[VIM] duplicative CVE numbers on MS SQL vuln?
Steven M. Christey
coley at linus.mitre.org
Tue Dec 30 18:45:00 UTC 2008
On Mon, 22 Dec 2008, Stuart Moore wrote:
> Hi. Anyone know if today's CVE-2008-4270 (Microsoft SQL Server) is the
> same as the previously reported CVE-2008-5416 (Microsoft SQL Server, as
> disclosed by SEC Consult)?
Microsoft just confirmed that these are the same. We'll be using
CVE-2008-5416 instead of the Microsoft-assigned CVE-2008-4270.
** REJECT **
DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2008-5416. Reason:
This candidate is a duplicate of CVE-2008-5416. Notes: All CVE users
should reference CVE-2008-5416 instead of this candidate. All
references and descriptions in this candidate have been removed to
prevent accidental usage.
Reference: BUGTRAQ:20081209 SEC Consult SA-20081109-0 :: Microsoft SQL Server 2000 sp_replwritetovarbin limited memory overwrite vulnerability
Heap-based buffer overflow in Microsoft SQL Server 2000 8.00.2050,
8.00.2039, and earlier allows remote authenticated users to cause a
denial of service (access violation exception) or execute arbitrary
code by calling the sp_replwritetovarbin extended stored procedure
with a set of crafted parameters that trigger memory overwrite. NOTE:
it was later reported that SQL Server 2005 9.00.1399.06 is also
More information about the VIM