FS#42683 - [mantisbt] CVE-2014-8554: SQL injection vulnerability
Attached to Project:
Community Packages
Opened by Levente Polyak (anthraxx) - Tuesday, 04 November 2014, 22:02 GMT
Last edited by Maxime Gauduin (Alucryd) - Wednesday, 05 November 2014, 15:36 GMT
Opened by Levente Polyak (anthraxx) - Tuesday, 04 November 2014, 22:02 GMT
Last edited by Maxime Gauduin (Alucryd) - Wednesday, 05 November 2014, 15:36 GMT
|
Details
Summary:
It has been reported [0] that mantisbt 1.2.17 is vulnerable to a SQL injection vulnerability tracked as CVE-2014-8554 [1]. Description: When the project_id parameter of the SOAP-request starts with the integer of a project to which the user (or anonymous) is authorised, the ENTIRE value will become the first item of $t_projects. As this value is concatenated in the SQL statement, SQL-injection becomes possible. Mitigation: The problem has been fixed upstream [2] but no release is available yet. Vendor will release a new version in the following days, but as this issue is critical and the patch [2] is very simple its highly recommend to apply the patch [2] as long as no release is available. [0] http://seclists.org/oss-sec/2014/q4/478 [1] https://access.redhat.com/security/cve/CVE-2014-8554 [2] https://github.com/mantisbt/mantisbt/commit/99ffb0af |
This task depends upon
Closed by Maxime Gauduin (Alucryd)
Wednesday, 05 November 2014, 15:36 GMT
Reason for closing: Fixed
Additional comments about closing: 1.2.17-3
Wednesday, 05 November 2014, 15:36 GMT
Reason for closing: Fixed
Additional comments about closing: 1.2.17-3
Comment by
Maxime Gauduin (Alucryd) -
Wednesday, 05 November 2014, 15:35 GMT
Agreed, package updated, thx for reporting.