mantisbt : multiple vulnerabilities
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Fedora | Fix Released | Low | | |
| Gentoo Linux | Fix Released | Low | | |
| mantis (Debian) | Fix Released | Unknown | | |
| mantis (Ubuntu) | Triaged | Undecided | Unassigned | |
Bug Description
MantisBT 1.2.11 is a security update for the stable 1.2.x branch.
CVE requests for 2 issues have been sent to <email address hidden> as follows:

CVE REQUEST #1
Title: Reporters can edit arbitrary bugnotes via SOAP API
Affected: MantisBT 1.2.10 and earlier versions
Not affected: MantisBT 1.2.11
Description:
Roland Becker and Damien Regad (MantisBT developers) found that any user
able to report issues via the SOAP interface could also modify any
bugnotes (comments) created by other users. In a default/typical
MantisBT installation, the SOAP API is enabled and any user can sign up to
report new issues. This vulnerability therefore impacts many
public-facing MantisBT installations.
References:
[1] http://www.mantisbt.org/bugs/view.php?id=14340

CVE REQUEST #2
Title: delete_attachments_threshold not checked on attachment deletion
Affected: MantisBT 1.2.10 and earlier versions
Not affected: MantisBT 1.2.11
Description:
Roland Becker (MantisBT developer) found that the
delete_attachments_threshold permission was not being checked when a
user attempted to delete an attachment from an issue. The more generic
update_bug_threshold permission was being checked instead. MantisBT
administrators may have been under the false impression that their
configuration of the delete_attachments_threshold was successfully
preventing unwanted users from deleting attachments.
References:
[1] http://www.mantisbt.org/bugs/view.php?id=14016
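A small model of the two access checks, added here as an illustration and not MantisBT's own code: the access-level constants and threshold names follow MantisBT's conventions, but the configuration values, user ids and function names are assumptions for the example. It shows why consulting update_bug_threshold instead of delete_attachments_threshold lets a reporter delete attachments, and why a bugnote update that only verifies the right to report issues lets a reporter edit another user's note.

```python
# Illustrative model of MantisBT-style threshold checks (not MantisBT code).
# Access levels match MantisBT's constants; the CONFIG values below are a
# constructed example of a site where an admin tightened attachment deletion.
VIEWER, REPORTER, UPDATER, DEVELOPER, MANAGER = 10, 25, 40, 55, 70

CONFIG = {
    "report_bug_threshold": REPORTER,
    "update_bug_threshold": REPORTER,           # reporters may edit their issues
    "delete_attachments_threshold": DEVELOPER,  # admin intent: developers only
    "update_bugnote_threshold": DEVELOPER,      # editing other users' notes
}

def has_level(user_level, threshold_name):
    """Threshold check: the user's level must reach the configured threshold."""
    return user_level >= CONFIG[threshold_name]

# --- CVE request #2: attachment deletion --------------------------------
def can_delete_attachment_vulnerable(user_level):
    # 1.2.10 behaviour: the generic update threshold was consulted, so the
    # delete_attachments_threshold setting had no effect at all.
    return has_level(user_level, "update_bug_threshold")

def can_delete_attachment_fixed(user_level):
    return has_level(user_level, "delete_attachments_threshold")

# --- CVE request #1: bugnote editing via the SOAP API -------------------
def can_edit_bugnote_vulnerable(user_level, user_id, note_author_id):
    # Only the right to report issues was verified; note ownership was ignored.
    return has_level(user_level, "report_bug_threshold")

def can_edit_bugnote_fixed(user_level, user_id, note_author_id):
    # Own note: reporter level suffices; someone else's note: needs the
    # update_bugnote_threshold.
    if user_id == note_author_id:
        return has_level(user_level, "report_bug_threshold")
    return has_level(user_level, "update_bugnote_threshold")

def audit_reporter():
    """What a self-registered reporter (id 7, assumed) may do to another
    user's (id 3, assumed) attachment or bugnote under each check."""
    return {
        "delete_attachment_before": can_delete_attachment_vulnerable(REPORTER),
        "delete_attachment_after": can_delete_attachment_fixed(REPORTER),
        "edit_others_note_before": can_edit_bugnote_vulnerable(REPORTER, 7, 3),
        "edit_others_note_after": can_edit_bugnote_fixed(REPORTER, 7, 3),
        "edit_own_note_after": can_edit_bugnote_fixed(REPORTER, 7, 7),
    }

if __name__ == "__main__":
    for check, allowed in audit_reporter().items():
        print(f"{check}: {'allowed' if allowed else 'denied'}")
```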
affects: mantis (Fedora) → fedora
visibility: private → public
Changed in mantis (Debian):
status: Unknown → Fix Released
Changed in gentoo:
importance: Unknown → Low
Changed in gentoo:
status: Unknown → Fix Released
Changed in fedora:
importance: Unknown → Low
status: Unknown → Fix Released
Reproducible: Always