Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 503152 (CVE-2014-2238) - www-apps/mantisbt: SQL injection (CVE-2014-2238)
Summary: www-apps/mantisbt: SQL injection (CVE-2014-2238)
Alias: CVE-2014-2238
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
Whiteboard: B3 [ebuild blocked]
Depends on: CVE-2014-6316
  Show dependency tree
Reported: 2014-03-01 20:48 UTC by Agostino Sarubbo
Modified: 2016-04-01 03:44 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2014-03-01 20:48:05 UTC
From ${URL} :

Jakub Galczyk (HauntIT blog discovered an 
SQL injection vulnerability issue affecting MantisBT >= 1.2.13.

admin_config_report.php relied on unsanitized, inlined query parameters, 
enabling a malicious user to perform an SQL injection attack.

The criticality of this issue is compounded by the fact that typically a 
high-privilege account (i.e. having an access level >= 
$g_view_configuration_threshold, which is set to ADMINISTRATOR by 
default) is required to access this page.


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Yury German Gentoo Infrastructure gentoo-dev 2014-03-16 12:43:24 UTC
Fixed in Version 1.2.17

Maintainers, please advise when eBuild is ready for stabilization.
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2014-08-10 20:51:14 UTC
CVE-2014-2238 (
  SQL injection vulnerability in the manage configuration page
  (adm_config_report.php) in MantisBT 1.2.13 through 1.2.16 allows remote
  authenticated administrators to execute arbitrary SQL commands via the
  filter_config_id parameter.
Comment 3 Richard H. 2014-08-12 10:23:20 UTC
I am using 1.2.17 for ages now - it is needed for some plugins to work which I am using. So I don't know why this isn't stabilized yet.
Comment 4 Yury German Gentoo Infrastructure gentoo-dev 2015-03-03 05:21:09 UTC
Version 1.2.17 Released from upstream (Released 2014-03-03), Which is a year ago.

Maintainers, can we please create an ebuild so we can remove vulnerability.
Comment 5 Yury German Gentoo Infrastructure gentoo-dev 2015-03-03 06:13:03 UTC
Setting dependency latest version:  1.2.19 which is the latest version.
Released 2015-01-24
Comment 6 Aaron Bauman (RETIRED) gentoo-dev 2016-03-07 08:26:40 UTC
Multiple vulnerabilities spread across 9 different bugs.  No movement from maintainers in over a year.
Comment 7 Aaron Bauman (RETIRED) gentoo-dev 2016-04-01 03:44:46 UTC
Package removed