Executive Summary
| Summary | |
|---|---|
| Title | New moin packages fix several vulnerabilities |
| Informations | |||
|---|---|---|---|
| Name | DSA-2014 | First vendor Publication | 2010-03-12 |
| Vendor | Debian | Last vendor Modification | 2010-03-12 |
| Severity (Vendor) | N/A | Revision | 1 |
Security-Database Scoring CVSS v3
| Cvss vector : N/A | |||
|---|---|---|---|
| Overall CVSS Score | NA | ||
| Base Score | NA | Environmental Score | NA |
| impact SubScore | NA | Temporal Score | NA |
| Exploitabality Sub Score | NA | ||
| Calculate full CVSS 3.0 Vectors scores | |||
Security-Database Scoring CVSS v2
| Cvss vector : (AV:N/AC:L/Au:N/C:P/I:P/A:P) | |||
|---|---|---|---|
| Cvss Base Score | 7.5 | Attack Range | Network |
| Cvss Impact Score | 6.4 | Attack Complexity | Low |
| Cvss Expoit Score | 10 | Authentication | None Required |
| Calculate full CVSS 2.0 Vectors scores | |||
Detail
| Several vulnerabilities have been discovered in moin, a python clone of WikiWiki. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2010-0668 Multiple security issues in MoinMoin related to configurations that have a non-empty superuser list, the xmlrpc action enabled, the SyncPages action enabled, or OpenID configured. CVE-2010-0669 MoinMoin does not properly sanitize user profiles. CVE-2010-0717 The default configuration of cfg.packagepages_actions_excluded in MoinMoin does not prevent unsafe package actions. In addition, this update fixes an error when processing hierarchical ACLs, which can be exploited to access restricted sub-pages. For the stable distribution (lenny), these problems have been fixed in version 1.7.1-3+lenny3. For the unstable distribution (sid), these problems have been fixed in version 1.9.2-1, and will migrate to the testing distribution (squeeze) shortly. We recommend that you upgrade your moin package. |
Original Source
| Url : http://www.debian.org/security/2010/dsa-2014 |
CWE : Common Weakness Enumeration
| % | Id | Name |
|---|---|---|
| 50 % | CWE-264 | Permissions, Privileges, and Access Controls |
| 50 % | CWE-16 | Configuration |
OVAL Definitions
| Definition Id: oval:org.mitre.oval:def:13462 | |||
| Oval ID: | oval:org.mitre.oval:def:13462 | ||
| Title: | USN-941-1 -- moin vulnerability | ||
| Description: | It was discovered that MoinMoin incorrectly handled hierarchical access control lists. Users could bypass intended access controls under certain circumstances. | ||
| Family: | unix | Class: | patch |
| Reference(s): | USN-941-1 CVE-2009-4762 | Version: | 5 |
| Platform(s): | Ubuntu 9.04 | Product(s): | moin |
| Definition Synopsis: | |||
| Definition Id: oval:org.mitre.oval:def:13549 | |||
| Oval ID: | oval:org.mitre.oval:def:13549 | ||
| Title: | USN-911-1 -- moin vulnerabilities | ||
| Description: | It was discovered that several wiki actions and preference settings in MoinMoin were not protected from cross-site request forgery . If an authenticated user were tricked into visiting a malicious website while logged into MoinMoin, a remote attacker could change the user�s configuration or wiki content. It was discovered that MoinMoin did not properly sanitize its input when processing user preferences. An attacker could enter malicious content which when viewed by a user, could render in unexpected ways | ||
| Family: | unix | Class: | patch |
| Reference(s): | USN-911-1 CVE-2010-0668 CVE-2010-0717 CVE-2010-0669 | Version: | 5 |
| Platform(s): | Ubuntu 8.04 Ubuntu 8.10 Ubuntu 9.10 Ubuntu 6.06 Ubuntu 9.04 | Product(s): | moin |
| Definition Synopsis: | |||
| |||
| Definition Id: oval:org.mitre.oval:def:18433 | |||
| Oval ID: | oval:org.mitre.oval:def:18433 | ||
| Title: | DSA-2014-1 moin - several vulnerabilities | ||
