CVE-2008-0379 : Race condition in the Enterprise Tree ActiveX control (EnterpriseControls.dll 11.5.0.313) in Crystal Reports XI Release

Race condition in the Enterprise Tree ActiveX control (EnterpriseControls.dll 11.5.0.313) in Crystal Reports XI Release 2 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via the SelectedSession method, which triggers a buffer overflow.

Published 2008-01-22 20:00:00

Updated 2024-02-02 17:06:56

Source MITRE

View at NVD, CVE.org

Vulnerability category: OverflowExecute codeDenial of service

Exploit prediction scoring system (EPSS) score for CVE-2008-0379

Probability of exploitation activity in the next 30 days: 1.68%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 86 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2008-0379

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
9.3	HIGH	AV:N/AC:M/Au:N/C:C/I:C/A:C	8.6	10.0	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: Complete Integrity Impact: Complete Availability Impact: Complete

CWE ids for CVE-2008-0379

CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

The product performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer.

Assigned by: nvd@nist.gov (Primary)
CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buffer overflow.

Assigned by: nvd@nist.gov (Primary)
CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

The product contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2008-0379

https://exchange.xforce.ibmcloud.com/vulnerabilities/39743

Crystal Reports XI Release 2 (Enterprise Tree Control) ActiveX buffer overflow CVE-2008-0379 Vulnerability Report
Third Party Advisory;VDB Entry
https://www.exploit-db.com/exploits/4931

Crystal Reports XI Release 2 (Enterprise Tree Control) - ActiveX Buffer Overflow (Denial of Service) (PoC) - Windows dos Exploit
Exploit;Third Party Advisory;VDB Entry
http://www.securitytracker.com/id?1019239

GoDaddy Domain Name Search
Broken Link;Third Party Advisory;VDB Entry
http://www.securityfocus.com/bid/27333

Broken Link;Exploit;Third Party Advisory;VDB Entry

Products affected by CVE-2008-0379

Businessobjects » Crystal Reports Xi » Version: R2
cpe:2.3:a:businessobjects:crystal_reports_xi:r2:*:*:*:*:*:*:*
Matching versions

Vulnerability Details : CVE-2008-0379

Exploit prediction scoring system (EPSS) score for CVE-2008-0379

CVSS scores for CVE-2008-0379

CWE ids for CVE-2008-0379

References for CVE-2008-0379

Products affected by CVE-2008-0379