.7, (3) Firefox 0.8, and (4) Netscape 7.1 web browsers do not properly prevent a frame in one domain from injecting content into a frame that belongs to another domain, which facilitates web site spoofing and other attacks, aka the frame injection vulnerability.CAN-2004-0718ACCEPTED1Microsoft Windows Server 2003Internet Explorer 6.0Jonathan BakerDRAFTINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDThe DHTML Edit Control (dhtmled.ocx) in Internet Explorer 6.0.2900.2180 allows remote attackers to inject arbitrary web script into other domains by setting a name for a window, opening a child page whose target is the window with the given name, then injecting the script from the parent into the child using execScript, as demonstrated by "AbusiveParent."CAN-2004-1319ACCEPTED2Microsoft Windows NTVDMIngrid SkoogDRAFTINTERIMACCEPTEDThe Virtual DOS Machine (VDM) subsystem of Microsoft Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 allows local users to access kernel memory and gain privileges via a malicious program that modified some system structures in a way that is not properly validated by privileged operating system functions.CAN-2004-0208ACCEPTED1Microsoft Windows Server 2003IIS 6.0Jonathan BakerDRAFTINTERIMACCEPTEDThe WebDAV Message Handler for Internet Information Services (IIS) 5.0, 5.1, and 6.0 allows remote attackers to cause a denial of service (memory and CPU exhaustion, application crash) via a PROPFIND request with an XML message containing XML elements with a large number of attributes.CAN-2003-0718ACCEPTED1Microsoft Windows NTMDAC 2.8Ingrid SkoogDRAFTINTERIMACCEPTEDThe License Logging service for Windows NT Server, Windows 2000 Server, and Windows Server 2003 does not properly validate the length of messages, which leads to an "unchecked buffer" and allows remote attackers to cause a denial of service (crash) and possibly execute arbtirary code, aka the "License Logging Service Vulnerability."CAN-2005-0050ACCEPTED1Microsoft Windows 2000Windows 2000Matthew BurtonDRAFTINTERIMACCEPTEDTCP, when using a large Window Size, makes it easier for remote attackers to guess sequence numbers and cause a denial of service (connection loss) to persistent TCP connections by repeatedly injecting a TCP RST packet, especially in protocols that use long-lived connections, such as BGP.CAN-2004-0230ACCEPTED1Microsoft Windows XPWindows kernelIngrid SkoogDRAFTINTERIMChristine WalzerACCEPTEDBuffer overflow in the font processing component of Microsoft Windows 2000, Windows XP SP1 and SP2, and Windows Server 2003 allows local users to gain privileges via a specially-designed application.CAN-2005-0060ACCEPTED1Microsoft Windows NTWindows NT 4.0Matthew BurtonDRAFTINTERIMACCEPTEDThe WINS service (wins.exe) on Microsoft Windows NT Server 4.0, Windows 2000 Server, and Windows Server 2003 allows remote attackers to write to arbitrary memory locations and possibly execute arbitrary code via a modified memory pointer in a WINS replication packet to TCP port 42CAN-2004-1080ACCEPTED1Microsoft Windows 2000Windows kernelIngrid SkoogDRAFTINTERIMChristine WalzerAndrew ButtnerACCEPTEDBuffer overflow in Microsoft Windows 2000, Windows XP SP1 and SP2, and Windows Server 2003 allows local users to cause a denial of service (i.e., system crash) via a malformed request, aka "Object Management Vulnerability".CAN-2005-0550ACCEPTED1Sun Solaris 8Sun Solaris 9.NET FrameworkBrian SobyDRAFTINTERIMACCEPTEDUnknown vulnerability in LDAP on Sun Solaris 8 and 9, when using Role Based Access Control (RBAC), allows local users to execute certain commands with additional privileges.CAN-2004-1353ACCEPTED1Microsoft Windows NTDHCPIngrid SkoogDRAFTINTERIMACCEPTEDThe DHCP Server service for Microsoft Windows NT 4.0 Server and Terminal Server Edition does not properly validate the length of certain messages, which allows remote attackers to execute arbitrary code via a malformed DHCP message, aka