CVE-2010-0935 in Serverinfo

Summary

by MITRE

Perforce Server 2009.2 and earlier, when the protection table is empty, allows remote authenticated users to obtain super privileges via a "p4 protect" command.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 05/01/2026

The vulnerability described in CVE-2010-0935 represents a critical access control flaw within Perforce Server versions 2009.2 and earlier. This issue specifically manifests when the protection table configuration is empty or improperly maintained, creating a security loophole that enables authenticated attackers to escalate their privileges to superuser level. The vulnerability stems from the server's failure to properly validate access controls when no explicit protection rules are defined, allowing malicious users to exploit this configuration gap through legitimate administrative commands.

The technical exploitation occurs through the "p4 protect" command, which is typically used to manage protection rules within the Perforce system. When the protection table is empty, the server fails to enforce proper authorization checks, enabling authenticated users to manipulate their privileges. This flaw operates under CWE-284, which addresses improper access control, and specifically demonstrates how weak access control mechanisms can be bypassed through command execution manipulation. The vulnerability's exploitation path involves leveraging the legitimate administrative interface to issue commands that should normally be restricted to superusers, but due to the empty protection table, these commands are executed with elevated privileges.

The operational impact of this vulnerability extends beyond simple privilege escalation, as it fundamentally undermines the security model of the Perforce version control system. An authenticated attacker who successfully exploits this vulnerability gains complete administrative control over the Perforce server, potentially allowing them to modify or delete versioned files, manipulate user permissions, access confidential source code repositories, and perform other malicious activities that could compromise the entire software development environment. This represents a significant risk to organizations relying on Perforce for source code management, as the compromise of a single authenticated account could lead to complete system takeover.

Organizations should implement immediate mitigations including updating to Perforce Server versions that address this vulnerability, implementing proper protection table configurations with explicit access controls, and conducting regular audits of protection settings. The vulnerability aligns with ATT&CK technique T1068, which covers "Exploitation for Privilege Escalation," and organizations should consider implementing network segmentation to limit access to Perforce servers and establish robust monitoring for unauthorized privilege escalation attempts. Additionally, security administrators should ensure that all protection table configurations are properly maintained and regularly reviewed to prevent similar issues from occurring in other systems that may exhibit similar access control weaknesses.

Reservation

03/05/2010

Disclosure

03/05/2010

Moderation

accepted

Entry

VDB-52092

CPE

ready

EPSS

0.01573

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!