Debian 7 DLA-987-1 Critical: Request Tracker Remote Code Execution
debian lts
June 15, 2017
Multiple vulnerabilities have been discovered in Request Tracker, an extensible trouble-ticket tracking system
Topics Covered
Summary
It was discovered that Request Tracker is vulnerable to a cross-site
scripting (XSS) attack if an attacker uploads a malicious file with
a certain content type. Installations which use the
AlwaysDownloadAttachments config setting are unaffected by this
flaw. The applied fix addresses all existant and future uploaded
attachments.
CVE-2017-5361
It was discovered that Request Tracker is vulnerable to timing
side-channel attacks for user passwords.
CVE-2017-5943
It was discovered that Request Tracker is prone to an information
leak of cross-site request forgery (CSRF) verification tokens if a
user is tricked into visiting a specially crafted URL by an
attacker.
CVE-2017-5944
It was discovered that Request Tracker is prone to a remote code
execution vulnerability in the dashboard subscription interface. A
privileged attacker can take advantage of this flaw through
carefully-crafted saved search names to cause unexpected code to be
PREVIOUS
NEXT
Severity
critical
Lowest
Low
Medium
High
Critical
<pre><font face="Courier">Package: request-tracker4
Version: 4.0.7-5+deb7u5
CVE ID: CVE-2016-6127 CVE-2017-5361 CVE-2017-5943 CVE-2017-5944
Topics Covered
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Related News
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!