CVE List
| Id | CVE No. | Status | Description | Phase | Votes | Comments | Actions |
|---|---|---|---|---|---|---|---|
| 1777 | CVE-2000-0199 | Candidate | When a new SQL Server is registered in Enterprise Manager for Microsoft SQL Server 7.0 and the "Always prompt for login name and password" option is not set, then the Enterprise Manager uses weak encryption to store the login ID and password. | Proposed (20000322) | ACCEPT(6) Baker, Blake, Cole, Levy, Ozancin, Wall | MODIFY(1) Frech | REVIEWING(2) Christey, LeBlanc | LeBlanc> I think this may just be user error - I"d like more information. | Frech> XF:mssql-weak-encryption | ISS:Vulnerability in Microsoft SQL Server 7.0 Encryption Used to Store | Administrative Login ID | URL:http://xforce.iss.net/alerts/advise45.php3 | Christey> According to Scott Culp, this can only be reproduced if the | SQL server is running in an unsafe mode that is not | recommended by Microsoft: "To securely use SQL Server, | Microsoft recommends using Windows Integrated Security. In | Windows Integrated Security mode passwords are never stored, | as your Windows Domain sign-on is used as the security | identifier to the database server." | | We still must consider approving this candidate, however, as a | user configuration error instead of a software flaw. | CD:DESIGN-WEAK-ENCRYPTION applies in this case, so if we | decide to include configuration problems in which a user | intentionally selects weak encryption, then we might still | approve this candidate. | View |
| 2156 | CVE-2000-0580 | Candidate | Windows 2000 Server allows remote attackers to cause a denial of service by sending a continuous stream of binary zeros to various TCP and UDP ports, which significantly increases the CPU utilization. | Proposed (20000719) | ACCEPT(3) Cole, Frech, Levy | REJECT(2) LeBlanc, Magdych | REVIEWING(1) Wall | LeBlanc> Insufficient data. Most of their claims are not reproducible. You can, | however, DoS the telnet server this way. As far as I know, there is no repro | on any of the other ports. I am not sure of fix status at this time | (7/19/00). Also overlaps with CVE-2000-0581 | CHANGE> [Magdych changed vote from REVIEWING to REJECT] | Magdych> The only independent verification of these claims I have heard is for the Telnet denial of service, which is already defined in CVE candidate CVE-2000-0581. | Frech> Replace win2k-cpu-overload-dos(4824) with win2k-telnetserver-dos(4823) | View |
| 3145 | CVE-2001-0324 | Candidate | Windows 98 and Windows 2000 Java clients allow remote attackers to cause a denial of service via a Java applet that opens a large number of UDP sockets, which prevents the host from establishing any additional UDP connections, and possibly causes a crash. | Proposed (20010404) | MODIFY(1) Frech | NOOP(2) Cole, Ziese | RECAST(1) LeBlanc | REVIEWING(3) Baker, Bishop, Wall | LeBlanc> Sun"s Java specification does not provide for limits on the | number of sockets that can be opened. We didn"t write the spec, we just | implemented it. Aside from the issue of EX-CLIENT-DOS issues noted in my | comments on CVE-2001-0322, the vuln would need to be recast to show that | the actual problem lies in Java. If the description is recast to show | that the issue is in Sun"s Java specification, then please change my | vote to NOOP, as per the "don"t vote on issues with other vendors" rule. | Frech> XF:win-udp-dos(6070) | View |
| 1993 | CVE-2000-0415 | Candidate | Buffer overflow in Outlook Express 4.x allows attackers to cause a denial of service via a mail or news message that has a .jpg or .bmp attachment with a long file name. | Proposed (20000615) | ACCEPT(3) Levy, Ozancin, Wall | MODIFY(1) Frech | NOOP(3) Christey, Cole, Stracener | REJECT(1) LeBlanc | LeBlanc> The poster re-discovered a vulnerability we patched two years | ago, in | http://www.microsoft.com/technet/security/bulletin/ms98-008.asp | Microsoft posted a response to BugTraq when this one went | public, and reminded them that we"d already patched it. | | BTW, I think we want to try and pay attention to follow-ups to | these threads in order to minimize noise in the process. | Christey> Based on David"s comments, this is covered by CVE-1999-0002. | However, that candidate may wind up being SPLIT, so I will | keep this one around for the moment. | | With respect to watching followups, we are relying quite | a bit on other data feeds instead of doing our own reviews | of all the different data sources. The data feeds may report | these problems as new before corrections are posted. | Followups do often lend additional information to the | candidates, and as is the case with this one, we will | often catch the discrepancy before the candidate becomes an | official entry, whether by MITRE"s own analysis or by that | of other Board members. | Frech> XF:outlook-image-long-filename | View |
| 603 | CVE-1999-0621 | Candidate | ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: "A component service related to NETBIOS is running." | Modified (20080731) | ACCEPT(2) Baker, Wall | MODIFY(1) Frech | REJECT(2) LeBlanc, Northcutt | LeBlanc> There is insufficient description to even know what this is. | Lots of component services related to NetBIOS run, and usually do not | constitute a problem. | Frech> associated to: | XF:nt-alerter(29) | XF:nt-messenger(69) | XF:reg-ras-gateway-enabled(2567) | View |
Page 20911 of 20943, showing 5 records out of 104715 total, starting on record 104551, ending on 104555
