Debian DSA-2500-1 : mantis - several vulnerabilities

NASLDB: Debian DSA-2500-1 : mantis - several vulnerabilities

General

ID: 59778
Name: Debian DSA-2500-1 : mantis – several vulnerabilities

Summary: Checks dpkg output for the updated package

Credits: –

Classification

Risk: –

CVSS: –
CVSS Base Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS Temporal Vector: –

Port: 0
Family: Debian Local Security Checks
Type: Local

Description

Several vulnerabilities were discovered in Mantis, an issue tracking
system.

– CVE-2012-1118
Mantis installation in which the
private_bug_view_threshold configuration option has been
set to an array value do not properly enforce bug
viewing restrictions.

– CVE-2012-1119
Copy/clone bug report actions fail to leave an audit
trail.

– CVE-2012-1120
The delete_bug_threshold/bugnote_allow_user_edit_delete
access check can be bypassed by users who have write
access to the SOAP API.

– CVE-2012-1122
Mantis performed access checks incorrectly when moving
bugs between projects.

– CVE-2012-1123
A SOAP client sending a null password field can
authenticate as the Mantis administrator.

– CVE-2012-2692
Mantis does not check the delete_attachments_threshold
permission when a user attempts to delete an attachment
from an issue.

Exploiting

Exploit Available: –
Exploitability Ease: –

Sources

CVE: CVE-2012-1118
OSVDB: –
Bugtraq: –
scipID: –

Timeline

Vulnerability Disclosure: –
Patch Release: 2012/06/24
Plugin Release: 2012/06/29

Plugin

Version: 1.2
Filename: debian_DSA-2500.nasl
Filesize: 4216 bytes
MD5 Hash: 29f84c5dee8266f2058cd272b16fd6ea

Identification: Host/local_checks_enabled
Require Keys: Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l
Dependencies: "ssh_get_info.nasl"

Letzte Plugins

Letzte Plugins

scip AG