Details of VAR-200312-0381

ID

VAR-200312-0381

CVE

CVE-2003-1414

TITLE

Apple QuickTime/Darwin Streaming Server parse_xml.cgi File leak vulnerability

Trust: 0.6

sources: CNNVD: CNNVD-200312-081

DESCRIPTION

Directory traversal vulnerability in parse_xml.cg Apple Darwin Streaming Server 4.1.2 and Apple Quicktime Streaming Server 4.1.1 allows remote attackers to read arbitrary files via a ... (triple dot) in the filename parameter. The vulnerability exists due to insufficient sanitization of some parameters given to the parse_xml.cgi script. Information obtained in this manner may be used by an attacker to launch more organinzed attacks against a vulnerable system. This vulnerability was tested on SS for Microsoft Windows systems. Remote attackers can read arbitrary files with the help of the ..

Trust: 1.26

sources: NVD: CVE-2003-1414 // BID: 6990 // VULHUB: VHN-8239

AFFECTED PRODUCTS

vendor:	apple	model:	quicktime streaming server	scope:	eq	version:	4.1.1	Trust: 1.9
vendor:	apple	model:	darwin streaming server	scope:	eq	version:	4.1.2	Trust: 1.9

sources: BID: 6990 // CNNVD: CNNVD-200312-081 // NVD: CVE-2003-1414

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2003-1414
value:	MEDIUM
Trust: 1.0
CNNVD:	CNNVD-200312-081
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-8239
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2003-1414
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.0
VULHUB:	VHN-8239
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: VULHUB: VHN-8239 // CNNVD: CNNVD-200312-081 // NVD: CVE-2003-1414

PROBLEMTYPE DATA

problemtype:

CWE-22

Trust: 1.1

sources: VULHUB: VHN-8239 // NVD: CVE-2003-1414

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-200312-081

TYPE

path traversal

Trust: 0.6

sources: CNNVD: CNNVD-200312-081

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-8239

EXTERNAL IDS

db:	BID	id:	6990	Trust: 2.0
db:	NVD	id:	CVE-2003-1414	Trust: 1.7
db:	SREASON	id:	3260	Trust: 1.7
db:	CNNVD	id:	CNNVD-200312-081	Trust: 0.7
db:	XF	id:	11446	Trust: 0.6
db:	BUGTRAQ	id:	20030228 RE: QUICKTIME/DARWIN STREAMING ADMINISTRATION SERVER MULTIPLE VULNERABILITIES	Trust: 0.6
db:	EXPLOIT-DB	id:	22312	Trust: 0.1
db:	VULHUB	id:	VHN-8239	Trust: 0.1

sources: VULHUB: VHN-8239 // BID: 6990 // CNNVD: CNNVD-200312-081 // NVD: CVE-2003-1414

REFERENCES

url:	http://www.securityfocus.com/bid/6990	Trust: 1.7
url:	http://www.securityfocus.com/archive/1/313517	Trust: 1.7
url:	http://securityreason.com/securityalert/3260	Trust: 1.7
url:	https://exchange.xforce.ibmcloud.com/vulnerabilities/11446	Trust: 1.1
url:	http://xforce.iss.net/xforce/xfdb/11446	Trust: 0.6
url:	http://developer.apple.com/darwin/projects/streaming/	Trust: 0.3
url:	/archive/1/313517	Trust: 0.3

sources: VULHUB: VHN-8239 // BID: 6990 // CNNVD: CNNVD-200312-081 // NVD: CVE-2003-1414

CREDITS

Discovery of this vulnerability credited to "Joe Testa" <Joe_Testa@rapid7.com>.

Trust: 0.9

sources: BID: 6990 // CNNVD: CNNVD-200312-081

SOURCES

db:	VULHUB	id:	VHN-8239
db:	BID	id:	6990
db:	CNNVD	id:	CNNVD-200312-081
db:	NVD	id:	CVE-2003-1414

LAST UPDATE DATE

2024-08-14T13:51:17.989000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-8239	date:	2017-07-29T00:00:00
db:	BID	id:	6990	date:	2003-02-28T00:00:00
db:	CNNVD	id:	CNNVD-200312-081	date:	2003-12-31T00:00:00
db:	NVD	id:	CVE-2003-1414	date:	2017-07-29T01:29:10.497

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-8239	date:	2003-12-31T00:00:00
db:	BID	id:	6990	date:	2003-02-28T00:00:00
db:	CNNVD	id:	CNNVD-200312-081	date:	2003-12-31T00:00:00
db:	NVD	id:	CVE-2003-1414	date:	2003-12-31T05:00:00