Bug 219937

Summary: CVE-2006-6574: mantis < 1.1.0a2 information disclosure
Product: [Fedora] Fedora Reporter: Ville Skyttä <ville.skytta>
Component: mantisAssignee: Gianluca Sforna <giallu>
Status: CLOSED CURRENTRELEASE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: medium    
Version: 6CC: extras-qa, fedora-security-list
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: 1.0.6-2 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2007-01-12 23:11:20 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Ville Skyttä 2006-12-17 09:25:11 UTC 
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-6574

"Mantis before 1.1.0a2 does not implement per-item access control for Issue
History (Bug History), which allows remote attackers to obtain sensitive
information by reading the Change column, as demonstrated by the Change column
of a custom field."

All FE releases are possibly affected.
Comment 1 Gianluca Sforna 2007-01-09 11:38:05 UTC 
mantis references:

http://www.mantisbt.org/bugs/view.php?id=7364
http://www.mantisbt.org/bugs/view.php?id=3375

both fixed in CVS
Comment 2 Gianluca Sforna 2007-01-12 23:11:20 UTC 
Patched packages are now published in all branches (FC5, FC6 and devel)