oss-sec mailing list archives
Re: CVE Request: MantisBT SOAP API can be used to disclose confidential settings
From: cve-assign () mitre org
Date: Sun, 3 Jan 2016 12:03:46 -0500 (EST)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
> This was the case with the MantisBT master cryptographic salt
> (crypto_master_salt): it was incorrectly spelt.
>
> Affected versions: >= 1.3.0-beta.1
> Fixed in versions: 1.3.0 (not yet released), possibly 1.3.0-rc.2 if we
> decide we need another release candidate before that.
> http://sourceforge.net/p/mantisbt/mailman/message/32948048/

2014-10-19
- case 'master_crypto_salt':
+ case 'crypto_master_salt':
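Review bot: the fix corrects only the spelling of one blacklist entry, and a mistyped entry in a blacklist fails open: the real option crypto_master_salt was returned because nothing in the list matched it. Suggest adding a test that asserts every entry in the confidential-options list names an actual configuration option (and that a request for crypto_master_salt is refused), or adopting the whitelist of exposed options that the request describes, where a typo fails closed instead of disclosing a secret.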
In general, a vendor can choose to request a CVE ID for a vulnerability in
beta software. This is unusual and (in cases of many other products) often
not a good idea, but there is no absolute restriction on having a CVE ID.
In this case, the 1.3 development code in question was apparently noted in
2014. Use CVE-2014-9759 for the vulnerability caused by the
master_crypto_salt spelling.

There is no CVE ID for the general issue of "Implement a white list of
options ... This is a safer approach than the previous blacklist method,"
which seems to be a pre-release design change, not specifically a
vulnerability fix on its own.
> Further details available in our issue tracker [3]
>
> [3] https://mantisbt.org/bugs/view.php?id=20277
It currently gives an "Access Denied." error.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJWiVOFAAoJEL54rhJi8gl58iIQALSkEnUs34DR9JM6DQUfTTS6
VePVAgUo25rpfQkqL7HpsuWEo/L4nYw7E9PCI7P0yHMmOH5O1uY1cucA5PEsukXK
FaPjLZU0GHtbSAG1ioaincMVJ8W+YidMJyUNGrxLRnL3W+bjE63HZLNNiswSuUFK
NTKrzOZtSHRDVRKbdvak3pVvKQ5MXPwM6BRYVZBK5UetaOkKLkQJMH3RjGkyl9AM
yhtIF3XEKNXrIoVtLRka9/OabS1FG9ULE6oL8jqA2S8jL0D0ABo8QOYC2rH3wR3Z
8CaJig5h8ximZIvA0Cg5xSiIQMhk3En7W3QSB1kyAAkrviz0H2f1XJenyifXMkM6
IfXw0d5k9KSglJxpxd/VYBmZhz7rCWwa/0f5vnSpL278u6Sxccfh36EdBmoASs4X
BAjdaEkGZJpoa+KGFKx7lGfSHMMvVGdM8j0ybaDEzruSL/0C8w4OZZxmE4Abbbu7
3Nt1Pmq7YDVWNA6RxXwxp8C32hpxMLhNjNYzsgEZ8lBB2Og3vjSydY2FAav0Zsb+
buyYkSqPqlnUJTMW0nYWnhXRfSOq0H1ndsdpAiSIvRKM28sDjIJnRyIe6QhN+h/u
bF4wu44H2pOqtT69k6wJ7kW/CznpxBdwGcC+jKZKAQT9dXszQdaBrCv5kOGpDRK1
v0DW5xesLDZMu/sbqrLk
=r4cR
-----END PGP SIGNATURE-----
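The message above turns on two points: a blacklist of confidential options fails open when an entry is misspelt (the real crypto_master_salt was never matched), and a whitelist of exposed options fails closed instead. The following is an added Python model of both filters plus the consistency check that would have flagged the typo; it is constructed for this archive page and is not MantisBT's own PHP code. The option name crypto_master_salt and the misspelling master_crypto_salt come from the thread; every other option name, all values, and the function names are assumptions.

```python
"""Blacklist vs whitelist filtering of configuration options exposed by an
API, modelled on the MantisBT crypto_master_salt case.

Constructed illustration, not MantisBT code. Only crypto_master_salt and
master_crypto_salt are taken from the thread; the rest is assumed.
"""
from typing import Dict, Iterable, List, Set

# Constructed sample configuration; values are placeholders, not real secrets.
SAMPLE_CONFIG: Dict[str, str] = {
    "crypto_master_salt": "<placeholder-salt>",     # name from the thread
    "database_password": "<placeholder-password>",  # assumed option name
    "default_language": "english",                  # assumed option name
    "webmaster_email": "webmaster@example.invalid", # assumed option name
}

# Option names the application actually defines. A real system would take
# these from its configuration schema; here they are the sample keys.
KNOWN_OPTIONS: Set[str] = set(SAMPLE_CONFIG)

# Blacklist as it stood before the fix: the salt entry is misspelt
# (master_crypto_salt instead of crypto_master_salt), so the real option
# is never matched and is returned to the caller.
BLACKLIST_BEFORE_FIX: Set[str] = {"master_crypto_salt", "database_password"}
# Blacklist after the one-word spelling correction.
BLACKLIST_AFTER_FIX: Set[str] = {"crypto_master_salt", "database_password"}
# Whitelist of options an API client may read (assumed contents).
API_WHITELIST: Set[str] = {"default_language", "webmaster_email"}


def expose_by_blacklist(config: Dict[str, str], blocked: Iterable[str]) -> Dict[str, str]:
    """Return every option NOT named in `blocked`: an unmatched name fails open."""
    blocked = set(blocked)
    return {name: value for name, value in config.items() if name not in blocked}


def expose_by_whitelist(config: Dict[str, str], allowed: Iterable[str]) -> Dict[str, str]:
    """Return only options named in `allowed`: an unmatched name fails closed."""
    allowed = set(allowed)
    return {name: value for name, value in config.items() if name in allowed}


def stale_entries(entries: Iterable[str], known: Iterable[str]) -> List[str]:
    """List entries that match no defined option name.

    For a blacklist such an entry means a secret is silently disclosed; for a
    whitelist it merely exposes nothing. Run as a unit test, this check reports
    'master_crypto_salt' for the pre-fix list.
    """
    return sorted(set(entries) - set(known))


if __name__ == "__main__":
    before = expose_by_blacklist(SAMPLE_CONFIG, BLACKLIST_BEFORE_FIX)
    after = expose_by_blacklist(SAMPLE_CONFIG, BLACKLIST_AFTER_FIX)
    print("salt disclosed before fix:", "crypto_master_salt" in before)
    print("stale blacklist entries:", stale_entries(BLACKLIST_BEFORE_FIX, KNOWN_OPTIONS))
    print("salt disclosed after fix:", "crypto_master_salt" in after)
    print("whitelist exposes:", sorted(expose_by_whitelist(SAMPLE_CONFIG, API_WHITELIST)))
```

The `stale_entries` check is the cheap guard for the blacklist design: any entry that names no real option is a typo that silently fails open. The whitelist form needs no such guard to stay safe, which is the safety argument the thread makes for moving to a white list of options.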
Current thread:
- CVE Request: MantisBT SOAP API can be used to disclose confidential settings Damien Regad (Jan 02)
- Re: CVE Request: MantisBT SOAP API can be used to disclose confidential settings cve-assign (Jan 03)
- Re: CVE Request: MantisBT SOAP API can be used to disclose confidential settings Damien Regad (Jan 04)
- Re: CVE Request: MantisBT SOAP API can be used to disclose confidential settings cve-assign (Jan 03)