CVE-2004-0884
cyrus-sasl-mit - unsanitised input
EPSS 0.51%
Description
The (1) libsasl and (2) libsasl2 libraries in Cyrus-SASL 2.1.18 and earlier trust the SASL_PATH environment variable to find all available SASL plug-ins, which allows local users to execute arbitrary code by modifying the SASL_PATH to point to malicious programs.
How to fix CVE-2004-0884
To remediate CVE-2004-0884, upgrade the affected package to a fixed version below.
- Debian/cyrus-sasl—upgrade to 1.5.27-3.1woody5 or later
- Debian/cyrus-sasl2—upgrade to 2.1.19-1.3 or later
- —upgrade to 1.5.24-15woody3 or later
Is CVE-2004-0884 being exploited?
Low — EPSS is 0.5%, meaning exploitation activity has not been observed at scale.
Affected packages (3)
- from 0, < 1.5.27-3.1woody5
- from 0, < 2.1.19-1.3
- from 0, < 1.5.24-15woody3