CVE-2008-1054

CVSS V2 Medium 6.4 CVSS V3 None
Description
Stack-based buffer overflow in the _lib_spawn_user_getpid function in (1) swatch.exe and (2) surgemail.exe in NetWin SurgeMail 38k4 and earlier, and beta 39a, allows remote attackers to cause a denial of service (daemon crash) and possibly execute arbitrary code via an HTTP request with multiple long headers to webmail.exe and unspecified other CGI executables, which triggers an overflow when assigning values to environment variables. NOTE: some of these details are obtained from third party information.
Overview
  • CVE ID
  • CVE-2008-1054
  • Assigner
  • cve@mitre.org
  • Vulnerability Status
  • Modified
  • Published Version
  • 2008-02-27T19:44:00
  • Last Modified Date
  • 2018-10-11T20:29:11
Weakness Enumerations
CWE URL
CWE-119 http://cwe.mitre.org/data/definitions/119.html
CPE Configuration (Product)
CPE Vulnerable Operator Version Start Version End
cpe:2.3:a:netwin:surgemail:1.8a:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:netwin:surgemail:1.8b3:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:netwin:surgemail:1.8d:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:netwin:surgemail:1.8e:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:netwin:surgemail:1.8g3:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:netwin:surgemail:1.9:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:netwin:surgemail:1.9b2:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:netwin:surgemail:2.0a2:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:netwin:surgemail:2.0c:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:netwin:surgemail:2.0e:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:netwin:surgemail:2.0g2:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:netwin:surgemail:2.1a:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:netwin:surgemail:2.1c7:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:netwin:surgemail:2.2a6:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:netwin:surgemail:2.2c9:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:netwin:surgemail:2.2c10:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:netwin:surgemail:2.2g2:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:netwin:surgemail:2.2g3:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:netwin:surgemail:3.0a:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:netwin:surgemail:3.0c2:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:netwin:surgemail:3.1s:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:netwin:surgemail:3.8f3:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:netwin:surgemail:3.8i:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:netwin:surgemail:3.8i2:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:netwin:surgemail:3.8i3:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:netwin:surgemail:38k:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:netwin:surgemail:38k4:*:*:*:*:*:*:* 1 OR
CVSS Version 2
  • Version
  • 2.0
  • Vector String
  • AV:N/AC:L/Au:N/C:N/I:P/A:P
  • Access Vector
  • NETWORK
  • Access Compatibility
  • LOW
  • Authentication
  • NONE
  • Confidentiality Impact
  • NONE
  • Integrity Impact
  • PARTIAL
  • Availability Impact
  • PARTIAL
  • Base Score
  • 6.4
  • Severity
  • MEDIUM
  • Exploitability Score
  • 10
  • Impact Score
  • 4.9
References
Reference URL Reference Tags
http://aluigi.altervista.org/adv/surgemailz-adv.txt Exploit
http://www.securityfocus.com/bid/27992 Exploit
http://secunia.com/advisories/29105 Vendor Advisory
http://www.securitytracker.com/id?1019500
http://securityreason.com/securityalert/3705
http://www.vupen.com/english/advisories/2008/0678
https://exchange.xforce.ibmcloud.com/vulnerabilities/40834
http://www.securityfocus.com/archive/1/488741/100/0/threaded
Sources
Source Name Source URL
NIST https://nvd.nist.gov/vuln/detail/CVE-2008-1054
MITRE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1054
History
Created Old Value New Value Data Type Notes
2022-05-10 18:29:56 Added to TrackCVE