oss-sec mailing list archives

Re: CVE Request: MantisBT SOAP API can be used to disclose confidential settings


From: cve-assign () mitre org
Date: Sun, 3 Jan 2016 12:03:46 -0500 (EST)


This was the case with the MantisBT master cryptographic salt
(crypto_master_salt): it was incorrectly spelt.

Affected versions:
 >= 1.3.0-beta.1

Fixed in versions:
1.3.0 (not yet released), possibly 1.3.0-rc.2 if we decide we need
another release candidate before that.


http://sourceforge.net/p/mantisbt/mailman/message/32948048/
2014-10-19
- case 'master_crypto_salt':
+ case 'crypto_master_salt':
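Review bot: the rename only corrects the one misspelt deny-list entry, so the code still fails open for any other secret option whose name is mistyped or simply omitted; as the follow-up text notes, exposing options from an explicit white list is the safer shape. A regression test that calls the config getter for every option holding a secret (the master salt included) and expects a refusal would have caught this spelling mismatch.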

In general, a vendor can choose to request a CVE ID for a
vulnerability in beta software. This is unusual and (in cases of many
other products) often not a good idea, but there is no absolute
restriction on having a CVE ID. In this case, the 1.3 development code
in question was apparently noted in 2014.

Use CVE-2014-9759 for the vulnerability caused by the
master_crypto_salt spelling.

There is no CVE ID for the general issue of "Implement a white list of
options ... This is a safer approach than the previous blacklist
method," which seems to be a pre-release design change, not
specifically a vulnerability fix on its own.
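The following is an added illustration of the blacklist-versus-whitelist point, not MantisBT's code: a deny-list of secret option names fails open when one entry is misspelt, while an allow-list of public names fails closed. Only the two spellings of the salt option come from the advisory; every other option name and value is constructed.

```python
"""Added example (not MantisBT's code): deny-list vs allow-list for a
config-reading API.  Only 'crypto_master_salt' / 'master_crypto_salt' come
from the advisory; all other names and values are constructed."""

# Constructed sample configuration store (hypothetical values).
CONFIG = {
    "crypto_master_salt": "CONSTRUCTED-SECRET-SALT",
    "example_api_token": "CONSTRUCTED-SECRET-TOKEN",
    "example_site_name": "Example Tracker",
    "example_items_per_page": 50,
}

# Options that must never leave the server (constructed list).
SECRET_NAMES = {"crypto_master_salt", "example_api_token"}

# Deny-list in the shape the advisory describes: the author meant to hide
# 'crypto_master_salt' but wrote the words in the wrong order.
DENY_LIST_WITH_TYPO = {"master_crypto_salt", "example_api_token"}

# Allow-list: only options explicitly marked public are ever exposed.
PUBLIC_OPTIONS = {"example_site_name", "example_items_per_page"}


class AccessDenied(Exception):
    """Raised when an option may not be handed to an API client."""


def config_get_denylist(option):
    """Pre-fix behaviour: anything not explicitly denied is returned.
    A misspelt entry silently turns into full disclosure."""
    if option in DENY_LIST_WITH_TYPO:
        raise AccessDenied(option)
    return CONFIG[option]


def config_get_allowlist(option):
    """Post-fix behaviour: anything not explicitly allowed is refused, so a
    forgotten or misspelt entry can only cause a denial, never a leak."""
    if option not in PUBLIC_OPTIONS:
        raise AccessDenied(option)
    return CONFIG[option]


def exposed_options(getter):
    """Return every option name the given getter would hand to a client."""
    exposed = []
    for name in CONFIG:
        try:
            getter(name)
        except AccessDenied:
            continue
        exposed.append(name)
    return sorted(exposed)


def leaked_secrets(getter, secret_names):
    """Regression check: which secret options does the getter disclose?
    A correct implementation returns an empty list."""
    return sorted(set(exposed_options(getter)) & set(secret_names))


if __name__ == "__main__":
    print("deny-list leaks :", leaked_secrets(config_get_denylist, SECRET_NAMES))
    print("allow-list leaks:", leaked_secrets(config_get_allowlist, SECRET_NAMES))
```

The `leaked_secrets` check is the part worth keeping in a test suite: it enumerates the options that hold secrets and asserts that the client-facing getter refuses each of them, so a typo in either list shows up as a failing test rather than as a disclosure.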

Further details available in our issue tracker [3]
[3] https://mantisbt.org/bugs/view.php?id=20277

It currently gives an "Access Denied." error.

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
