CVE-2010-0005 in ViewVCinfo

Summary

by MITRE

query.py in the query interface in ViewVC before 1.1.3 does not reject configurations that specify an unsupported authorizer for a root, which might allow remote attackers to bypass intended access restrictions via a query.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 04/29/2026

The vulnerability described in CVE-2010-0005 affects ViewVC versions prior to 1.1.3, specifically within the query.py component of the query interface. This flaw represents a critical authorization bypass issue that undermines the security controls designed to protect repository access. The vulnerability stems from insufficient validation mechanisms within the configuration parsing logic, allowing malicious actors to exploit improperly configured authorizer settings.

The technical implementation flaw occurs when the query.py script processes configuration files that specify unsupported authorizers for root directories. In normal operation, ViewVC should validate that authorizer types are supported and properly configured before applying access controls. However, the pre-1.1.3 versions of ViewVC fail to reject invalid authorizer configurations, creating a scenario where attackers can manipulate query parameters to circumvent intended access restrictions. This represents a classic case of insufficient input validation and configuration sanitization.

The operational impact of this vulnerability is significant as it allows remote attackers to bypass access controls that should restrict repository access based on user permissions. An attacker could construct specific queries that exploit the misconfigured authorizer settings to gain unauthorized access to protected repository content. This vulnerability particularly affects environments where ViewVC is used to serve version control repositories with strict access controls, potentially exposing sensitive source code, configuration files, or other proprietary information to unauthorized parties.

This vulnerability aligns with CWE-284, which describes improper access control issues, and represents a failure in authorization validation. The attack vector can be classified under ATT&CK technique T1078 for valid accounts and T1566 for social engineering through query manipulation. Organizations using vulnerable versions of ViewVC should immediately implement the patch released in version 1.1.3, which properly validates authorizer configurations and rejects unsupported settings. Additionally, administrators should conduct thorough configuration reviews to ensure all authorizer settings are properly validated and that no unsupported configurations exist in their ViewVC deployments.

Reservation

12/14/2009

Disclosure

01/29/2010

Moderation

accepted

Entry

VDB-51710

CPE

ready

EPSS

0.01688

KEV

no

Activities

very low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!