Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 569
Alerts This Week
Warning Icon 1 569

Debian: DSA-2220-1 Critical: Request Tracker Remote Attacks Overview

debian
Calendar Grey April 19, 2011
Scroller Debian
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - ----------------------------------------------------
Several vulnerabilities were in Request Tracker, an issue tracking system

Summary

Several vulnerabilities were in Request Tracker, an issue tracking
system.

CVE-2011-1685
If the external custom field feature is enabled, Request Tracker
allows authenticated users to execute arbitrary code with the
permissions of the web server, possible triggered by a cross-site
request forgery attack. (External custom fields are disabled by
default.)

CVE-2011-1686
Multiple SQL injection attacks allow authenticated users to obtain
data from the database in an unauthorized way.

CVE-2011-1687
An information leak allows an authenticated privileged user to
obtain sensitive information, such as encrypted passwords, via the
search interface.

CVE-2011-1688
When running under certain web servers (such as Lighttpd), Request
Tracker is vulnerable to a directory traversal attack, allowing
attackers to read any files accessible to the web server. Request
Tracker instances running under Apache or Nginx are not affected.

CVE-2011-1689
Request Tracker con...

Read the Full Advisory

Severity
critical
Lowest
Low
Medium
High
Critical

Package: request-tracker3.6, request-tracker3.8
CVE ID: CVE-2011-1685 CVE-2011-1686 CVE-2011-1687 CVE-2011-1688

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.