Re: CVE request: CAPTCHA bypass in MantisBT

[cve-assign () mitre org]

On Sat, 17 Jan 2015, Damien Regad wrote:

> Greetings,
>
> Please assign a CVE ID for the following issue
>
>
> Description:
>
> An attacker can get an unlimited amount of CAPTCHA "samples" with different 
> perturbations for the same challenge, which makes the whole captcha utterly 
> useless and very easy to bypass.
>
>
> Affected versions:
> <= 1.2.19
>
> Fixed in versions:
> 1.2.19 (not yet released)
>
> Patch:
> See Github [1]
>
> Credit:
> This vulnerability was reported [2] by Florent Daigniere from Matta 
> Consulting.
> The issue was fixed by Damien Regad (MantisBT Developer).
>
> References:
> Further details available in our issue tracker [2]
>
> [1] https://github.com/mantisbt/mantisbt/commit/39a92726
> [2] https://www.mantisbt.org/bugs/view.php?id=17984

Use CVE-2014-9624.  (Although 17984 apparently was not publicly accessible 
until 2015, the 39a92726 commit appears to have been uploaded to GitHub on 
December 29, 2014, and it clearly describes a security issue.  Therefore a 
2014 ID is used.)

---

CVE assignment team, MITRE CVE Numbering Authority M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]