Multiple severe vulnerabilities exist in <www-apps/mantisbt-1.2.9 as summarised at [1] (oss-security mailing list, where CVE requests have also been requested). The MantisBT project has released version 1.2.9 [2] resolving these vulnerabilities.

An urgent bump of the existing version 1.2.8 package in the tree to 1.2.9 and removal of 1.2.8 is requested.

[1] http://www.openwall.com/lists/oss-security/2012/03/06/6
[2] http://www.mantisbt.org/blog/?p=156

Reproducible: Always
CVE-2012-1118 MantisBT 1.2.8 10124 array value for $g_private_bug_threshold configuration option allows bypass of access checks
CVE-2012-1119 MantisBT 1.2.8 13816 copy/clone bug report action failed to leave an audit trail
CVE-2012-1120 MantisBT 1.2.8 13656 delete_bug_threshold/bugnote_allow_user_edit_delete access check bypass via SOAP API
CVE-2012-1121 MantisBT 1.2.8 13561 managers of specific projects could update global category settings
CVE-2012-1122 MantisBT 1.2.8 13748 incorrect access checks performed when moving bugs between projects
CVE-2012-1123 MantisBT 1.2.8 13901 SOAP API null password authentication bypass
Thanks, David!
CVE-2012-1123 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1123): The mci_check_login function in api/soap/mc_api.php in the SOAP API in MantisBT before 1.2.9 allows remote attackers to bypass authentication via a null password.

CVE-2012-1122 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1122): bug_actiongroup.php in MantisBT before 1.2.9 does not properly check the report_bug_threshold permission of the receiving project when moving a bug report, which allows remote authenticated users with the report_bug_threshold and move_bug_threshold privileges for a project to bypass intended access restrictions and move bug reports to a different project.

CVE-2012-1121 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1121): MantisBT before 1.2.9 does not properly check permissions, which allows remote authenticated users with manager privileges to (1) modify or (2) delete global categories.

CVE-2012-1120 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1120): The SOAP API in MantisBT before 1.2.9 does not properly enforce the bugnote_allow_user_edit_delete and delete_bug_threshold permissions, which allows remote authenticated users with read and write SOAP API privileges to delete arbitrary bug reports and bug notes.

CVE-2012-1119 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1119): MantisBT before 1.2.9 does not audit when users copy or clone a bug report, which makes it easier for remote attackers to copy bug reports without detection.

CVE-2012-1118 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1118): The access_has_bug_level function in core/access_api.php in MantisBT before 1.2.9 does not properly restrict access when the private_bug_view_threshold is set to an array, which allows remote attackers to bypass intended restrictions and perform certain operations on private bug reports.
This issue was resolved and addressed in GLSA 201211-01 at http://security.gentoo.org/glsa/glsa-201211-01.xml by GLSA coordinator Tobias Heinlein (keytoaster).