Bug 407121 (CVE-2012-1118) - <www-apps/mantisbt-1.2.11: multiple vulnerabilities (CVE-2012-{1118,1119,1120,1121,1122,1123})
Status: RESOLVED FIXED
Alias: CVE-2012-1118
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B4 [glsa]
Depends on: CVE-2012-2691
Reported: 2012-03-06 14:20 UTC by David Hicks
Modified: 2012-11-08 10:42 UTC
Description David Hicks 2012-03-06 14:20:27 UTC
Multiple severe vulnerabilities exist in <www-apps/mantisbt-1.2.9 as summarised at [1] (oss-security mailing list, where CVE requests have also been requested).

The MantisBT project has released version 1.2.9[2] resolving these vulnerabilities.

An urgent bump of the existing version 1.2.8 package in the tree to 1.2.9 and removal of 1.2.8 is requested.

[1] http://www.openwall.com/lists/oss-security/2012/03/06/6
[2] http://www.mantisbt.org/blog/?p=156

Reproducible: Always
Comment 1 David Hicks 2012-03-06 22:31:57 UTC
CVE-2012-1118 MantisBT 1.2.8 10124 array value for
$g_private_bug_threshold configuration option allows bypass of access
checks

CVE-2012-1119 MantisBT 1.2.8 13816 copy/clone bug report action failed
to leave an audit trail

CVE-2012-1120 MantisBT 1.2.8 13656
delete_bug_threshold/bugnote_allow_user_edit_delete access check bypass
via SOAP API

CVE-2012-1121 MantisBT 1.2.8 13561 managers of specific projects could
update global category settings

CVE-2012-1122 MantisBT 1.2.8 13748 incorrect access checks performed
when moving bugs between projects

CVE-2012-1123 MantisBT 1.2.8 13901 SOAP API null password
authentication bypass
Comment 2 Tim Sammut (RETIRED) gentoo-dev 2012-03-07 02:04:26 UTC
Thanks, David!
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2012-07-13 21:24:23 UTC
CVE-2012-1123 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1123):
  The mci_check_login function in api/soap/mc_api.php in the SOAP API in
  MantisBT before 1.2.9 allows remote attackers to bypass authentication via a
  null password.

CVE-2012-1122 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1122):
  bug_actiongroup.php in MantisBT before 1.2.9 does not properly check the
  report_bug_threshold permission of the receiving project when moving a bug
  report, which allows remote authenticated users with the
  report_bug_threshold and move_bug_threshold privileges for a project to
  bypass intended access restrictions and move bug reports to a different
  project.

CVE-2012-1121 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1121):
  MantisBT before 1.2.9 does not properly check permissions, which allows
  remote authenticated users with manager privileges to (1) modify or (2)
  delete global categories.

CVE-2012-1120 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1120):
  The SOAP API in MantisBT before 1.2.9 does not properly enforce the
  bugnote_allow_user_edit_delete and delete_bug_threshold permissions, which
  allows remote authenticated users with read and write SOAP API privileges to
  delete arbitrary bug reports and bug notes.

CVE-2012-1119 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1119):
  MantisBT before 1.2.9 does not audit when users copy or clone a bug report,
  which makes it easier for remote attackers to copy bug reports without
  detection.

CVE-2012-1118 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1118):
  The access_has_bug_level function in core/access_api.php in MantisBT before
  1.2.9 does not properly restrict access when the private_bug_view_threshold
  is set to an array, which allows remote attackers to bypass intended
  restrictions and perform certain operations on private bug reports.
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2012-11-08 10:42:59 UTC
This issue was resolved and addressed in
 GLSA 201211-01 at http://security.gentoo.org/glsa/glsa-201211-01.xml
by GLSA coordinator Tobias Heinlein (keytoaster).