NVD Vulnerability Detail

CVE-2008-1475

Summary	The xml-rpc server in Roundup 1.4.4 does not check property permissions, which allows attackers to bypass restrictions and edit or read restricted properties via the (1) list, (2) display, and (3) set methods.
Publication Date	March 25, 2008, 7:44 a.m.
Registration Date	Jan. 29, 2021, 1:34 p.m.
Last Update	Aug. 8, 2017, 10:30 a.m.

CVSS2.0 : MEDIUM
Score	6.4
Vector	AV:N/AC:L/Au:N/C:P/I:P/A:N
攻撃元区分(AV)	ネットワーク
攻撃条件の複雑さ(AC)	低
攻撃前の認証要否(Au)	不要
機密性への影響(C)	低
完全性への影響(I)	低
可用性への影響(A)	なし
Get all privileges.	いいえ
Get user privileges	いいえ
Get other privileges	いいえ
User operation required	いいえ

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:roundup-tracker:roundup:0.1.0:::::::*
cpe:2.3:a:roundup-tracker:roundup:0.1.1:::::::*
cpe:2.3:a:roundup-tracker:roundup:0.1.2:::::::*
cpe:2.3:a:roundup-tracker:roundup:0.1.3:::::::*
cpe:2.3:a:roundup-tracker:roundup:0.2.0:::::::*
cpe:2.3:a:roundup-tracker:roundup:0.2.1:::::::*
cpe:2.3:a:roundup-tracker:roundup:0.2.2:::::::*
cpe:2.3:a:roundup-tracker:roundup:0.2.3:::::::*
cpe:2.3:a:roundup-tracker:roundup:0.2.4:::::::*
cpe:2.3:a:roundup-tracker:roundup:0.2.5:::::::*
cpe:2.3:a:roundup-tracker:roundup:0.2.6:::::::*
cpe:2.3:a:roundup-tracker:roundup:0.2.7:::::::*
cpe:2.3:a:roundup-tracker:roundup:0.2.8:::::::*
cpe:2.3:a:roundup-tracker:roundup:0.3.0:::::::*
cpe:2.3:a:roundup-tracker:roundup:0.3.0:pre1::::::
cpe:2.3:a:roundup-tracker:roundup:0.3.0:pre2::::::
cpe:2.3:a:roundup-tracker:roundup:0.3.0:pre3::::::
cpe:2.3:a:roundup-tracker:roundup:0.4.0:::::::*
cpe:2.3:a:roundup-tracker:roundup:0.4.0:b1::::::
cpe:2.3:a:roundup-tracker:roundup:0.4.0:b2::::::
cpe:2.3:a:roundup-tracker:roundup:0.4.1:::::::*
cpe:2.3:a:roundup-tracker:roundup:0.4.2:::::::*
cpe:2.3:a:roundup-tracker:roundup:0.4.2:pr1::::::
cpe:2.3:a:roundup-tracker:roundup:0.5:::::::*
cpe:2.3:a:roundup-tracker:roundup:0.5.0:::::::*
cpe:2.3:a:roundup-tracker:roundup:0.5.0:beta1::::::
cpe:2.3:a:roundup-tracker:roundup:0.5.0:beta2::::::
cpe:2.3:a:roundup-tracker:roundup:0.5.0:pr1::::::
cpe:2.3:a:roundup-tracker:roundup:0.5.1:::::::*
cpe:2.3:a:roundup-tracker:roundup:0.5.2:::::::*
cpe:2.3:a:roundup-tracker:roundup:0.5.3:::::::*
cpe:2.3:a:roundup-tracker:roundup:0.5.4:::::::*
cpe:2.3:a:roundup-tracker:roundup:0.5.5:::::::*
cpe:2.3:a:roundup-tracker:roundup:0.5.6:::::::*
cpe:2.3:a:roundup-tracker:roundup:0.5.7:::::::*
cpe:2.3:a:roundup-tracker:roundup:0.5.8:stable::::::
cpe:2.3:a:roundup-tracker:roundup:0.5.9:::::::*
cpe:2.3:a:roundup-tracker:roundup:0.6.0:::::::*
cpe:2.3:a:roundup-tracker:roundup:0.6.0:b1::::::
cpe:2.3:a:roundup-tracker:roundup:0.6.0:b2::::::
cpe:2.3:a:roundup-tracker:roundup:0.6.0:b3::::::
cpe:2.3:a:roundup-tracker:roundup:0.6.0:b4::::::
cpe:2.3:a:roundup-tracker:roundup:0.6.1:::::::*
cpe:2.3:a:roundup-tracker:roundup:0.6.2:::::::*
cpe:2.3:a:roundup-tracker:roundup:0.6.3:::::::*
cpe:2.3:a:roundup-tracker:roundup:0.6.4:::::::*
cpe:2.3:a:roundup-tracker:roundup:0.6.5:::::::*
cpe:2.3:a:roundup-tracker:roundup:0.6.6:::::::*
cpe:2.3:a:roundup-tracker:roundup:0.6.7:::::::*
cpe:2.3:a:roundup-tracker:roundup:0.6.8:::::::*
