
Bug 407121 (CVE-2012-1118)

Summary: <www-apps/mantisbt-1.2.11: multiple vulnerabilities (CVE-2012-{1118,1119,1120,1121,1122,1123})
Product: Gentoo Security
Reporter: David Hicks <david>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Severity: minor
CC: pva, web-apps
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B4 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 420375    
Bug Blocks:    

Description David Hicks 2012-03-06 14:20:27 UTC
Multiple severe vulnerabilities exist in <www-apps/mantisbt-1.2.9 as summarised at [1] (oss-security mailing list, where CVE requests have also been requested).

The MantisBT project has released version 1.2.9[2] resolving these vulnerabilities.

An urgent bump of the existing version 1.2.8 package in the tree to 1.2.9 and removal of 1.2.8 is requested.


Reproducible: Always
Comment 1 David Hicks 2012-03-06 22:31:57 UTC
CVE-2012-1118 MantisBT 1.2.8 10124 array value for
$g_private_bug_threshold configuration option allows bypass of access

CVE-2012-1119 MantisBT 1.2.8 13816 copy/clone bug report action failed
to leave an audit trail

CVE-2012-1120 MantisBT 1.2.8 13656
delete_bug_threshold/bugnote_allow_user_edit_delete access check bypass

CVE-2012-1121 MantisBT 1.2.8 13561 managers of specific projects could
update global category settings

CVE-2012-1122 MantisBT 1.2.8 13748 incorrect access checks performed
when moving bugs between projects

CVE-2012-1123 MantisBT 1.2.8 13901 SOAP API null password
authentication bypass
Comment 2 Tim Sammut (RETIRED) gentoo-dev 2012-03-07 02:04:26 UTC
Thanks, David!
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2012-07-13 21:24:23 UTC
CVE-2012-1123:
  The mci_check_login function in api/soap/mc_api.php in the SOAP API in
  MantisBT before 1.2.9 allows remote attackers to bypass authentication via a
  null password.

CVE-2012-1122:
  bug_actiongroup.php in MantisBT before 1.2.9 does not properly check the
  report_bug_threshold permission of the receiving project when moving a bug
  report, which allows remote authenticated users with the
  report_bug_threshold and move_bug_threshold privileges for a project to
  bypass intended access restrictions and move bug reports to a different

CVE-2012-1121:
  MantisBT before 1.2.9 does not properly check permissions, which allows
  remote authenticated users with manager privileges to (1) modify or (2)
  delete global categories.

CVE-2012-1120:
  The SOAP API in MantisBT before 1.2.9 does not properly enforce the
  bugnote_allow_user_edit_delete and delete_bug_threshold permissions, which
  allows remote authenticated users with read and write SOAP API privileges to
  delete arbitrary bug reports and bug notes.

CVE-2012-1119:
  MantisBT before 1.2.9 does not audit when users copy or clone a bug report,
  which makes it easier for remote attackers to copy bug reports without

CVE-2012-1118:
  The access_has_bug_level function in core/access_api.php in MantisBT before
  1.2.9 does not properly restrict access when the private_bug_view_threshold
  is set to an array, which allows remote attackers to bypass intended
  restrictions and perform certain operations on private bug reports.
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2012-11-08 10:42:59 UTC
This issue was resolved and addressed in
 GLSA 201211-01 at
by GLSA coordinator Tobias Heinlein (keytoaster).