the "DHCP Request Vulnerability.CAN-2004-0900ACCEPTED1Microsoft Windows NTProxy Server 2.0 SP1Christine WalzerDRAFTINTERIMChristine WalzerIngrid SkoogACCEPTEDMicrosoft Proxy Server 2.0 and Microsoft ISA Server 2000 (which is included in Small Business Server 2000 and Small Business Server 2003 Premium Edition) allows remote attackers to spoof trusted Internet content on a specially crafted webpage via spoofed reverse DNS lookup results.CAN-2004-0892ACCEPTED1Sun Solaris 8Sun Solaris 9ApacheBrian SobyBrian SobyBrian SobyDRAFTINTERIMACCEPTEDHeap-based buffer overflow in proxy_util.c for mod_proxy in Apache 1.3.25 to 1.3.31 allows remote attackers to cause a denial of service (process crash) and possibly execute arbitrary code via a negative Content-Length HTTP header field, which causes a large amount of data to be copied.CAN-2004-0492ACCEPTED1Microsoft Windows 2000Microsoft Internet Explorer 5.01 Service Pack 4Harvey RubinovitzDRAFTINTERIMACCEPTEDInternet Explorer 5.01, 5.5, and 6 allows remote attackers to execute arbitrary code via drag and drop events, aka the "Drag-and-Drop Vulnerability."CAN-2005-0053ACCEPTED1Microsoft Windows 2000Microsoft Internet Explorer 5.01 Service Pack 3Harvey RubinovitzDRAFTINTERIMACCEPTEDRace condition in the memory management routines in the DHTML object processor in Microsoft Internet Explorer 5.01, 5.5, and 6 allows remote attackers to execute arbitrary code via a malicious web page or HTML e-mail, aka "DHTML Object Memory Corruption Vulnerability".CAN-2005-0553ACCEPTED1Microsoft Windows XPMicrosoft Windows Server 2003Windows kernelIngrid SkoogIngrid SkoogDRAFTINTERIMACCEPTEDThe kernel for Microsoft Windows Server 2003 does not reset certain values in CPU data structures, which allows local users to cause a denial of service (system crash) via a malicious program.CAN-2004-0211ACCEPTED1Microsoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003MSN MessengerChristine WalzerDRAFTINTERIMACCEPTEDGIF file validation error in MSN Messenger 6.2 allows remote attackers in a user's contact list to execute arbitrary code via a GIF image with an improper height and width.CAN-2005-0562ACCEPTED1Sun Solaris 9Kerberos5Brian SobyDRAFTBrian SobyINTERIMACCEPTEDDouble-free vulnerabilities in the error handling code for ASN.1 decoders in the (1) Key Distribution Center (KDC) library and (2) client library for MIT Kerberos 5 (krb5) 1.3.4 and earlier may allow remote attackers to execute arbitrary code.CAN-2004-0642ACCEPTED1Microsoft Windows 2000Microsoft Internet Explorer 5.01 Service Pack 4Harvey RubinovitzDRAFTINTERIMACCEPTEDInternet Explorer 5.01, 5.5, and 6 does not properly validate certain URLs in Channel Definition Format (CDF) files, which allows remote attackers to obtain sensitive information or execute arbitrary code, aka the "Channel Definition Format (CDF) Cross Domain Vulnerability."CAN-2005-0056ACCEPTED1Microsoft Windows 2000Microsoft Internet Explorer 5.01 Service Pack 4Harvey RubinovitzDRAFTINTERIMACCEPTEDRace condition in the memory management routines in the DHTML object processor in Microsoft Internet Explorer 5.01, 5.5, and 6 allows remote attackers to execute arbitrary code via a malicious web page or HTML e-mail, aka "DHTML Object Memory Corruption Vulnerability".CAN-2005-0553ACCEPTED1Microsoft Windows XPMicrosoft Windows Server 2003MDAC 2.7Matthew BurtonDRAFTINTERIMACCEPTEDThe Microsoft .NET forms authentication capability for ASP.NET allows remote attackers to bypass authentication for .aspx files in restricted directories via a request containing a (1) "\" (backslash) or (2) "%5C" (encoded backslash), aka "Path Validation Vulnerability."CAN-2004-0847ACCEPTED1Microsoft Windows 2000Message QueuingIngrid SkoogDRAFTINTERIMChristine WalzerAndrew ButtnerACCEPTEDBuffer overflow in the Message Queuing component of Microsoft Windows 2000 and Windows XP SP1 allows remote attackers to execute arbitrary code via