oss-sec mailing list archives
Re: CVE Request: MantisBT SOAP API can be used to disclose confidential settings
From: Damien Regad <dregad () mantisbt org>
Date: Mon, 4 Jan 2016 16:47:57 +0100
On 2016-01-03 18:03, cve-assign () mitre org wrote:
> In general, a vendor can choose to request a CVE ID for a vulnerability in beta software. This is unusual and (in cases of many other products) often not a good idea, but there is no absolute restriction on having a CVE ID.
The reason for requesting a CVE for a beta release is that this code has been out there and used "in production" for several years, despite being "beta" (change was committed [1] in Feb 2010).
> Use CVE-2014-9759 for the vulnerability caused by the master_crypto_salt spelling.
Thank you.
> There is no CVE ID for the general issue of "Implement a white list of options".
None was needed. The issue, as you correctly interpreted, is the disclosure of the crypto salt.
>> Further details available in our issue tracker [3]
>> [3] https://mantisbt.org/bugs/view.php?id=20277
> It currently gives an "Access Denied." error.
Apologies, I forgot to make the issue public after releasing the patch. It is available now.
[1] https://github.com/mantisbt/mantisbt/commit/eb5623605