CVE-2002-0643

Severity

46%

Complexity

39%

Confidentiality

106%

The installation of Microsoft Data Engine 1.0 (MSDE 1.0), and Microsoft SQL Server 2000 creates setup.iss files with insecure permissions and does not delete them after installation, which allows local users to obtain sensitive data, including weakly encrypted passwords, to gain privileges, aka "SQL Server Installation Process May Leave Passwords on System."

The installation of Microsoft Data Engine 1.0 (MSDE 1.0), and Microsoft SQL Server 2000 creates setup.iss files with insecure permissions and does not delete them after installation, which allows local users to obtain sensitive data, including weakly encrypted passwords, to gain privileges, aka "SQL Server Installation Process May Leave Passwords on System."

CVSS 2.0 Base Score 4.6. CVSS Attack Vector: local. CVSS Attack Complexity: low. CVSS Vector: (AV:L/AC:L/Au:N/C:P/I:P/A:P).

Overview

Type

Microsoft

First reported 22 years ago

2002-07-23 04:00:00

Last updated 6 years ago

2018-10-12 21:31:00

Affected Software

Microsoft data_engine 1.0

1.0

Microsoft SQLServer 7.0

7.0

Microsoft SQL Server 7.0 Service Pack 1

7.0

Microsoft SQL Server 7.0 Service Pack 2

7.0

Microsoft SQL Server 7.0 Service Pack 3

7.0

Microsoft SQL Server 2000

2000

Microsoft SQLServer 2000 Service Pack 1

2000

Microsoft SQLServer 2000 Service Pack 2

2000

References

20020711 SQL Server 7 & 2000 Installation process and Service Packs write encoded passwords to a file

20020711 SQL Server 7 & 2000 Installation process and Service Packs write encoded passwords to a file

VU#338195

US Government Resource

5203

MS02-035

Stay updated

ExploitPedia is constantly evolving. Sign up to receive a notification when we release additional functionality.

Get in touch

If you'd like to report a bug or have any suggestions for improvements then please do get in touch with us using this form. We will get back to you as soon as we can.