| Description: | Several vulnerabilities have been discovered in moin, a python clone of WikiWiki. | ||
| Family: | unix | Class: | patch |
| Reference(s): | DSA-2014-1 CVE-2010-0668 CVE-2010-0669 CVE-2010-0717 | Version: | 7 |
| Platform(s): | Debian GNU/Linux 5.0 | Product(s): | moin |
| Definition Synopsis: | |||
| Definition Id: oval:org.mitre.oval:def:7566 | |||
| Oval ID: | oval:org.mitre.oval:def:7566 | ||
| Title: | DSA-2014 moin -- several vulnerabilities | ||
| Description: | Several vulnerabilities have been discovered in moin, a python clone of WikiWiki. The Common Vulnerabilities and Exposures project identifies the following problems: Multiple security issues in MoinMoin related to configurations that have a non-empty superuser list, the xmlrpc action enabled, the SyncPages action enabled, or OpenID configured. MoinMoin does not properly sanitise user profiles. The default configuration of cfg.packagepages_actions_excluded in MoinMoin does not prevent unsafe package actions. In addition, this update fixes an error when processing hierarchical ACLs, which can be exploited to access restricted sub-pages. | ||
| Family: | unix | Class: | patch |
| Reference(s): | DSA-2014 CVE-2010-0668 CVE-2010-0669 CVE-2010-0717 | Version: | 5 |
| Platform(s): | Debian GNU/Linux 5.0 | Product(s): | moin |
| Definition Synopsis: | |||
CPE : Common Platform Enumeration
OpenVAS Exploits
| Date | Description |
|---|---|
| 2012-10-22 | Name : Gentoo Security Advisory GLSA 201210-02 (MoinMoin) File : nvt/glsa_201210_02.nasl |
| 2010-05-28 | Name : Ubuntu Update for moin vulnerability USN-941-1 File : nvt/gb_ubuntu_USN_941_1.nasl |
| 2010-04-01 | Name : MoinMoin Wiki Security Bypass Vulnerability File : nvt/secpod_moinmoin_wiki_acl_sec_bypass_vuln.nasl |
| 2010-03-12 | Name : Ubuntu Update for moin vulnerabilities USN-911-1 File : nvt/gb_ubuntu_USN_911_1.nasl |
| 2010-03-05 | Name : MoinMoin Wiki 'cfg' Package Configuration Unspecified Vulnerability File : nvt/gb_moinmoin_wiki_cfg_pkg_unspecified_vuln.nasl |
| 2010-03-05 | Name : MoinMoin Wiki Superuser Lists Unspecified Vulnerability File : nvt/gb_moinmoin_wiki_su_list_unspecified_vuln.nasl |
| 2010-03-05 | Name : MoinMoin Wiki User Profile Unspecified Vulnerability File : nvt/gb_moinmoin_wiki_user_prof_unspecified_vuln.nasl |
| 2010-03-02 | Name : Fedora Update for moin FEDORA-2010-1712 File : nvt/gb_fedora_2010_1712_moin_fc12.nasl |
Open Source Vulnerability Database (OSVDB)
| Id | Description |
|---|---|
| 62655 | MoinMoin User Profile Sanitization Weakness |
| 62654 | MoinMoin cfg.packagepages_actions_excluded Default Configuration Unspecified ... |
| 62043 | MoinMoin Superuser Definition Unspecified Issue |
| 54967 | MoinMoin Hierarchical ACL Handling Weakness Sub-pages Restriction Bypass |
Nessus® Vulnerability Scanner
| Date | Description |
|---|---|
| 2012-10-19 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201210-02.nasl - Type : ACT_GATHER_INFO |
| 2010-07-01 | Name : The remote Fedora host is missing a security update. File : fedora_2010-1712.nasl - Type : ACT_GATHER_INFO |
| 2010-07-01 | Name : The remote Fedora host is missing a security update. File : fedora_2010-1743.nasl - Type : ACT_GATHER_INFO |
| 2010-07-01 | Name : The remote Fedora host is missing a security update. File : fedora_2010-3263.nasl - Type : ACT_GATHER_INFO |
| 2010-05-21 | Name : The remote Ubuntu host is missing a security-related patch. File : ubuntu_USN-941-1.nasl - Type : ACT_GATHER_INFO |
| 2010-03-15 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-2014.nasl - Type : ACT_GATHER_INFO |
| 2010-03-12 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-911-1.nasl - Type : ACT_GATHER_INFO |
Alert History
| Date | Informations |
|---|---|
| 2014-02-17 11:29:18 |
|
