The upcoming 1.2.18 release of MantisBT will fix the following issue: "" Due to an incorrect access check, by guessing the download URL correctly, unprivileged users can download files from a private project with restricted access to attachments, i.e. where $g_download_attachments_threshold / $g_view_attachments_threshold are set e.g. to 55 (developer), if another project to which they have access does not restrict attachments download. "" This issue affects versions 1.2.17 and older. References: http://seclists.org/oss-sec/2014/q4/623 http://github.com/mantisbt/mantisbt/commit/5f0b150b
Created mantis tracking bugs for this issue: Affects: fedora-all [bug 1164632] Affects: epel-5 [bug 1164633]
MITRE assigned CVE-2014-8988 to this issue: http://seclists.org/oss-sec/2014/q4/693
mantis-1.2.18-1.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
mantis-1.2.18-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
mantis-1.2.18-1.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.