CVE-2004-0333

Current Description

Buffer overflow in the UUDeview package, as used in WinZip 6.2 through WinZip 8.1 SR-1, and possibly other packages, allows remote attackers to execute arbitrary code via a MIME archive with certain long MIME parameters.

Evaluator Description

This was fixed in WinZip 8.1 SR-2 in March of 2004. You can find more information on the subject on the following pages of the WinZip site: http://www.winzip.com/wz81sr2.htm and http://www.winzip.com/fmwz90.htm

Basic Data

Published: November 23, 2004
Last Modified: July 11, 2017
Assigner: cve@mitre.org
Data Type: CVE
Data Format: MITRE
Data Version: 4.0
Problem Type: NVD-CWE-Other
CVE Data Version: 4.0

Base Metric V2

CVSS 2 - Version: 2.0
CVSS 2 - Vector String: AV:N/AC:L/Au:N/C:C/I:C/A:C
CVSS 2 - Access Vector: NETWORK
CVSS 2 - Access Complexity: LOW
CVSS 2 - Authentication: NONE
CVSS 2 - Confidentiality Impact: COMPLETE
CVSS 2 - Availability Impact: COMPLETE
CVSS 2 - Base Score: 10.0
Severity: HIGH
Exploitability Score: 10.0
Impact Score: 10.0
Obtain All Privilege: true
Obtain User Privilege: false
Obtain Other Privilege: false

Base Metric V3

No data provided.

Configurations

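  • OR - Configuration 1
    Cpe Version | Part | Vendor | Product | Version | Update | Edition | Language | SW Edition | Target SW | Target HW | Other | Version Start Including | Version End Including | Version Start Excluding | Version End Excluding
    2.3 | Application | Openpkg | Openpkg | * | * | * | * | * | * | * | * | | | |
    2.3 | Application | Uudeview | Uudeview | 0.5.18 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Uudeview | Uudeview | 0.5.19 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Winzip | Winzip | 7.0 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Winzip | Winzip | 8.0 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Winzip | Winzip | 8.1 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Winzip | Winzip | 8.1 | sr1 | * | * | * | * | * | * | | | |
  • OR - Configuration 2
    Cpe Version | Part | Vendor | Product | Version | Update | Edition | Language | SW Edition | Target SW | Target HW | Other | Version Start Including | Version End Including | Version Start Excluding | Version End Excluding
    2.3 | OS | Gentoo | Linux | 1.4 | * | * | * | * | * | * | * | | | |
    2.3 | OS | Gentoo | Linux | 1.4 | rc1 | * | * | * | * | * | * | | | |
    2.3 | OS | Gentoo | Linux | 1.4 | rc2 | * | * | * | * | * | * | | | |
    2.3 | OS | Gentoo | Linux | 1.4 | rc3 | * | * | * | * | * | * | | | |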

Vulnerable Software List

Vendor | Product | Versions
Openpkg | Openpkg | *
Winzip | Winzip | 7.0, 8.0, 8.1
Uudeview | Uudeview | 0.5.18, 0.5.19
Gentoo | Linux | 1.4

References

Name | Source | URL | Tags
10995 | SECUNIA | http://secunia.com/advisories/10995 |
11019 | SECUNIA | http://secunia.com/advisories/11019 |
O-092 | CIAC | http://www.ciac.org/ciac/bulletins/o-092.shtml |
20040227 WinZip MIME Parsing Buffer Overflow Vulnerability | IDEFENSE | http://www.idefense.com/application/poi/display?id=76&type=vulnerabiliti&flashstatus=true |
VU#116182 | CERT-VN | http://www.kb.cert.org/vuls/id/116182 | Third Party Advisory, US Government Resource
http://www.openpkg.org/security/OpenPKG-SA-2004.006-uudeview.html | CONFIRM | http://www.openpkg.org/security/OpenPKG-SA-2004.006-uudeview.html |
4119 | OSVDB | http://www.osvdb.org/4119 |
9758 | BID | http://www.securityfocus.com/bid/9758 | Exploit, PATCH, Vendor Advisory
http://www.winzip.com/fmwz90.htm | CONFIRM | http://www.winzip.com/fmwz90.htm |
winzip-mime-bo(15336) | XF | https://exchange.xforce.ibmcloud.com/vulnerabilities/15336 |
uudeview-multiple-bo(15490) | XF | https://exchange.xforce.ibmcloud.com/vulnerabilities/15490 |