Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 526
Alerts This Week
Warning Icon 1 526

Debian 9: DSA-3882-1 Critical: Request Tracker Remote Code Execution

debian
Calendar Grey June 15, 2017
Debian Logo
Alert regarding major security flaws in Request Tracker that jeopardize user data; suggested patch now accessible.
Multiple vulnerabilities have been discovered in Request Tracker, an extensible trouble-ticket tracking system

Summary

CVE-2016-6127

It was discovered that Request Tracker is vulnerable to a cross-site
scripting (XSS) attack if an attacker uploads a malicious file with
a certain content type. Installations which use the
AlwaysDownloadAttachments config setting are unaffected by this
flaw. The applied fix addresses all existant and future uploaded
attachments.

CVE-2017-5361

It was discovered that Request Tracker is vulnerable to timing
side-channel attacks for user passwords.

CVE-2017-5943

It was discovered that Request Tracker is prone to an information
leak of cross-site request forgery (CSRF) verification tokens if a
user is tricked into visiting a specially crafted URL by an
attacker.


CVE-2017-5944

It was discovered that Request Tracker is prone to a remote code
execution vulnerability in the dashboard subscription interface. A
privileged attacker can take advantage of this flaw through
carefully-crafted saved search names to cause unexpected code to be
...

Read the Full Advisory

Severity
critical
Lowest
Low
Medium
High
Critical

Package: request-tracker4
CVE ID: CVE-2016-6127 CVE-2017-5361 CVE-2017-5943 CVE-2017-5944

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.