| Summary: | www-apps/mantisbt: Null byte poisoning issue with LDAP authentication (CVE-2014-6387) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Kristian Fiskerstrand (RETIRED) <k_f> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | david, proxy-maint, pva, web-apps |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://seclists.org/oss-sec/2014/q3/590 | | |
| Whiteboard: | B3 [ebuild] | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | 531896 | | |
| Bug Blocks: | | | |
Description
Kristian Fiskerstrand (RETIRED)
2014-09-12 14:08:54 UTC
CVE-2014-6387 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6387): gpc_api.php in MantisBT 1.2.17 and earlier allows remote attackers to bypass authentication via a password starting with a null byte, which triggers an unauthenticated bind.

This is fixed in version 1.2.18: http://www.mantisbt.org/bugs/view.php?id=17640

Multiple vulnerabilities spread across 9 different bugs. No movement from maintainers in over a year. Package removed.
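The failure mode described above (a password whose first byte is NUL is truncated to an empty string at the C boundary, and an LDAP simple bind with a DN but an empty password is treated as an unauthenticated bind) is illustrated below. This is an added example, not MantisBT code and not the project's actual patch; the LDAP server is a constructed in-memory stand-in and the hardened checks are the ones a caller should apply, stated as an assumption rather than as a description of the 1.2.18 fix.

```python
# Constructed illustration of CVE-2014-6387's mechanism and a defensive caller.
# Nothing here is MantisBT code; the "directory" and DN are made-up sample data.

def c_str(value: str) -> str:
    """Model a string crossing into a C API such as ldap_bind():
    everything from the first NUL byte onward is dropped, so "\\0x" becomes ""."""
    nul = value.find("\0")
    return value if nul < 0 else value[:nul]


def fake_ldap_simple_bind(dn: str, password: str) -> str:
    """Constructed stand-in for an LDAP server's simple bind.
    RFC 4513 calls a bind with a name but an empty password an
    *unauthenticated* bind; servers that allow it report success,
    which a naive caller cannot distinguish from a real authentication."""
    directory = {"uid=alice,ou=people,dc=example,dc=org": "correct horse"}
    password = c_str(password)  # the truncation that turns "\0..." into ""
    if password == "":
        return "anonymous"  # unauthenticated bind accepted by the server
    if directory.get(dn) == password:
        return "authenticated"
    return "failed"


def naive_login(dn: str, password: str) -> bool:
    """Vulnerable pattern: any bind that did not fail counts as a login,
    so a NUL-prefixed password logs the caller in as `dn`."""
    return fake_ldap_simple_bind(dn, password) != "failed"


def hardened_login(dn: str, password: str) -> bool:
    """Defensive pattern (assumed best practice, not MantisBT's patch):
    1. refuse empty passwords before touching LDAP at all,
    2. refuse passwords containing NUL so nothing can be truncated later,
    3. accept only a fully authenticated bind, never an anonymous one."""
    if password == "" or "\0" in password:
        return False
    return fake_ldap_simple_bind(dn, password) == "authenticated"


if __name__ == "__main__":
    dn = "uid=alice,ou=people,dc=example,dc=org"
    print("naive, NUL-prefixed password   :", naive_login(dn, "\0anything"))
    print("hardened, NUL-prefixed password:", hardened_login(dn, "\0anything"))
    print("hardened, real password        :", hardened_login(dn, "correct horse"))
```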