VDB
CVE-2000-1209
CVE-2000-1209
PUBLISHED
KEV
CVSS 10 CRITICAL
The "sa" account is installed with a default null password on (1) Microsoft SQL Server 2000, (2) SQL Server 7.0, and (3) Data Engine (MSDE) 1.0, including third party packages that use these products such as (4) Tumbleweed Secure Mail (MMS) (5) Compaq Insight Manager, and (6) Visio 2000, which allows remote attackers to gain privileges, as exploited by worms such as Voyager Alpha Force and Spida.
EPSS 88.44% · 99.5th percentile
Risk Scores
CVSS 2.0
10
EPSS Score
88.44%
99.5th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| compaq | insight_manager | 7.0, 7.0 |
| compaq | insight_manager_xe | 2.1c, 2.2, 1.1 |
| n/a | n/a | n/a |
| microsoft | msde | 2000 |
| microsoft | data_engine | 1.0 |
Timeline
- Aug 10, 2002 CVE Published
- Sep 23, 2010 PoC Published
- Dec 21, 2010 PoC Published
- Feb 8, 2011 PoC Published
- May 29, 2018 PoC Published
- Feb 4, 2022 EPSS Score
- Mar 29, 2022 EPSS Score
- May 20, 2022 EPSS Score
- Sep 4, 2022 EPSS Score
- Oct 27, 2022 EPSS Score
- Dec 18, 2022 EPSS Score
- Feb 9, 2023 EPSS Score
References
- http://www.kb.cert.org/vuls/id/635463 patch
- 3570 vdb
- 4797 vdb
- 20000710 MSDE / Re: Default Password Database mailing-list
- mssql-no-sapassword(1459) vdb
- http://www.microsoft.com/security/security_bulletins/ms02020_sql.asp url
- 20000816 Released Patch: Tumbleweed Worldsecure (MMS) BLANK 'sa' account password mailing-list
- 20020522 Opty-Way Enterprise includes MSDE with sa <blank> mailing-list
- Q313418 vendor-advisory
- 20000810 Tumbleweed Worldsecure (MMS) BLANK 'sa' account password mailing-list
- Q321081 vendor-advisory
- 20000815 MS-SQL 'sa' user exploit code mailing-list
- https://nvd.nist.gov/vuln/detail/CVE-2000-1209 advisory
- http://support.microsoft.com/default.aspx?scid=kb;EN-US;q321081 url
- http://support.microsoft.com/default.aspx?scid=kb;[LN];Q313418 url