cpe:2.3:a:roundup-tracker:roundup:0.6.9:::::::*
cpe:2.3:a:roundup-tracker:roundup:0.6.10:::::::*
cpe:2.3:a:roundup-tracker:roundup:0.6.11:::::::*
cpe:2.3:a:roundup-tracker:roundup:0.7.0:::::::*
cpe:2.3:a:roundup-tracker:roundup:0.7.0:b1::::::
cpe:2.3:a:roundup-tracker:roundup:0.7.0:b2::::::
cpe:2.3:a:roundup-tracker:roundup:0.7.0:b3::::::
cpe:2.3:a:roundup-tracker:roundup:0.7.1:::::::*
cpe:2.3:a:roundup-tracker:roundup:0.7.2:::::::*
cpe:2.3:a:roundup-tracker:roundup:0.7.3:::::::*
cpe:2.3:a:roundup-tracker:roundup:0.7.4:::::::*
cpe:2.3:a:roundup-tracker:roundup:0.7.5:::::::*
cpe:2.3:a:roundup-tracker:roundup:0.7.6:::::::*
cpe:2.3:a:roundup-tracker:roundup:0.7.7:::::::*
cpe:2.3:a:roundup-tracker:roundup:0.7.8:::::::*
cpe:2.3:a:roundup-tracker:roundup:0.7.9:::::::*
cpe:2.3:a:roundup-tracker:roundup:0.7.10:::::::*
cpe:2.3:a:roundup-tracker:roundup:0.7.11:::::::*
cpe:2.3:a:roundup-tracker:roundup:0.7.12:::::::*
cpe:2.3:a:roundup-tracker:roundup:0.8.0:::::::*
cpe:2.3:a:roundup-tracker:roundup:0.8.0:b1::::::
cpe:2.3:a:roundup-tracker:roundup:0.8.0:b2::::::
cpe:2.3:a:roundup-tracker:roundup:0.8.1:::::::*
cpe:2.3:a:roundup-tracker:roundup:0.8.2:::::::*
cpe:2.3:a:roundup-tracker:roundup:0.8.3:::::::*
cpe:2.3:a:roundup-tracker:roundup:0.8.4:::::::*
cpe:2.3:a:roundup-tracker:roundup:0.8.5:::::::*
cpe:2.3:a:roundup-tracker:roundup:0.8.6:::::::*
cpe:2.3:a:roundup-tracker:roundup:0.9.0:b1::::::
cpe:2.3:a:roundup-tracker:roundup:1.0:::::::*
cpe:2.3:a:roundup-tracker:roundup:1.0.1:::::::*
cpe:2.3:a:roundup-tracker:roundup:1.1.0:::::::*
cpe:2.3:a:roundup-tracker:roundup:1.1.1:::::::*
cpe:2.3:a:roundup-tracker:roundup:1.1.2:::::::*
cpe:2.3:a:roundup-tracker:roundup:1.2.0:::::::*
cpe:2.3:a:roundup-tracker:roundup:1.2.1:::::::*
cpe:2.3:a:roundup-tracker:roundup:1.3.0:::::::*
cpe:2.3:a:roundup-tracker:roundup:1.3.1:::::::*
cpe:2.3:a:roundup-tracker:roundup:1.3.2:::::::*
cpe:2.3:a:roundup-tracker:roundup:1.3.3:::::::*
cpe:2.3:a:roundup-tracker:roundup:1.4.0:::::::*
cpe:2.3:a:roundup-tracker:roundup:1.4.1:::::::*
cpe:2.3:a:roundup-tracker:roundup:1.4.2:::::::*
cpe:2.3:a:roundup-tracker:roundup::::::::		1.4.3

Related information, measures and tools

No	URL	refsource	タグ
1	http://secunia.com/advisories/29336	SECUNIA	Vendor Advisory
2	http://secunia.com/advisories/29375	SECUNIA	Vendor Advisory
3	http://secunia.com/advisories/30274	SECUNIA
4	http://secunia.com/advisories/32805	SECUNIA
5	http://security.gentoo.org/glsa/glsa-200805-21.xml	GENTOO
6	http://sourceforge.net/tracker/index.php?func=detail&aid=1907211&group_id=31577&atid=402788	CONFIRM
7	http://www.securityfocus.com/bid/28238	BID
8	http://www.vupen.com/english/advisories/2008/0891	VUPEN
9	https://bugzilla.redhat.com/show_bug.cgi?id=436546	MISC
10	https://exchange.xforce.ibmcloud.com/vulnerabilities/41240	XF
11	https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00264.html	FEDORA
12	https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00375.html	FEDORA
13	https://www.redhat.com/archives/fedora-package-announce/2008-November/msg00452.html	FEDORA
14	https://www.redhat.com/archives/fedora-package-announce/2008-November/msg00478.html	FEDORA

