CVE-2002-1138

Published: Oct 11, 2002Modified: Apr 16, 2026

7.5

Vector

AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitability: 10.0 / Impact: 6.4

Source: NVD

Description

Microsoft SQL Server 7.0 and 2000, including Microsoft Data Engine (MSDE) 1.0 and Microsoft Desktop Engine (MSDE) 2000, writes output files for scheduled jobs under its own privileges instead of the entity that launched it, which allows attackers to overwrite system files, aka "Flaw in Output File Handling for Scheduled Jobs."

Affected (10)

Products: Microsoft: Data Engine, Sql Server

Microsoft

2 products

Data Engine

Sql Server

Configuration A

10 vulnerable

Vulnerable Software	Affected Versions
Microsoft Data Engine	Version 1.0
Microsoft Data Engine	Version 2000
Microsoft Sql Server	Version 2000
Microsoft Sql Server	Version 2000 sp1
Microsoft Sql Server	Version 2000 sp2
Microsoft Sql Server	Version 7.0
Microsoft Sql Server	Version 7.0 sp1
Microsoft Sql Server	Version 7.0 sp2
Microsoft Sql Server	Version 7.0 sp3
Microsoft Sql Server	Version 7.0 sp4

References (6)

http://www.ciac.org/ciac/bulletins/n-003.shtml

Source: cve@mitre.org

http://www.iss.net/security_center/static/10257.php

Source: cve@mitre.org

Vendor Advisory

https://docs.microsoft.com/en-us/security-updates/securitybulletins/2002/ms02-056

Source: cve@mitre.org

http://www.ciac.org/ciac/bulletins/n-003.shtml

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.iss.net/security_center/static/10257.php

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

https://docs.microsoft.com/en-us/security-updates/securitybulletins/2002/ms02-056

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.