CVE-2002-1138

Microsoft SQL Server 7.0 and 2000, including Microsoft Data Engine (MSDE) 1.0 and Microsoft Desktop Engine (MSDE) 2000, writes output files for scheduled jobs under its own privileges instead of the entity that launched it, which allows attackers to overwrite system files, aka "Flaw in Output File Handling for Scheduled Jobs."

Published: Oct 11, 2002
Updated: Apr 13, 2023
CVE: CVE-2002-1138
Severity: High
Exploit:

CVSS v2:

Severity: High
Score: 7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P

No CWE or OWASP classifications available.

Affected Software
References

Software	From	Fixed in
microsoft / sql_server	7.0-sp1	7.0-sp1.x
microsoft / sql_server	2000-sp2	2000-sp2.x
microsoft / sql_server	7.0	7.0.x
microsoft / data_engine	1.0	1.0.x
microsoft / sql_server	2000	2000.x
microsoft / sql_server	2000-sp1	2000-sp1.x
microsoft / data_engine	2000	2000.x
microsoft / sql_server	7.0-sp3	7.0-sp3.x
microsoft / sql_server	7.0-sp4	7.0-sp4.x
microsoft / sql_server	7.0-sp2	7.0-sp2.x

http://www.ciac.org/ciac/bulletins/n-003.shtml
http://www.iss.net/security_center/static/10257.php
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2002/ms02-056

Vulnerability Database

289,599

CVE-2002-1138