Executive Summary
| Summary | |
|---|---|
| Title | New roundup packages fix privilege escalation |
| Informations | |||
|---|---|---|---|
| Name | DSA-1754 | First vendor Publication | 2009-04-09 |
| Vendor | Debian | Last vendor Modification | 2009-04-09 |
| Severity (Vendor) | N/A | Revision | 1 |
Security-Database Scoring CVSS v3
| Cvss vector : N/A | |||
|---|---|---|---|
| Overall CVSS Score | NA | ||
| Base Score | NA | Environmental Score | NA |
| impact SubScore | NA | Temporal Score | NA |
| Exploitabality Sub Score | NA | ||
| Calculate full CVSS 3.0 Vectors scores | |||
Security-Database Scoring CVSS v2
| Cvss vector : (AV:N/AC:L/Au:S/C:N/I:P/A:P) | |||
|---|---|---|---|
| Cvss Base Score | 5.5 | Attack Range | Network |
| Cvss Impact Score | 4.9 | Attack Complexity | Low |
| Cvss Expoit Score | 8 | Authentication | Requires single instance |
| Calculate full CVSS 2.0 Vectors scores | |||
Detail
| It was discovered that roundup, an issue tracker with a command-line, web and email interface, allows users to edit resources in unauthorized ways, including granting themselves admin rights. This update introduces stricter access checks, actually enforcing the configured permissions and roles. This means that the configuration may need updating. In addition, user registration via the web interface has been disabled; use the program "roundup-admin" from the command line instead. For the old stable distribution (etch), this problem has been fixed in version 1.2.1-10+etch1. For the stable distribution (lenny), this problem has been fixed in version 1.4.4-4+lenny1. We recommend that you upgrade your roundup package. |
Original Source
| Url : http://www.debian.org/security/2009/dsa-1754 |
CWE : Common Weakness Enumeration
| % | Id | Name |
|---|---|---|
| 100 % | CWE-264 | Permissions, Privileges, and Access Controls |
CPE : Common Platform Enumeration
OpenVAS Exploits
| Date | Description |
|---|---|
| 2009-04-15 | Name : Debian Security Advisory DSA 1754-1 (roundup) File : nvt/deb_1754_1.nasl |
| 2009-03-13 | Name : Fedora Core 10 FEDORA-2009-2583 (roundup) File : nvt/fcore_2009_2583.nasl |
| 2009-03-13 | Name : Fedora Core 9 FEDORA-2009-2591 (roundup) File : nvt/fcore_2009_2591.nasl |
Open Source Vulnerability Database (OSVDB)
| Id | Description |
|---|---|
| 56368 | Roundup cgi/actions.py EditCSVAction Function Arbitrary Saved Query Manipulation |
Nessus® Vulnerability Scanner
| Date | Description |
|---|---|
| 2009-04-23 | Name : The remote Fedora host is missing a security update. File : fedora_2009-2583.nasl - Type : ACT_GATHER_INFO |
| 2009-04-11 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-1754.nasl - Type : ACT_GATHER_INFO |
| 2009-03-12 | Name : The remote Fedora host is missing a security update. File : fedora_2009-2591.nasl - Type : ACT_GATHER_INFO |
Alert History
| Date | Informations |
|---|---|
| 2014-02-17 11:28:19 |
|
