LiveActive security incident?Get immediate response
CVE Record

CVE-2000-0803: GNU Groff uses the current working directory to find a device description file, which allows a local user t...

GNU Groff uses the current working directory to find a device description file, which allows a local user to gain additional privileges by including a malicious postpro directive in the description file, which is executed when another user runs groff.

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysisunknown

Security readout for executives and security teams

Plain-English summary

CVE-2000-0803 describes a GNU Groff local privilege issue. Groff may look in the current working directory for a device description file, allowing a local user to influence execution when another user runs Groff. The source bundle does not identify affected versions, patch status, or active exploitation.

Executive priority

Do not treat this as an internet-facing emergency based on the bundle. Prioritize it during legacy system and shared-host hardening, especially where local users have shell access or where privileged automation runs Groff.

Technical view

The flaw involves GNU Groff device description file lookup from the current working directory. A malicious local file could include a postpro directive that Groff executes under the context of another user running Groff. No CVSS, CWE, version range, or vendor fix details are provided in the bundle.

Likely exposure

Exposure is most plausible on legacy Unix/Linux systems where GNU Groff is installed and multiple local users share writable directories, shell access, or build/documentation workflows. The provided affected-product data is marked n/a, so version-specific exposure cannot be confirmed from the bundle.

Exploitation context

The CVE describes local privilege gain, not remote exploitation. It requires local placement or influence over files in a working directory used by another Groff-running user. CISA KEV status is false, and the bundle provides no evidence of active exploitation.

Researcher notes

Evidence is sparse. The source bundle confirms the vulnerable behavior and local privilege impact, but not affected versions, fixed versions, CVSS, CWE, or exploit prevalence. Further analysis should start with distribution advisories and historical GNU Groff package changelogs.

Mitigation direction

  • Inventory systems with GNU Groff installed, especially shared or legacy Unix/Linux hosts.
  • Check operating system and GNU Groff vendor guidance for fixed package versions.
  • Restrict untrusted local users from shared writable working directories used by privileged workflows.
  • Avoid running Groff from directories writable by lower-privileged users.
  • Treat affected shared hosts as higher priority than single-user workstations.

Validation and detection

  • Confirm whether GNU Groff is installed on managed systems.
  • Identify hosts where multiple local users can write to shared working directories.
  • Review documentation, build, or print workflows that run Groff with elevated privileges.
  • Check vendor package changelogs for CVE-2000-0803 remediation references.
  • Record uncertainty where package version mapping is unavailable.
Prepared
Confidence
medium
Sources
3

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2000-0803 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
0Timeline events
0ADP providers
2Source links

CVSS and timeline data

No CVSS vectors or timeline events were available in the normalized CVE source material.

Source materials

Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
n/an/an/aListed
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.