Executive Summary



This Alert is flagged as TOP 25 Common Weakness Enumeration from CWE/SANS. For more information, you can read this.
Summary
Title MoinMoin vulnerabilities
Informations
Name USN-1604-1 First vendor Publication 2012-10-11
Vendor Ubuntu Last vendor Modification 2012-10-11
Severity (Vendor) N/A Revision N/A

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:M/Au:S/C:P/I:P/A:P)
Cvss Base Score 6 Attack Range Network
Cvss Impact Score 6.4 Attack Complexity Medium
Cvss Expoit Score 6.8 Authentication Requires single instance
Calculate full CVSS 2.0 Vectors scores

Detail

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.04 LTS - Ubuntu 11.10 - Ubuntu 11.04 - Ubuntu 10.04 LTS

Summary:

Several security issues were fixed in MoinMoin.

Software Description: - moin: Collaborative hypertext environment

Details:

It was discovered that MoinMoin did not properly sanitize certain input, resulting in a cross-site scripting (XSS) vulnerability. With cross-site scripting vulnerabilities, if a user were tricked into viewing server output during a crafted server request, a remote attacker could exploit this to modify the contents, or steal confidential data, within the same domain. (CVE-2011-1058)

It was discovered that MoinMoin incorrectly handled group names that contain virtual group names such as "All", "Known" or "Trusted". This could result in a remote user having incorrect permissions. (CVE-2012-4404)

Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 12.04 LTS:
python-moinmoin 1.9.3-1ubuntu2.1

Ubuntu 11.10:
python-moinmoin 1.9.3-1ubuntu1.11.10.1

Ubuntu 11.04:
python-moinmoin 1.9.3-1ubuntu1.11.04.1

Ubuntu 10.04 LTS:
python-moinmoin 1.9.2-2ubuntu3.2

In general, a standard system update will make all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-1604-1
CVE-2011-1058, CVE-2012-4404

Package Information:
https://launchpad.net/ubuntu/+source/moin/1.9.3-1ubuntu2.1
https://launchpad.net/ubuntu/+source/moin/1.9.3-1ubuntu1.11.10.1
https://launchpad.net/ubuntu/+source/moin/1.9.3-1ubuntu1.11.04.1
https://launchpad.net/ubuntu/+source/moin/1.9.2-2ubuntu3.2

Original Source

Url : http://www.ubuntu.com/usn/USN-1604-1

CWE : Common Weakness Enumeration

% Id Name
50 % CWE-264 Permissions, Privileges, and Access Controls
50 % CWE-79 Failure to Preserve Web Page Structure ('Cross-site Scripting') (CWE/SANS Top 25)

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:15278
 
Oval ID: oval:org.mitre.oval:def:15278
Title: DSA-2321-1 moin -- cross-site scripting
Description: A cross-site scriping vulnerability was discovered in the rst parser of Moin, a Python clone of WikiWiki.
Family: unix Class: patch
Reference(s): DSA-2321-1
CVE-2011-1058
 Version: 5
Platform(s): Debian GNU/Linux 5.0
Debian GNU/Linux 6.0
Debian GNU/kFreeBSD 6.0
 Product(s): moin
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:17640
 
Oval ID: oval:org.mitre.oval:def:17640
Title: USN-1604-1 -- moin vulnerabilities
Description: Several security issues were fixed in MoinMoin.
Family: unix Class: patch
Reference(s): USN-1604-1
CVE-2011-1058
CVE-2012-4404
 Version: 7
Platform(s): Ubuntu 12.04
Ubuntu 11.10
Ubuntu 11.04
Ubuntu 10.04
 Product(s): moin
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:17914
 
