oss-sec mailing list archives

Re: MantisBT - Full admin access vulnerability - CVE-2017-7615


From: Damien Regad <dregad () mantisbt org>
Date: Sun, 16 Apr 2017 19:06:07 +0200

A vulnerability exists in MantisBT where any user's password can be reset:

This is registered as CVE-2017-7615. It was discovered and reported to
us by John Page aka hyp3rlinx from ApparitionSec
(http://hyp3rlinx.altervista.org).

We didn't post it here before, as due to the severity of the issue we
wanted to give the opportunity to our users to patch their systems
before full public disclosure, so we notified them via private e-mail.

Unfortunately someone decided to post it here (anonymously, too...) in
spite of our request to keep the embargo, so here's the rest of the story.

The issue will be fixed in versions 1.3.10, 2.2.4, and 2.3.1, to be
released shortly.

Until then, all MantisBT administrators are advised to patch their
system immediately. Fixes are available from our GitHub repository:

- 2.3.x https://github.com/mantisbt/mantisbt/commit/cfbc5e54
- 2.2.x https://github.com/mantisbt/mantisbt/commit/46880ef6
- 1.3.x https://github.com/mantisbt/mantisbt/commit/14c61a8c

MantisBT issue tracker reference:
https://mantisbt.org/bugs/view.php?id=22690

Best regards
D. Regad
MantisBT developer