a crafted message.CAN-2005-0059ACCEPTED1Microsoft Windows Server 2003Network News Transport Protocol (NNTP)Christine WalzerDRAFTINTERIMACCEPTEDBuffer overflow in the converter for Microsoft WordPerfect 5.x on Office 2000, Office XP, Office 2003, and Works Suites 2001 through 2004 allows remote attackers to execute arbitrary code via a malicious document or website.CAN-2004-0573ACCEPTED1Microsoft Windows NTNetwork News Transport Protocol (NNTP)Christine WalzerDRAFTINTERIMACCEPTEDThe Network News Transfer Protocol (NNTP) component of Microsoft Windows NT Server 4.0, Windows 2000 Server, Windows Server 2003, Exchange 2000 Server, and Exchange Server 2003 allows remote attackers to execute arbitrary code via XPAT patterns, possibly related to improper length validation and an "unchecked buffer," leading to off-by-one and heap-based buffer overflows.CAN-2004-0574ACCEPTED1Microsoft Windows XPNetDDEJonathan BakerDRAFTINTERIMACCEPTEDNetwork Dynamic Data Exchange (NetDDE) services for Microsoft Windows 98, Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 allows attackers to remotely execute arbitrary code or locally gain privileges via a malicious message or application that involves an "unchecked buffer," possibly a buffer overflow.CAN-2004-0206ACCEPTED1Sun Solaris 7Sun Solaris 8Sun Solaris 9CDEBrian SobyDRAFTINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDBuffer overflow in CDE libDtHelp library allows local users to execute arbitrary code via (1) a modified DTHELPUSERSEARCHPATH environment and the Help feature, (2) DTSEARCHPATH, or (3) LOGNAME.CAN-2003-0834ACCEPTED2Microsoft Windows 2000Microsoft Internet Explorer 5.01 Service Pack 4Harvey RubinovitzDRAFTINTERIMACCEPTEDInternet Explorer 5.01, 5.5, and 6 does not properly cache SSL content, which allows remote attackers to obtain information or spoof content via a web site with the same host name as the target web site, whose content is cached and reused when the user visits the target web siteCAN-2004-0845ACCEPTED1Microsoft Windows NTRemote Procedure Call (RPC)Matthew BurtonDRAFTINTERIMACCEPTED** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.CAN-2003-0569ACCEPTED1Microsoft Windows XPWindows ShellAndrew ButtnerDRAFTINTERIMACCEPTEDBuffer overflow in Microsoft Internet Explorer and Explorer on Windows XP SP1, WIndows 2000, Windows 98, and Windows Me may allow remote malicious servers to cause a denial of service (application crash) and possibly execute arbitrary code via long share names, as demonstrated using Samba.CAN-2004-0214ACCEPTED1Microsoft Windows Server 2003Microsoft Internet Explorer 6 Service Pack 1 for Windows Server 2003Harvey RubinovitzDRAFTINTERIMACCEPTEDHarvey RubinovitzINTERIMACCEPTEDBuffer overflow in the Install Engine (inseng.dll) for Internet Explorer 5.01, 5.5, and 6 allows remote attackers to execute arbitrary code via a malicious website or HTML email.CAN-2004-0216ACCEPTED2Microsoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPInternet Explorer 6 SP1Harvey RubinovitzDRAFTINTERIMACCEPTEDBuffer overflow in the Install Engine (inseng.dll) for Internet Explorer 5.01, 5.5, and 6 allows remote attackers to execute arbitrary code via a malicious website or HTML email.CAN-2004-0216ACCEPTED1Microsoft Windows Server 2003SMTPChristine WalzerDRAFTINTERIMACCEPTEDThe SMTP (Simple Mail Transfer Protocol) component of Microsoft Windows XP 64-bit Edition, Windows Server 2003, Windows Server 2003 64-bit Edition, and the Exchange Routing Engine component of Exchange Server 2003, allows remote attackers to execute arbitrary code via a malicious DNS response message containing length values that are not properly validated.CAN-2004-0840ACCEPTED1Microsoft Windows MEInternet Explorer 5.5 Service Pack 2Harvey RubinovitzDRAFTINTERIMACCEPTEDInternet Explorer 5.01, 5.5, and 6 does not properly cache SSL content, which allows remote attackers to obtain information or spoof content via a