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-264	認可・権限・アクセス制御	https://cwe.mitre.org/data/definitions/264.html

JVN Vulnerability Information

Roundup の xml-rpc サーバにおける制限を回避される脆弱性

Title	Roundup の xml-rpc サーバにおける制限を回避される脆弱性
Summary	Roundup の xml-rpc サーバは、プロパティのパーミッションをチェックしないため、制限を回避される、および制限されたプロパティを編集または読まれる脆弱性が存在します。
Possible impacts	攻撃者により、制限を回避される、および制限されたプロパティを編集または読まれる可能性があります。
Solution	ベンダ情報および参考情報を参照して適切な対策を実施してください。
Publication Date	March 24, 2008, midnight
Registration Date	Dec. 20, 2012, 6:52 p.m.
Last Update	Dec. 20, 2012, 6:52 p.m.

Affected System

Roundup

Roundup 1.4.4

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2008-1475	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1475
National Vulnerability Database (NVD)
2	CVE-2008-1475	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-1475

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-264	https://jvndb.jvn.jp/ja/cwe/CWE-264.html

ベンダー情報

No	Name	URL
Roundup
1	Top Page	http://roundup.sourceforge.net/

Change Log

No	Changed Details	Date of change
0	[2012年12月20日] 掲載	Feb. 17, 2018, 10:37 a.m.

