
Andreas Tscharner

#27005 of 53,638
9.3 CVSS total
Vulnerabilities · 1
PT-2010-1022
9.3
2010-09-15
March Hare · Cvsnt · CVE-2010-1326
**Name of the Vulnerable Software and Affected Versions**

CVSNT versions 2.0.58, 2.5.01, 2.5.02, 2.5.03 before build 3736, 2.5.04 before build 2862

CVS Suite versions 2.5.03, 2008 before build 3736, and 2009 before 3729

**Description**

The issue allows remote attackers to bypass the permissions check, modify arbitrary modules and directories within CVSROOT, and execute arbitrary code via a crafted branch name ACL. This is possibly related to incorrect inheritance. Multiple vulnerabilities in the cvsnt package of the Debian GNU/Linux operating system can be exploited remotely, leading to a violation of confidentiality, integrity, and availability of protected information.

**Recommendations**

For CVSNT versions 2.0.58, 2.5.01, 2.5.02, 2.5.03 before build 3736, and 2.5.04 before build 2862, update to a version with build 3736 or later for 2.5.03, and build 2862 or later for 2.5.04.

For CVS Suite versions 2.5.03, 2008 before build 3736, and 2009 before 3729, update to a version with build 3736 or later for 2008, and build 3729 or later for 2009.

As a temporary workaround, consider restricting access to the CVSROOT directory to minimize the risk of exploitation.