Format string vulnerability in (1) sastcpd in SAS/Base 8.0 and 8.1 or (2) objspawn in SAS/Integration Technologies 8.0 and 8.1 allows local users to execute arbitrary code via format specifiers in a command line argument.
Conclusion & alert: CVE-2002-0218 is rated Low Risk (33.6/100): CVSS High severity, with low exploitation likelihood (EPSS 0.05%). Mandatory action: Monitor for updates and reassess as exploit intelligence or EPSS changes.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2023-03-07 | 1.75% | 0.05% | -1.70% |
| 2 | 2022-02-04 | — | 1.75% | — |
Full EPSS history (2 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 7.2 | 2.0 | HIGH |
|
3.9 | 10.0 | [email protected] |
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| sas | sas_base | 8.0 | cpe:2.3:a:sas:sas_base:8.0:*:*:*:*:*:*:* |
| sas | sas_base | 8.1 | cpe:2.3:a:sas:sas_base:8.1:*:*:*:*:*:*:* |
| sas | sas_integration_technologies | 8.0 | cpe:2.3:a:sas:sas_integration_technologies:8.0:*:*:*:*:*:*:* |
| sas | sas_integration_technologies | 8.1 | cpe:2.3:a:sas:sas_integration_technologies:8.1:*:*:*:*:*:*:* |