
Debian: DSA-2500-1 Moderate: Mantis Remote Access Issues

June 24, 2012
Six vulnerabilities in the Mantis issue tracker, most of them access-control bypasses, affect the package shipped with Debian; administrators should install the updated package promptly.

Summary

Several vulnerabilities were discovered in Mantis, an issue tracking
system.

CVE-2012-1118
Mantis installations in which the private_bug_view_threshold
configuration option has been set to an array value do not
properly enforce bug viewing restrictions.

CVE-2012-1119
Copy/clone bug report actions fail to leave an audit trail.

CVE-2012-1120
The delete_bug_threshold/bugnote_allow_user_edit_delete
access check can be bypassed by users who have write
access to the SOAP API.

CVE-2012-1122
Mantis performed access checks incorrectly when moving bugs
between projects.

CVE-2012-1123
A SOAP client sending a null password field can authenticate
as the Mantis administrator.

CVE-2012-2692
Mantis does not check the delete_attachments_threshold
permission when a user attempts to delete an attachment from
an issue.

For the stable distribution (squeeze), these problems have been fixed
in version 1.1.8+dfsg-10squeeze2.
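To verify that a squeeze host actually carries the fix, the installed mantis package version has to be compared with 1.1.8+dfsg-10squeeze2 using Debian's version ordering rather than a plain string comparison (a naive compare would rank 10squeeze10 below 10squeeze2). The following is an added example and not part of the Debian advisory: it re-implements the ordering rules from deb-version(5) (epoch, then upstream version, then Debian revision; digit runs compare numerically, a tilde sorts before anything including end of string, letters sort before other characters) and classifies the output of dpkg-query. The dpkg-query lines in the block are constructed samples; the fixed version is the one stated above for squeeze.

```python
r"""Check whether an installed Debian 'mantis' package predates the
DSA-2500-1 fix (1.1.8+dfsg-10squeeze2 on squeeze).

Added example, not from the Debian advisory.  Version ordering follows the
rules dpkg uses (deb-version(5)): epoch, then upstream version, then Debian
revision; digit runs compare numerically, '~' sorts before anything
including the end of the string, letters sort before other characters.
"""

# Fixed version stated in DSA-2500-1 for the stable distribution (squeeze).
FIXED_SQUEEZE = "1.1.8+dfsg-10squeeze2"


def _char_order(c: str) -> int:
    """Ordering weight for one character of a non-digit run (dpkg's order())."""
    if c == "" or c.isdigit():
        return 0           # end of string and digits both end the run
    if c == "~":
        return -1          # '~' sorts before everything, even end-of-string
    if c.isalpha():
        return ord(c)      # letters sort before non-letters
    return ord(c) + 256    # '+', '.', '-' etc. sort after letters


def _fragment_cmp(a: str, b: str) -> int:
    """Compare two version fragments (upstream or revision) like dpkg does."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit run: compare character by character with _char_order.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _char_order(a[i] if i < len(a) else "")
            bc = _char_order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: strip leading zeros, then compare numerically.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        first_diff = 0
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1       # a has more digits left, so it is the larger number
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(version: str):
    """Split '[epoch:]upstream[-revision]' into its three parts."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as Debian version a is older than, equal to or newer than b."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    for x, y in ((ua, ub), (ra, rb)):
        r = _fragment_cmp(x, y)
        if r:
            return -1 if r < 0 else 1
    return 0


def assess_dpkg_line(line: str, fixed: str = FIXED_SQUEEZE) -> str:
    r"""Classify one line of: dpkg-query -W -f='${Package} ${Version} ${Status}\n' mantis

    Returns 'not installed', 'vulnerable' or 'fixed'.
    """
    _package, version, status = line.strip().split(None, 2)
    if not status.endswith("installed"):
        return "not installed"   # removed / config-files only: nothing to patch
    return "vulnerable" if compare_versions(version, fixed) < 0 else "fixed"


if __name__ == "__main__":
    # Constructed sample lines; on a real host read them from dpkg-query.
    samples = [
        "mantis 1.1.8+dfsg-10squeeze1 install ok installed",
        "mantis 1.1.8+dfsg-10squeeze2 install ok installed",
        "mantis 1.1.8+dfsg-10squeeze2 deinstall ok config-files",
    ]
    for sample in samples:
        print(f"{sample!r}: {assess_dpkg_line(sample)}")
```

On an actual Debian host the same decision can be delegated to the package manager with `dpkg --compare-versions "$installed" lt 1.1.8+dfsg-10squeeze2`; the re-implementation above is useful when the check runs off-host, for example over an inventory exported from many machines.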


For the testing distribution (wheezy) and the unstable distribution
(sid), these problems have...


Package: mantis
CVE ID: CVE-2012-1118 CVE-2012-1119 CVE-2012-1120 CVE-2012-1122 CVE-2012-1123 CVE-2012-2692