web site with the same host name as the target web site, whose content is cached and reused when the user visits the target web siteCAN-2004-0845ACCEPTED1Microsoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000Internet Explorer 5.5 Service Pack 2Harvey RubinovitzDRAFTINTERIMACCEPTEDInternet Explorer 6.1 SP1 and earlier, and possibly other versions, allows remote attackers to cause a denial of service (application crash from "memory corruption") via certain malformed Cascading Style Sheet (CSS) elements that trigger heap-based buffer overflows, as demonstrated using the "<STYLE>@;/*" string, possibly due to a missing comment terminator that may cause an invalid length to trigger a large memory copy operation, aka the "CSS Heap Memory Corruption Vulnerability."CAN-2004-0842ACCEPTED1Microsoft Windows Server 2003Microsoft Internet Explorer 6 Service Pack 1 for Windows Server 2003Harvey RubinovitzDRAFTINTERIMACCEPTEDHarvey RubinovitzINTERIMACCEPTEDInternet Explorer 6.x allows remote attackers to install arbitrary programs via mousedown events that call the Popup.show method and use drag-and-drop actions in a popup window, aka "HijackClick 3" and the "Script in Image Tag File Download Vulnerability."CAN-2004-0841ACCEPTED2Microsoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPInternet Explorer 6 SP1Harvey RubinovitzDRAFTINTERIMACCEPTEDInternet Explorer 5.01, 5.5, and 6 does not properly cache SSL content, which allows remote attackers to obtain information or spoof content via a web site with the same host name as the target web site, whose content is cached and reused when the user visits the target web site.CAN-2004-0845ACCEPTED1Microsoft Windows 2000Network News Transport Protocol (NNTP)Christine WalzerDRAFTINTERIMACCEPTEDThe Network News Transfer Protocol (NNTP) component of Microsoft Windows NT Server 4.0, Windows 2000 Server, Windows Server 2003, Exchange 2000 Server, and Exchange Server 2003 allows remote attackers to execute arbitrary code via XPAT patterns, possibly related to improper length validation and an "unchecked buffer," leading to off-by-one and heap-based buffer overflows.CAN-2004-0574ACCEPTED1Microsoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000Internet Explorer 5.5 Service Pack 2Harvey RubinovitzDRAFTINTERIMACCEPTEDInternet Explorer 6.x allows remote attackers to install arbitrary programs via mousedown events that call the Popup.show method and use drag-and-drop actions in a popup window, aka "HijackClick 3" and the "Script in Image Tag File Download Vulnerability."CAN-2004-0841ACCEPTED1Microsoft Windows 2000Microsoft Internet Explorer 5.01 Service Pack 4Harvey RubinovitzDRAFTINTERIMACCEPTEDInternet Explorer 6.x allows remote attackers to install arbitrary programs via mousedown events that call the Popup.show method and use drag-and-drop actions in a popup window, aka "HijackClick 3" and the "Script in Image Tag File Download Vulnerability."CAN-2004-0841ACCEPTED1Microsoft Windows MEInternet Explorer 5.5 Service Pack 2Harvey RubinovitzDRAFTINTERIMACCEPTEDBuffer overflow in the Install Engine (inseng.dll) for Internet Explorer 5.01, 5.5, and 6 allows remote attackers to execute arbitrary code via a malicious website or HTML emailCAN-2004-0216ACCEPTED1Microsoft Windows Server 2003Microsoft Internet Explorer 6 Service Pack 1 for Windows Server 2003Harvey RubinovitzDRAFTINTERIMACCEPTEDHarvey RubinovitzINTERIMACCEPTEDInternet Explorer in Windows XP SP2, and other versions including 5.01 and 5.5, allows remote attackers to install arbitrary programs via a web page that uses certain styles and the AnchorClick behavior, popup windows, and drag-and-drop capabilities to drop the program in the local startup folder, as demonstrated by "wottapoop.html".CAN-2004-0839ACCEPTED2Microsoft Windows Server 2003Microsoft Internet Explorer 6 Service Pack 1 for Windows Server 2003Harvey RubinovitzDRAFTINTERIMACCEPTEDHarvey