SWATCH events that have been "throttled" may fail to be reported at a later date

swatch-event-reporting-failure (9100) The risk level is classified as LowLow Risk


When the same event occurs multiple times in SWATCH, a "throttle" can be placed on the event to prevent multiple alerts. A vulnerability in the "throttle" code in SWATCH versions 3.0.3 and 3.0.4 could cause certain events that have been "throttled" to go unreported when they occur the next month.




No remedy available as of September 1, 2014.


  • BugTraq Mailing List, Wed May 15 2002 - 07:48:40 CDT: swatch bug in throttle.
  • SWATCH Web site: SWATCH: The Simple WATCHer.
  • BID-4746: Swatch Throttled Event Reporting Vulnerability
  • CVE-2002-0896: The throttle capability in Swatch may fail to report certain events if (1) the same type of event occurs after the throttle period, or (2) when multiple events matching the same watchfor expression do not occur after the throttle period, which could allow attackers to avoid detection.
  • OSVDB ID: 14447: Swatch Throttled Events Notification Bypass

Platforms Affected:

  • Todd Atkins SWATCH 3.0.3
  • Todd Atkins Swatch 3.0.4


May 15, 2002

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email ignore thisxforceignore this@ignore thisus.ignore thisibm.comignore this

Return to the main page