7.5 - DSA-2500

Executive Summary

Summary
Title	mantis security update

Informations
Name	DSA-2500	First vendor Publication	2012-06-24
Vendor	Debian	Last vendor Modification	2012-06-24
Severity (Vendor)	N/A	Revision	1

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score	NA
Base Score	NA	Environmental Score	NA
impact SubScore	NA	Temporal Score	NA
Exploitabality Sub Score	NA

Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Cvss Base Score	7.5	Attack Range	Network
Cvss Impact Score	6.4	Attack Complexity	Low
Cvss Expoit Score	10	Authentication	None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Several vulnerabilities were discovered in Mantis, am issue tracking system.

CVE-2012-1118 Mantis installation in which the private_bug_view_threshold configuration option has been set to an array value do not properly enforce bug viewing restrictions.

CVE-2012-1119 Copy/clone bug report actions fail to leave an audit trail.

CVE-2012-1120 The delete_bug_threshold/bugnote_allow_user_edit_delete access check can be bypassed by users who have write access to the SOAP API.

CVE-2012-1122 Mantis performed access checks incorrectly when moving bugs between projects.

CVE-2012-1123 A SOAP client sending a null password field can authenticate as the Mantis administrator.

CVE-2012-2692 Mantis does not check the delete_attachments_threshold permission when a user attempts to delete an attachment from an issue.

For the stable distribution (squeeze), these problems have been fixed in version 1.1.8+dfsg-10squeeze2.

For the testing distribution (wheezy) and the unstable distribution (sid), these problems have been fixed in version 1.2.11-1.

We recommend that you upgrade your mantis packages.

Original Source

Url : http://www.debian.org/security/2012/dsa-2500

CWE : Common Weakness Enumeration

%	Id	Name
83 %	CWE-264	Permissions, Privileges, and Access Controls
17 %	CWE-287	Improper Authentication

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:19825

Oval ID:	oval:org.mitre.oval:def:19825
Title:	DSA-2500-1 mantis - several
Description:	Several vulnerabilities were discovered in Mantis, an issue tracking system.
Family:	unix	Class:	patch
Reference(s):	DSA-2500-1 CVE-2012-1118 CVE-2012-1119 CVE-2012-1120 CVE-2012-1122 CVE-2012-1123 CVE-2012-2692	Version:	5
Platform(s):	Debian GNU/Linux 6.0 Debian GNU/kFreeBSD 6.0	Product(s):	mantis
Definition Synopsis:
Debian 6.0 is installed GNU/Linux or GNU/kFreeBSD kernel Debian GNU/Linux is installed AND Debian GNU/kFreeBSD is installed AND mantis DPKG is earlier than 0:1.1.8+dfsg-10squeeze2