RubinovitzINTERIMACCEPTEDInternet Explorer 5.5 and 6 does not properly handle plug-in navigation, which allows remote attackers to alter displayed address bars and thereby spoof web pages, facilitating phishing attacks, aka the "Plug-in Navigation Address Bar Spoofing Vulnerability."CAN-2004-0843ACCEPTED2Microsoft Windows XPCompressed FoldersDavid ProulxDRAFTINTERIMACCEPTEDJonathan BakerINTERIMACCEPTEDMatthew WojcikINTERIMACCEPTEDInteger overflow in DUNZIP32.DLL for Microsoft Windows XP, Windows XP 64-bit Edition, Windows Server 2003, and Windows Server 2003 64-bit Edition allows remote attackers to execute arbitrary code via compressed (zipped) folders that involve an "unchecked buffer" and improper length validationCAN-2004-0575ACCEPTED3Microsoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPInternet Explorer 6 SP1Harvey RubinovitzDRAFTINTERIMACCEPTEDInternet Explorer 6.1 SP1 and earlier, and possibly other versions, allows remote attackers to cause a denial of service (application crash from "memory corruption") via certain malformed Cascading Style Sheet (CSS) elements that trigger heap-based buffer overflows, as demonstrated using the "<STYLE>@;/*" string, possibly due to a missing comment terminator that may cause an invalid length to trigger a large memory copy operation, aka the "CSS Heap Memory Corruption Vulnerability."CAN-2004-0842ACCEPTED1Microsoft Windows 2000Microsoft Internet Explorer 5.01 Service Pack 4Harvey RubinovitzDRAFTINTERIMACCEPTEDBuffer overflow in the Install Engine (inseng.dll) for Internet Explorer 5.01, 5.5, and 6 allows remote attackers to execute arbitrary code via a malicious website or HTML email.CAN-2004-0216ACCEPTED1Microsoft Windows Server 2003NetDDEJonathan BakerDRAFTINTERIMACCEPTEDNetwork Dynamic Data Exchange (NetDDE) services for Microsoft Windows 98, Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 allows attackers to remotely execute arbitrary code or locally gain privileges via a malicious message or application that involves an "unchecked buffer," possibly a buffer overflow.CAN-2004-0206ACCEPTED1Microsoft Windows MEMicrosoft Windows NTMicrosoft Windows XPInternet Explorer 6 SP1Harvey RubinovitzDRAFTINTERIMACCEPTEDMicrosoft Internet Explorer 6.0.2800.1106 on Microsoft Windows XP SP2, and other versions including 5.01 and 5.5, allows remote web servers to bypass zone restrictions and execute arbitrary code in the local computer zone by redirecting a function to another function with the same name, as demonstrated by SimilarMethodNameRedir, aka the "Similar Method Name Redirection Cross Domain Vulnerability."CAN-2004-0727ACCEPTED1Microsoft Windows 2000Microsoft Internet Explorer 5.01 Service Pack 3Harvey RubinovitzDRAFTINTERIMACCEPTEDMicrosoft Internet Explorer 6.0.2800.1106 on Microsoft Windows XP SP2, and other versions including 5.01 and 5.5, allows remote web servers to bypass zone restrictions and execute arbitrary code in the local computer zone by redirecting a function to another function with the same name, as demonstrated by SimilarMethodNameRedir, aka the "Similar Method Name Redirection Cross Domain Vulnerability."CAN-2004-0727ACCEPTED1Microsoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000Internet Explorer 5.5 Service Pack 2Harvey RubinovitzDRAFTINTERIMACCEPTEDInternet Explorer 5.5 and 6 does not properly handle plug-in navigation, which allows remote attackers to alter displayed address bars and thereby spoof web pages, facilitating phishing attacks, aka the "Plug-in Navigation Address Bar Spoofing Vulnerability."CAN-2004-0843ACCEPTED1Microsoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPInternet Explorer 6 SP1Harvey RubinovitzDRAFTINTERIMACCEPTEDInternet Explorer 5.5 and 6 does not properly handle plug-in navigation, which allows remote attackers to alter displayed address bars and thereby spoof web pages, facilitating phishing attacks, aka the "Plug-in Navigation Address Bar