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:roundup-tracker:roundup:0.1.0:::::::*
cpe:2.3:a:roundup-tracker:roundup:0.1.1:::::::*
cpe:2.3:a:roundup-tracker:roundup:0.1.2:::::::*
cpe:2.3:a:roundup-tracker:roundup:0.1.3:::::::*
cpe:2.3:a:roundup-tracker:roundup:0.2.0:::::::*
cpe:2.3:a:roundup-tracker:roundup:0.2.1:::::::*
cpe:2.3:a:roundup-tracker:roundup:0.2.2:::::::*
cpe:2.3:a:roundup-tracker:roundup:0.2.3:::::::*
cpe:2.3:a:roundup-tracker:roundup:0.2.4:::::::*
cpe:2.3:a:roundup-tracker:roundup:0.2.5:::::::*
cpe:2.3:a:roundup-tracker:roundup:0.2.6:::::::*
cpe:2.3:a:roundup-tracker:roundup:0.2.7:::::::*
cpe:2.3:a:roundup-tracker:roundup:0.2.8:::::::*
cpe:2.3:a:roundup-tracker:roundup:0.3.0:::::::*
cpe:2.3:a:roundup-tracker:roundup:0.3.0:pre1::::::
cpe:2.3:a:roundup-tracker:roundup:0.3.0:pre2::::::
cpe:2.3:a:roundup-tracker:roundup:0.3.0:pre3::::::
cpe:2.3:a:roundup-tracker:roundup:0.4.0:::::::*
cpe:2.3:a:roundup-tracker:roundup:0.4.0:b1::::::
cpe:2.3:a:roundup-tracker:roundup:0.4.0:b2::::::
cpe:2.3:a:roundup-tracker:roundup:0.4.1:::::::*
cpe:2.3:a:roundup-tracker:roundup:0.4.2:::::::*
cpe:2.3:a:roundup-tracker:roundup:0.4.2:pr1::::::
cpe:2.3:a:roundup-tracker:roundup:0.5:::::::*
cpe:2.3:a:roundup-tracker:roundup:0.5.0:::::::*
cpe:2.3:a:roundup-tracker:roundup:0.5.0:beta1::::::
cpe:2.3:a:roundup-tracker:roundup:0.5.0:beta2::::::
cpe:2.3:a:roundup-tracker:roundup:0.5.0:pr1::::::
cpe:2.3:a:roundup-tracker:roundup:0.5.1:::::::*
cpe:2.3:a:roundup-tracker:roundup:0.5.2:::::::*
cpe:2.3:a:roundup-tracker:roundup:0.5.3:::::::*
cpe:2.3:a:roundup-tracker:roundup:0.5.4:::::::*
cpe:2.3:a:roundup-tracker:roundup:0.5.5:::::::*
cpe:2.3:a:roundup-tracker:roundup:0.5.6:::::::*
cpe:2.3:a:roundup-tracker:roundup:0.5.7:::::::*
cpe:2.3:a:roundup-tracker:roundup:0.5.8:stable::::::
cpe:2.3:a:roundup-tracker:roundup:0.5.9:::::::*
cpe:2.3:a:roundup-tracker:roundup:0.6.0:::::::*
cpe:2.3:a:roundup-tracker:roundup:0.6.0:b1::::::
cpe:2.3:a:roundup-tracker:roundup:0.6.0:b2::::::
cpe:2.3:a:roundup-tracker:roundup:0.6.0:b3::::::
cpe:2.3:a:roundup-tracker:roundup:0.6.0:b4::::::
cpe:2.3:a:roundup-tracker:roundup:0.6.1:::::::*
cpe:2.3:a:roundup-tracker:roundup:0.6.2:::::::*
cpe:2.3:a:roundup-tracker:roundup:0.6.3:::::::*
cpe:2.3:a:roundup-tracker:roundup:0.6.4:::::::*
cpe:2.3:a:roundup-tracker:roundup:0.6.5:::::::*
cpe:2.3:a:roundup-tracker:roundup:0.6.6:::::::*
cpe:2.3:a:roundup-tracker:roundup:0.6.7:::::::*
cpe:2.3:a:roundup-tracker:roundup:0.6.8:::::::*
cpe:2.3:a:roundup-tracker:roundup:0.6.9:::::::*
cpe:2.3:a:roundup-tracker:roundup:0.6.10:::::::*
cpe:2.3:a:roundup-tracker:roundup:0.6.11:::::::*
cpe:2.3:a:roundup-tracker:roundup:0.7.0:::::::*
cpe:2.3:a:roundup-tracker:roundup:0.7.0:b1::::::
cpe:2.3:a:roundup-tracker:roundup:0.7.0:b2::::::
cpe:2.3:a:roundup-tracker:roundup:0.7.0:b3::::::
cpe:2.3:a:roundup-tracker:roundup:0.7.1:::::::*
cpe:2.3:a:roundup-tracker:roundup:0.7.2:::::::*
cpe:2.3:a:roundup-tracker:roundup:0.7.3:::::::*
cpe:2.3:a:roundup-tracker:roundup:0.7.4:::::::*
cpe:2.3:a:roundup-tracker:roundup:0.7.5:::::::*
cpe:2.3:a:roundup-tracker:roundup:0.7.6:::::::*
cpe:2.3:a:roundup-tracker:roundup:0.7.7:::::::*
cpe:2.3:a:roundup-tracker:roundup:0.7.8:::::::*
cpe:2.3:a:roundup-tracker:roundup:0.7.9:::::::*
cpe:2.3:a:roundup-tracker:roundup:0.7.10:::::::*
cpe:2.3:a:roundup-tracker:roundup:0.7.11:::::::*
cpe:2.3:a:roundup-tracker:roundup:0.7.12:::::::*
cpe:2.3:a:roundup-tracker:roundup:0.8.0:::::::*
cpe:2.3:a:roundup-tracker:roundup:0.8.0:b1::::::
cpe:2.3:a:roundup-tracker:roundup:0.8.0:b2::::::
cpe:2.3:a:roundup-tracker:roundup:0.8.1:::::::*
cpe:2.3:a:roundup-tracker:roundup:0.8.2:::::::*
cpe:2.3:a:roundup-tracker:roundup:0.8.3:::::::*
cpe:2.3:a:roundup-tracker:roundup:0.8.4:::::::*
cpe:2.3:a:roundup-tracker:roundup:0.8.5:::::::*
cpe:2.3:a:roundup-tracker:roundup:0.8.6:::::::*
cpe:2.3:a:roundup-tracker:roundup:0.9.0:b1::::::
cpe:2.3:a:roundup-tracker:roundup:1.0:::::::*
cpe:2.3:a:roundup-tracker:roundup:1.0.1:::::::*
cpe:2.3:a:roundup-tracker:roundup:1.1.0:::::::*
cpe:2.3:a:roundup-tracker:roundup:1.1.1:::::::*
cpe:2.3:a:roundup-tracker:roundup:1.1.2:::::::*
cpe:2.3:a:roundup-tracker:roundup:1.2.0:::::::*
cpe:2.3:a:roundup-tracker:roundup:1.2.1:::::::*
cpe:2.3:a:roundup-tracker:roundup:1.3.0:::::::*
cpe:2.3:a:roundup-tracker:roundup:1.3.1:::::::*
cpe:2.3:a:roundup-tracker:roundup:1.3.2:::::::*
cpe:2.3:a:roundup-tracker:roundup:1.3.3:::::::*
cpe:2.3:a:roundup-tracker:roundup:1.4.0:::::::*
cpe:2.3:a:roundup-tracker:roundup:1.4.1:::::::*
cpe:2.3:a:roundup-tracker:roundup:1.4.2:::::::*
cpe:2.3:a:roundup-tracker:roundup::::::::		1.4.3