CPE : Common Platform Enumeration

Type	Description	Count
Application	Mantisbt cpe:2.3:a:mantisbt:mantisbt:1.2.9:::::::* cpe:2.3:a:mantisbt:mantisbt:1.2.8:::::::* cpe:2.3:a:mantisbt:mantisbt:1.2.7:::::::* cpe:2.3:a:mantisbt:mantisbt:1.2.6:::::::* cpe:2.3:a:mantisbt:mantisbt:1.2.5:::::::* cpe:2.3:a:mantisbt:mantisbt:1.2.4:::::::* cpe:2.3:a:mantisbt:mantisbt:1.2.3:::::::* cpe:2.3:a:mantisbt:mantisbt:1.2.2:::::::* cpe:2.3:a:mantisbt:mantisbt:1.2.10:::::::* cpe:2.3:a:mantisbt:mantisbt:1.2.1:::::::* cpe:2.3:a:mantisbt:mantisbt:1.2.0a2:::::::* cpe:2.3:a:mantisbt:mantisbt:1.2.0a1:::::::* cpe:2.3:a:mantisbt:mantisbt:1.2.0:alpha2:::::: cpe:2.3:a:mantisbt:mantisbt:1.2.0:-:::::: cpe:2.3:a:mantisbt:mantisbt:1.2.0:rc2:::::: cpe:2.3:a:mantisbt:mantisbt:1.2.0:alpha1:::::: cpe:2.3:a:mantisbt:mantisbt:1.2.0:alpha3:::::: cpe:2.3:a:mantisbt:mantisbt:1.2.0:rc1:::::: cpe:2.3:a:mantisbt:mantisbt:1.1.9:::::::* cpe:2.3:a:mantisbt:mantisbt:1.1.8:::::::* cpe:2.3:a:mantisbt:mantisbt:1.1.7:::::::* cpe:2.3:a:mantisbt:mantisbt:1.1.6:::::::* cpe:2.3:a:mantisbt:mantisbt:1.1.5:::::::* cpe:2.3:a:mantisbt:mantisbt:1.1.4:::::::* cpe:2.3:a:mantisbt:mantisbt:1.1.3:::::::* cpe:2.3:a:mantisbt:mantisbt:1.1.2:::::::* cpe:2.3:a:mantisbt:mantisbt:1.1.1:::::::* cpe:2.3:a:mantisbt:mantisbt:1.1.0:rc3:::::: cpe:2.3:a:mantisbt:mantisbt:1.1.0:a4:::::: cpe:2.3:a:mantisbt:mantisbt:1.1.0:rc2:::::: cpe:2.3:a:mantisbt:mantisbt:1.1.0:a3:::::: cpe:2.3:a:mantisbt:mantisbt:1.1.0:a1:::::: cpe:2.3:a:mantisbt:mantisbt:1.1.0:a2:::::: cpe:2.3:a:mantisbt:mantisbt:1.1.0:::::::* cpe:2.3:a:mantisbt:mantisbt:1.1.0:rc1:::::: cpe:2.3:a:mantisbt:mantisbt:1.0.9:::::::* cpe:2.3:a:mantisbt:mantisbt:1.0.8:::::::* cpe:2.3:a:mantisbt:mantisbt:1.0.7:::::::* cpe:2.3:a:mantisbt:mantisbt:1.0.6:::::::* cpe:2.3:a:mantisbt:mantisbt:1.0.5:::::::* cpe:2.3:a:mantisbt:mantisbt:1.0.4:::::::* cpe:2.3:a:mantisbt:mantisbt:1.0.3:::::::* cpe:2.3:a:mantisbt:mantisbt:1.0.2:::::::* cpe:2.3:a:mantisbt:mantisbt:1.0.1:::::::* cpe:2.3:a:mantisbt:mantisbt:1.0.0a3:::::::* cpe:2.3:a:mantisbt:mantisbt:1.0.0a2:::::::* cpe:2.3:a:mantisbt:mantisbt:1.0.0a1:::::::* cpe:2.3:a:mantisbt:mantisbt:1.0.0:a2:::::: cpe:2.3:a:mantisbt:mantisbt:1.0.0:a3:::::: cpe:2.3:a:mantisbt:mantisbt:1.0.0:a1:::::: cpe:2.3:a:mantisbt:mantisbt:1.0.0:::::::* cpe:2.3:a:mantisbt:mantisbt:1.0.0:rc2:::::: cpe:2.3:a:mantisbt:mantisbt:1.0.0:rc1:::::: cpe:2.3:a:mantisbt:mantisbt:1.0.0:rc3:::::: cpe:2.3:a:mantisbt:mantisbt:1.0.0:rc5:::::: cpe:2.3:a:mantisbt:mantisbt:1.0.0:rc4:::::: cpe:2.3:a:mantisbt:mantisbt:0.19.5:::::::* cpe:2.3:a:mantisbt:mantisbt:0.19.4:::::::* cpe:2.3:a:mantisbt:mantisbt:0.19.3:::::::* cpe:2.3:a:mantisbt:mantisbt:0.19.2:::::::* cpe:2.3:a:mantisbt:mantisbt:0.19.1:::::::* cpe:2.3:a:mantisbt:mantisbt:0.19.0a2:::::::* cpe:2.3:a:mantisbt:mantisbt:0.19.0a1:::::::* cpe:2.3:a:mantisbt:mantisbt:0.19.0:a2:::::: cpe:2.3:a:mantisbt:mantisbt:0.19.0:::::::* cpe:2.3:a:mantisbt:mantisbt:0.19.0:rc1:::::: cpe:2.3:a:mantisbt:mantisbt:0.19.0:a1:::::: cpe:2.3:a:mantisbt:mantisbt:0.18.0:::::::* cpe:2.3:a:mantisbt:mantisbt::::::::	69

OpenVAS Exploits

Date	Description
2012-11-26	Name : Fedora Update for mantis FEDORA-2012-18294 File : nvt/gb_fedora_2012_18294_mantis_fc17.nasl
2012-11-26	Name : Fedora Update for mantis FEDORA-2012-18299 File : nvt/gb_fedora_2012_18299_mantis_fc16.nasl
2012-11-16	Name : Gentoo Security Advisory GLSA 201211-01 (MantisBT) File : nvt/glsa_201211_01.nasl
2012-08-10	Name : Debian Security Advisory DSA 2500-1 (mantis) File : nvt/deb_2500_1.nasl
2012-08-10	Name : FreeBSD Ports: mantis File : nvt/freebsd_mantis6.nasl

Nessus® Vulnerability Scanner

Date	Description
2012-11-26	Name : The remote Fedora host is missing a security update. File : fedora_2012-18273.nasl - Type : ACT_GATHER_INFO
2012-11-26	Name : The remote Fedora host is missing a security update. File : fedora_2012-18294.nasl - Type : ACT_GATHER_INFO
2012-11-26	Name : The remote Fedora host is missing a security update. File : fedora_2012-18299.nasl - Type : ACT_GATHER_INFO
2012-11-09	Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201211-01.nasl - Type : ACT_GATHER_INFO
2012-06-29	Name : The remote Debian host is missing a security-related update. File : debian_DSA-2500.nasl - Type : ACT_GATHER_INFO
2012-06-13	Name : The remote FreeBSD host is missing a security-related update. File : freebsd_pkg_55587adbb49d11e18df10004aca374af.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.

Date	Informations
2014-02-17 11:31:11	Multiple Updates

Global Informations

Type	Count
CWE ID(s)	6
Oval ID(s)	1
CPE ID(s)	69
Openvas Exploit(s)	5
Nessus® Exploit(s)	6

	Related
7.5	CVE-2012-1123
6.4	CVE-2012-1119
4.3	CVE-2012-1118
3.6	CVE-2012-2692
3.6	CVE-2012-1122
3.6	CVE-2012-1120
Info : listing not affected by your CVSS Env Score

Same Subject	Severity
Login to view 6 more Alert(s)

7.5 - DSA-2500

Executive Summary

Security-Database Scoring CVSS v3

Security-Database Scoring CVSS v2

Detail

Original Source

CWE : Common Weakness Enumeration

OVAL Definitions

CPE : Common Platform Enumeration

OpenVAS Exploits

Nessus® Vulnerability Scanner

Alert History

Global Informations

Open Standards

Other Databases

COMPANY

STANDARDS

RECENT POSTS

MENU