Oval ID: oval:org.mitre.oval:def:17914
Title: DSA-2538-1 moin - privilege escalation
Description: It was discovered that Moin, a Python clone of WikiWiki, incorrectly evaluates ACLs when virtual groups are involved. This may allow certain users to have additional permissions (privilege escalation) or lack expected permissions.
Family: unix Class: patch
Reference(s): DSA-2538-1
CVE-2012-4404
 Version: 7
Platform(s): Debian GNU/Linux 6.0
Debian GNU/kFreeBSD 6.0
 Product(s): moin
Definition Synopsis:

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 79

OpenVAS Exploits

Date Description
2012-10-22 Name : Gentoo Security Advisory GLSA 201210-02 (MoinMoin)
File : nvt/glsa_201210_02.nasl
2012-10-12 Name : Ubuntu Update for moin USN-1604-1
File : nvt/gb_ubuntu_USN_1604_1.nasl
2012-09-22 Name : Fedora Update for moin FEDORA-2012-13400
File : nvt/gb_fedora_2012_13400_moin_fc16.nasl
2012-09-22 Name : Fedora Update for moin FEDORA-2012-13408
File : nvt/gb_fedora_2012_13408_moin_fc17.nasl
2012-09-15 Name : Debian Security Advisory DSA 2538-1 (moin)
File : nvt/deb_2538_1.nasl
2012-09-07 Name : FreeBSD Ports: moinmoin
File : nvt/freebsd_moinmoin7.nasl
2012-09-07 Name : FreeBSD Ports: moinmoin
File : nvt/freebsd_moinmoin8.nasl
2011-10-16 Name : Debian Security Advisory DSA 2321-1 (moin)
File : nvt/deb_2321_1.nasl
2011-03-08 Name : Fedora Update for moin FEDORA-2011-2156
File : nvt/gb_fedora_2011_2156_moin_fc14.nasl
2011-03-08 Name : Fedora Update for moin FEDORA-2011-2157
File : nvt/gb_fedora_2011_2157_moin_fc13.nasl

Open Source Vulnerability Database (OSVDB)

Id Description
71025 MoinMoin reStructuredText Parser refuri Parameter XSS

MoinMoin contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the input passed via the 'refuri' node attribute upon submission to the reStructuredText parser in 'parser/text_rst.py'. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

Nessus® Vulnerability Scanner

Date Description
2012-10-19 Name : The remote Gentoo host is missing one or more security-related patches.
File : gentoo_GLSA-201210-02.nasl - Type : ACT_GATHER_INFO
2012-10-12 Name : The remote Ubuntu host is missing a security-related patch.
File : ubuntu_USN-1604-1.nasl - Type : ACT_GATHER_INFO
2012-09-18 Name : The remote Fedora host is missing a security update.
File : fedora_2012-13400.nasl - Type : ACT_GATHER_INFO
2012-09-18 Name : The remote Fedora host is missing a security update.
File : fedora_2012-13408.nasl - Type : ACT_GATHER_INFO
2012-09-18 Name : The remote Fedora host is missing a security update.
File : fedora_2012-13528.nasl - Type : ACT_GATHER_INFO
2012-09-06 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-2538.nasl - Type : ACT_GATHER_INFO
2012-09-05 Name : The remote FreeBSD host is missing a security-related update.
File : freebsd_pkg_4a8a98abf74511e18bd80022156e8794.nasl - Type : ACT_GATHER_INFO
2012-09-05 Name : The remote FreeBSD host is missing a security-related update.
File : freebsd_pkg_4f99e2eff72511e18bd80022156e8794.nasl - Type : ACT_GATHER_INFO
2011-10-11 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-2321.nasl - Type : ACT_GATHER_INFO
2011-03-07 Name : The remote Fedora host is missing a security update.
File : fedora_2011-2156.nasl - Type : ACT_GATHER_INFO
2011-03-07 Name : The remote Fedora host is missing a security update.
File : fedora_2011-2157.nasl - Type : ACT_GATHER_INFO
2011-03-03 Name : The remote Fedora host is missing a security update.
File : fedora_2011-2219.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.
0
Date Informations
2014-02-17 12:00:56
  • Multiple Updates