CVE-2002-1138
First published: Fri Oct 11 2002(Updated: )
Microsoft SQL Server 7.0 and 2000, including Microsoft Data Engine (MSDE) 1.0 and Microsoft Desktop Engine (MSDE) 2000, writes output files for scheduled jobs under its own privileges instead of the entity that launched it, which allows attackers to overwrite system files, aka "Flaw in Output File Handling for Scheduled Jobs."
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Microsoft SQL Server Data Engine (MSDE) | =1.0 | |
| Microsoft SQL Server Data Engine (MSDE) | =2000 | |
| Microsoft SQL Server | =7.0 | |
| Microsoft SQL Server | =7.0-sp1 | |
| Microsoft SQL Server | =7.0-sp2 | |
| Microsoft SQL Server | =7.0-sp3 | |
| Microsoft SQL Server | =7.0-sp4 | |
| Microsoft SQL Server | =2000 | |
| Microsoft SQL Server | =2000-sp1 | |
| Microsoft SQL Server | =2000-sp2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2002-1138?
CVE-2002-1138 is categorized as a high severity vulnerability due to its potential to allow attackers to overwrite system files.
How do I fix CVE-2002-1138?
To mitigate CVE-2002-1138, users should apply the latest security patches provided by Microsoft for SQL Server and MSDE.
What impact does CVE-2002-1138 have on my system?
CVE-2002-1138 allows attackers to execute jobs under elevated privileges, which can lead to unauthorized access and modification of critical files.
Which software versions are affected by CVE-2002-1138?
CVE-2002-1138 affects Microsoft SQL Server 7.0, Microsoft SQL Server 2000, Microsoft Data Engine 1.0, and Microsoft Desktop Engine 2000.
Who can be attacked using CVE-2002-1138?
CVE-2002-1138 poses a risk to any user with access to execute scheduled jobs on vulnerable Microsoft SQL Server or MSDE installations.
- agent/type
- agent/softwarecombine
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/severity
- agent/author
- agent/references
- agent/last-modified-date
- agent/description
- agent/event
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/nvd-historical
- vendor/microsoft
- product/sql server
- canonical/microsoft sql server
- product/data engine
- canonical/microsoft data engine
- canonical/microsoft sql server data engine (msde)
- version/microsoft sql server data engine (msde)/1.0
- version/microsoft sql server data engine (msde)/2000
- version/microsoft sql server/7.0
- version/microsoft sql server/7.0-sp1
- version/microsoft sql server/7.0-sp2
- version/microsoft sql server/7.0-sp3
- version/microsoft sql server/7.0-sp4
- version/microsoft sql server/2000
- version/microsoft sql server/2000-sp1
- version/microsoft sql server/2000-sp2