oss-sec mailing list archives
CVE Request: information disclosure in MantisBT attachments
From: Damien Regad <dregad () mantisbt org>
Date: Sat, 15 Nov 2014 18:53:41 +0100
Please assign a CVE ID for the following issue.

Description: MantisBT issue attachments can be downloaded without permission. Due to an incorrect access check, by guessing the download URL correctly, unprivileged users can download files from a private project with restricted access to attachments, i.e. where $g_download_attachments_threshold / $g_view_attachments_threshold are set e.g. to 55 (developer), if another project to which they have access does not restrict attachments download.

Affected versions: <= 1.2.17
Fixed in versions: 1.2.18 (not yet released)
Patch: See Github [1]
Credit: Issue was discovered by Florian Fuchs and fixed by Paul Richards (former MantisBT developer)
References: Further details available in our issue tracker [2]

D. Regad
MantisBT Developer
http://www.mantisbt.org

[1] http://github.com/mantisbt/mantisbt/commit/5f0b150b
[2] http://www.mantisbt.org/bugs/view.php?id=17742
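The flaw described above, modelled as an added example that is not MantisBT code: the vulnerable check evaluates the attachment threshold against the project the user is currently browsing, while the corrected check resolves the project from the bug that owns the attachment. Project names, user names, the bug id and the viewer level (10) are constructed for the example; only the developer level 55 comes from the advisory.

```python
# Hypothetical model of the MantisBT attachment access check (not the project's code).
from dataclasses import dataclass, field

# Access levels: 55 (developer) is cited in the advisory; 10 (viewer) is constructed.
VIEWER, DEVELOPER = 10, 55


@dataclass
class Project:
    name: str
    download_threshold: int                       # models $g_download_attachments_threshold
    members: dict = field(default_factory=dict)   # user -> access level in this project


@dataclass
class Bug:
    bug_id: int
    project: Project                              # the project that owns the bug
    attachment: str


def access_level(user: str, project: Project) -> int:
    """Access level of `user` in `project`; 0 when the user is not a member."""
    return project.members.get(user, 0)


def can_download_vulnerable(user: str, current_project: Project, bug: Bug) -> bool:
    """Flawed check: threshold and access level are taken from the project the
    user is browsing, so a guessed URL to a bug in another project is never
    compared against that other project's settings."""
    return access_level(user, current_project) >= current_project.download_threshold


def can_download_fixed(user: str, bug: Bug) -> bool:
    """Corrected check: the owning project is derived from the bug itself, so the
    private project's threshold applies no matter where the request came from."""
    owner = bug.project
    return access_level(user, owner) >= owner.download_threshold


def demo() -> dict:
    """Constructed scenario: a viewer of a public project requests an attachment
    belonging to a bug in a private project that restricts downloads to developers."""
    private = Project("private", DEVELOPER, {"dev": DEVELOPER})
    public = Project("public", VIEWER, {"dev": DEVELOPER, "mallory": VIEWER})
    bug = Bug(42, private, "design-notes.pdf")   # bug id is constructed
    return {
        "vulnerable_allows_outsider": can_download_vulnerable("mallory", public, bug),
        "fixed_allows_outsider": can_download_fixed("mallory", bug),
        "fixed_allows_developer": can_download_fixed("dev", bug),
    }
```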