CVS 1.11.x before 1.11.17, and 1.12.x before 1.12.9, allows remote attackers to determine the existence of arbitrary files and directories via the -X command for an alternate history file, which causes different error messages to be returned.
The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not.
| Link | Tags |
|---|---|
| http://www.securityfocus.com/bid/10955 | patch vdb entry vendor advisory broken link third party advisory |
| http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2004:108 | vendor advisory broken link |
| https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10688 | signature vdb entry broken link |
| http://www.idefense.com/application/poi/display?id=130&type=vulnerabilities | vendor advisory broken link third party advisory |
| https://exchange.xforce.ibmcloud.com/vulnerabilities/17001 | third party advisory vdb entry |
| http://www.kb.cert.org/vuls/id/579225 | patch third party advisory us government resource |