Red Hat Bugzilla – Bug 828512
CVE-2011-5092 rt3: remote arbitrary code execution and privilege elevation flaw
Last modified: 2015-08-24 11:55:38 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2011-5092 to
the following vulnerability:
Best Practical Solutions RT 3.8.x before 3.8.12 and 4.x before 4.0.6
allows remote attackers to execute arbitrary code and gain privileges
via unspecified vectors, a different vulnerability than CVE-2011-4458
Current Fedora has 3.8.12 (3.8.13 in testing), however EPEL6 currently provides 3.8.10 and requires an update. It's not specified as to whether 3.6.x is affected (which is what is shipped in EPEL5).
Created rt3 tracking bugs for this issue
Affects: epel-6 [bug 828517]
rt3-3.8.13-1.el6.2 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
(In reply to Vincent Danen from comment #0)
> It's not specified as to whether 3.6.x is affected (which is what is
> shipped in EPEL5).
This CVE is not mentioned in upstream announcements at all, and is apparently a split off from CVE-2011-4458 mentioned by upstream:
RT versions 3.6.1 and above are vulnerable to a remote execution of code
vulnerability if the optional VERP configuration options ($VERPPrefix
and $VERPDomain) are enabled. RT 3.8.0 and higher are vulnerable to a
limited remote execution of code which can be leveraged for privilege
escalation. RT 4.0.0 and above contain a vulnerability in the global
$DisallowExecuteCode option, allowing sufficiently privileged users to
still execute code even if RT was configured to not allow it.
CVE-2011-4458 is assigned to this set of vulnerabilities.
As CVE-2011-4458 was used for 3 separate issues, each affecting different versions, it got split by Mitre as:
- CVE-2011-4458 for the VERP issue, affecting 3.6.1+
- CVE-2011-5092 for the limited code execution issue in 3.8.0+
- CVE-2011-5093 for the DisallowExecuteCode issue in 4.0.0+
Hence this CVE-2011-5092 should not apply to 3.6.x in EPEL-5, but the CVE-2011-4458 (bug 824082) should, and remains unfixed.