Vulnerability Description
The installation of Microsoft Data Engine 1.0 (MSDE 1.0), and Microsoft SQL Server 2000 creates setup.iss files with insecure permissions and does not delete them after installation, which allows local users to obtain sensitive data, including weakly encrypted passwords, to gain privileges, aka "SQL Server Installation Process May Leave Passwords on System."
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Microsoft | Data Engine | 1.0 |
| Microsoft | Sql Server | 7.0 |
References
- http://marc.info/?l=bugtraq&m=102640092826731&w=2
- http://marc.info/?l=vuln-dev&m=102640394131103&w=2
- http://www.kb.cert.org/vuls/id/338195US Government Resource
- http://www.securityfocus.com/bid/5203
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2002/ms02-03
- http://marc.info/?l=bugtraq&m=102640092826731&w=2
- http://marc.info/?l=vuln-dev&m=102640394131103&w=2
- http://www.kb.cert.org/vuls/id/338195US Government Resource
- http://www.securityfocus.com/bid/5203
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2002/ms02-03
FAQ
What is CVE-2002-0643?
CVE-2002-0643 is a vulnerability with a CVSS score of 4.6 (MEDIUM). The installation of Microsoft Data Engine 1.0 (MSDE 1.0), and Microsoft SQL Server 2000 creates setup.iss files with insecure permissions and does not delete them after installation, which allows loca...
How severe is CVE-2002-0643?
CVE-2002-0643 has been rated MEDIUM with a CVSS base score of 4.6/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2002-0643?
Check the references section above for vendor advisories and patch information. Affected products include: Microsoft Data Engine, Microsoft Sql Server.