Spoofing Vulnerability."CAN-2004-0843ACCEPTED1Microsoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPInternet Explorer 5.5 Service Pack 2Harvey RubinovitzDRAFTINTERIMACCEPTEDMultiple buffer overflows in the XML Database (XDB) functionality for Oracle 9i Database Release 2 allow local users to cause a denial of service or hijack user sessions.CAN-2003-0727ACCEPTED1Microsoft Windows Server 2003Microsoft Internet Explorer 6 Service Pack 1 for Windows Server 2003Harvey RubinovitzDRAFTINTERIMACCEPTEDMicrosoft Internet Explorer 6.0.2800.1106 on Microsoft Windows XP SP2, and other versions including 5.01 and 5.5, allows remote web servers to bypass zone restrictions and execute arbitrary code in the local computer zone by redirecting a function to another function with the same name, as demonstrated by SimilarMethodNameRedir, aka the "Similar Method Name Redirection Cross Domain Vulnerability."CAN-2004-0727ACCEPTED1Microsoft Windows 2000Microsoft Internet Explorer 5.01 Service Pack 3Harvey RubinovitzDRAFTINTERIMACCEPTEDInternet Explorer 5.01, 5.5, and 6 does not properly cache SSL content, which allows remote attackers to obtain information or spoof content via a web site with the same host name as the target web site, whose content is cached and reused when the user visits the target web site.CAN-2004-0845ACCEPTED1Microsoft Windows XPInternet Explorer 6Harvey RubinovitzDRAFTINTERIMACCEPTEDBuffer overflow in the Install Engine (inseng.dll) for Internet Explorer 5.01, 5.5, and 6 allows remote attackers to execute arbitrary code via a malicious website or HTML email.CAN-2004-0216ACCEPTED1Microsoft Windows XPInternet Explorer 6Harvey RubinovitzDRAFTINTERIMACCEPTEDInternet Explorer in Windows XP SP2, and other versions including 5.01 and 5.5, allows remote attackers to install arbitrary programs via a web page that uses certain styles and the AnchorClick behavior, popup windows, and drag-and-drop capabilities to drop the program in the local startup folder, as demonstrated by "wottapoop.html".CAN-2004-0839ACCEPTED1Microsoft Windows 2000Microsoft Internet Explorer 5.01 Service Pack 3Harvey RubinovitzDRAFTINTERIMACCEPTEDBuffer overflow in the Install Engine (inseng.dll) for Internet Explorer 5.01, 5.5, and 6 allows remote attackers to execute arbitrary code via a malicious website or HTML email.CAN-2004-0216ACCEPTED1Microsoft Windows XPInternet Explorer 6Harvey RubinovitzDRAFTINTERIMACCEPTEDMicrosoft Internet Explorer 6.0.2800.1106 on Microsoft Windows XP SP2, and other versions including 5.01 and 5.5, allows remote web servers to bypass zone restrictions and execute arbitrary code in the local computer zone by redirecting a function to another function with the same name, as demonstrated by SimilarMethodNameRedir, aka the "Similar Method Name Redirection Cross Domain Vulnerability."CAN-2004-0727ACCEPTED1Microsoft Windows MEInternet Explorer 6 SP1Harvey RubinovitzDRAFTINTERIMACCEPTEDInternet Explorer 6.x allows remote attackers to install arbitrary programs via mousedown events that call the Popup.show method and use drag-and-drop actions in a popup window, aka "HijackClick 3" and the "Script in Image Tag File Download Vulnerability."CAN-2004-0841ACCEPTED1Microsoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPInternet Explorer 6 SP1Harvey RubinovitzDRAFTINTERIMACCEPTEDInternet Explorer 6 on Double Byte Character Set (DBCS) systems allows remote attackers to alter displayed address bars and spoof web pages via a URL containing special characters, facilitating phishing attacks, aka the "Address Bar Spoofing on Double Byte Character Set Systems Vulnerability."CAN-2004-0844ACCEPTED1This test should fail if the 64-bit (x64 architecture) version of Windows is installed.11111111111111111111111111111111111111111111111111111111111111111For "/tmp is readable by non-root users," use a compound test.111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111