Description
The CVS 1.10.8 server does not properly restrict users from creating arbitrary Checkin.prog or Update.prog programs, which allows remote CVS committers to modify or create Trojan horse programs with the Checkin.prog or Update.prog names and then perform a CVS commit action.
Exploits (1)
exploitdb
WORKING POC
VERIFIED
by Tanaka Akira · text · local · unix
https://www.exploit-db.com/exploits/20108
References (2)
Core 2
Core References
Exploit, Vendor Advisory mailing-list
x_refsource_bugtraq
http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26msg%3Dhvou2daoebb.fsf%40serein.m17n.org
Exploit, Patch, Vendor Advisory vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/1524
Scores
EPSS
0.0036
EPSS Percentile
58.4%
Details
Status
published
Products (1)
cvs/cvs
1.10.8
Published
Oct 20, 2000
Tracked Since
Feb 18, 2026