219937 – CVE-2006-6574: mantis < 1.1.0a2 information disclosure

Bug 219937 - CVE-2006-6574: mantis < 1.1.0a2 information disclosure

Summary: CVE-2006-6574: mantis < 1.1.0a2 information disclosure

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	mantis
Sub Component:
Version:	6
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Gianluca Sforna
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2006-12-17 09:25 UTC by Ville Skyttä
Modified:	2007-11-30 22:11 UTC (History)
CC List:	2 users (show)
Fixed In Version:	1.0.6-2
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2007-01-12 23:11:20 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Ville Skyttä 2006-12-17 09:25:11 UTC

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-6574

"Mantis before 1.1.0a2 does not implement per-item access control for Issue
History (Bug History), which allows remote attackers to obtain sensitive
information by reading the Change column, as demonstrated by the Change column
of a custom field."

All FE releases are possibly affected.

Comment 1 Gianluca Sforna 2007-01-09 11:38:05 UTC

mantis references:

http://www.mantisbt.org/bugs/view.php?id=7364
http://www.mantisbt.org/bugs/view.php?id=3375

both fixed in CVS

Comment 2 Gianluca Sforna 2007-01-12 23:11:20 UTC

Patched packages are now published in all branches (FC5, FC6 and devel)

Note You need to log in before you can comment on or make changes to this bug.