VYPR
← All advisories
Unrated severityNVD Advisory· Published Dec 31, 2004· Updated Jun 16, 2026

CVE-2004-0952

CVE-2004-0952

Description

HP-UX B.11.00 through B.11.23, when running Ignite-UX and using the add_new_client command, causes the TFTP server to set world-writable permissions on part of the directory tree, which allows remote attackers to modify data or cause disk consumption.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

6
  • Microfocus/Hpux4 versions
    cpe:2.3:o:hp:hp-ux:11.00:*:*:*:*:*:*:*+ 3 more
    • cpe:2.3:o:hp:hp-ux:11.00:*:*:*:*:*:*:*
    • cpe:2.3:o:hp:hp-ux:11.11:*:*:*:*:*:*:*
    • cpe:2.3:o:hp:hp-ux:11.22:*:*:*:*:*:*:*
    • cpe:2.3:o:hp:hp-ux:11.23:*:ia64_64-bit:*:*:*:*:*
  • Microfocus/Ignite UXllm-fuzzy
  • HPE/HP-UXllm-fuzzy
    Range: 11.00 through 11.23

Patches

Vulnerability mechanics

Root cause

"The `add_new_client` command in Ignite-UX causes the TFTP server to create part of its directory tree with world-writable permissions, allowing unauthorized remote modification of data."

Attack vector

An attacker can remotely exploit unsafe file permissions set by the Ignite-UX TFTP server after `add_new_client` is run. The world-writable permissions on directory tree portions allow unauthorized network access to modify client data or consume disk space on the Ignite-UX server. No authentication is required beyond network access to the vulnerable service. [ref_id=1]

Affected code

The vulnerability exists in the Ignite-UX component of HP-UX B.11.00, B.11.11, B.11.22, and B.11.23. The `add_new_client` command combined with the TFTP server causes unsafe file permissions to be set on part of the directory tree, making it world-writable. [ref_id=1]

What the fix does

The fix upgrades Ignite-UX to revision C.6.2.241 or later, which corrects the file permission problem. The advisory directs administrators to install the appropriate depot package from the HP software depot, and no code diff is provided in the bundle. After installing the update and restarting Ignite-UX (and possibly the TFTP service), world-writable directories are no longer created. [ref_id=1]

Preconditions

  • configThe Ignite-UX server must be running on an affected HP-UX version (B.11.00, B.11.11, B.11.22, B.11.23).
  • inputThe TFTP server must be active and the `add_new_client` command must have been executed, creating world-writable directories.
  • networkThe attacker must have network access to the TFTP service on the Ignite-UX server.

Generated on Jun 16, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

6

News mentions

0

No linked articles in our index yet.