Vulnerability Description
The (1) instdbmsrv and (2) instlserver programs in SAP DB Development Tools 7.x trust the user-provided INSTROOT environment variable as a path when assigning setuid permissions to the lserver program, which allows local users to gain root privileges via a modified INSTROOT that points to a malicious dbmsrv or lserver program.
CVSS Score
7.2 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| SAP | SAP DB | 7.3.00 |
References
- http://listserv.sap.com/pipermail/sapdb.sources/2003-April/000143.html
- http://marc.info/?l=bugtraq&m=105103613727471&w=2
- http://www.securityfocus.com/bid/7407 (Patch, Vendor Advisory)
- http://www.securityfocus.com/bid/7408
- https://exchange.xforce.ibmcloud.com/vulnerabilities/11842
FAQ
What is CVE-2003-1033?
CVE-2003-1033 is a vulnerability with a CVSS score of 7.2 (HIGH). The (1) instdbmsrv and (2) instlserver programs in SAP DB Development Tools 7.x trust the user-provided INSTROOT environment variable as a path when assigning setuid permissions to the lserver program...
How severe is CVE-2003-1033?
CVE-2003-1033 has been rated HIGH with a CVSS base score of 7.2/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2003-1033?
Check the references section above for vendor advisories and patch information. Affected products include: SAP DB (vendor: SAP).