SWATCH events that have been "throttled" may fail to be reported at a later date
|swatch-event-reporting-failure (9100)||Low Risk|
When the same event occurs multiple times in SWATCH, a "throttle" can be placed on the event to prevent multiple alerts. A vulnerability in the "throttle" code in SWATCH versions 3.0.3 and 3.0.4 could cause certain events that have been "throttled" to go unreported when they occur the next month.
No remedy available as of September 1, 2014.
- BugTraq Mailing List, Wed May 15 2002 - 07:48:40 CDT: swatch bug in throttle.
- SWATCH Web site: SWATCH: The Simple WATCHer.
- BID-4746: Swatch Throttled Event Reporting Vulnerability
- CVE-2002-0896: The throttle capability in Swatch may fail to report certain events if (1) the same type of event occurs after the throttle period, or (2) when multiple events matching the same watchfor expression do not occur after the throttle period, which could allow attackers to avoid detection.
- OSVDB ID: 14447: Swatch Throttled Events Notification Bypass
- Todd Atkins SWATCH 3.0.3
- Todd Atkins Swatch 3.0.4
May 15, 2002