Bug 696795 (CVE-2011-1685, CVE-2011-1686, CVE-2011-1687, CVE-2011-1688, CVE-2011-1689, CVE-2011-1690) - CVE-2011-1685 CVE-2011-1686 CVE-2011-1687 CVE-2011-1688 CVE-2011-1689 CVE-2011-1690 rt3: several security flaws fixed in 3.6.11, 3.8.10
Summary: CVE-2011-1685 CVE-2011-1686 CVE-2011-1687 CVE-2011-1688 CVE-2011-1689 CVE-201...
Keywords:
Status: NEW
Alias: CVE-2011-1685, CVE-2011-1686, CVE-2011-1687, CVE-2011-1688, CVE-2011-1689, CVE-2011-1690
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2011-04-14 20:33 UTC by Vincent Danen
Modified: 2019-09-29 12:44 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:


Attachments (Terms of Use)

Description Vincent Danen 2011-04-14 20:33:11 UTC
Several flaws have been reported [1] and corrected in RT versions 3.6.11 and 3.8.10, including:

RT versions 3.8.0 and above with the "external custom field" feature enabled and configured are vulnerable to a remote code execution vulnerability.  An authenticated user (either privileged orunprivileged) can use this vulnerability to execute arbitrary code with the permissions of the webserver; they may also be tricked into doing so via cross-site request forgery (CSRF). (CVE-2011-1685)

RT versions 2.0.0 and above are vulnerable to multiple SQL injection attacks.  We do not believe these attacks to be capable of directly inserting, altering or removing data from the database, but an authenticated user (either privileged or unprivileged) could use them to retrieve unauthorized ticket data. (CVE-2011-1686)

RT versions 3.0.0 and higher are vulnerable to an information leak wherein an authenticated privileged user could gain sensitive information, such as encrypted passwords, via the search interface. (CVE-2011-1687)

RT versions 3.6.0 through 3.8.7, as well as 3.8.8 to a more limited degree, are vulnerable to a malicious attacker tricking the user into sending their authentication credentials to a third-party server. (CVE-2011-1690)

RT versions 3.2.0 and above are vulnerable to a directory traversal attack where an unauthenticated attacker can read any file which is readable by the webserver.  While some servers (Apache, nginx) have safeguards which mitigate this attack, preventing such traversals from accessing files outside of RT's document root, many others (including the standalone server provided with RT, plackup, starman, twiggy, and lighttpd) are vulnerable to this exploit. (CVE-2011-1688)

RT versions 2.0.0 and above are vulnerable to javascript cross-site-scripting vulnerabilities, which allow an attacker to run javascript with the user's credentials. (CVE-2011-1689)

Upstream have released a patchset [2] as well for 3.6.10 and 3.8 releases, in addition to the new releases.

[1] http://blog.bestpractical.com/2011/04/security-vulnerabilities-in-rt.html
[2] http://download.bestpractical.com/pub/rt/release/security-2011-04-14.tar.gz

Comment 1 Fedora Update System 2011-10-27 19:05:48 UTC
rt3-3.8.10-2.el6.1 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.