CVE-2015-1464 - OpenCVE

RT (aka Request Tracker) before 4.0.23 and 4.2.x before 4.2.10 allows remote attackers to hijack sessions via an RSS feed URL.

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Bestpractical	Request Tracker
Fedoraproject	Fedora

Configuration 1 [-]

OR	cpe:2.3:o:fedoraproject:fedora:21:::::::*
	cpe:2.3:o:fedoraproject:fedora:22:::::::*

Configuration 2 [-]

OR	cpe:2.3:a:bestpractical:request_tracker::::::::
	cpe:2.3:a:bestpractical:request_tracker:4.2.0:::::::*
	cpe:2.3:a:bestpractical:request_tracker:4.2.1:::::::*
	cpe:2.3:a:bestpractical:request_tracker:4.2.2:::::::*
	cpe:2.3:a:bestpractical:request_tracker:4.2.3:::::::*
	cpe:2.3:a:bestpractical:request_tracker:4.2.4:::::::*
	cpe:2.3:a:bestpractical:request_tracker:4.2.5:::::::*
	cpe:2.3:a:bestpractical:request_tracker:4.2.6:::::::*
	cpe:2.3:a:bestpractical:request_tracker:4.2.7:::::::*
	cpe:2.3:a:bestpractical:request_tracker:4.2.8:::::::*
	cpe:2.3:a:bestpractical:request_tracker:4.2.9:::::::*

References

Link	Resource
http://blog.bestpractical.com/2015/02/security-vulnerabilities-in-rt.html	Vendor Advisory
http://lists.fedoraproject.org/pipermail/package-announce/2015-April/154213.html
http://lists.fedoraproject.org/pipermail/package-announce/2015-March/154047.html
http://www.debian.org/security/2015/dsa-3176

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2015-03-09T14:00:00

Updated: 2015-04-08T17:57:00

Reserved: 2015-02-03T00:00:00

Link: CVE-2015-1464

JSON object: View

NVD Information

Status : Analyzed

Published: 2015-03-09T14:59:06.450

Modified: 2015-10-28T02:15:51.970

Link: CVE-2015-1464

JSON object: View

Redhat Information

No data.

CWE

CWE-284

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2015-02-26T00:00:00", "descriptions": [{"lang": "en", "value": "RT (aka Request Tracker) before 4.0.23 and 4.2.x before 4.2.10 allows remote attackers to hijack sessions via an RSS feed URL."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2015-04-08T17:57:00", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "http://blog.bestpractical.com/2015/02/security-vulnerabilities-in-rt.html"}, {"name": "DSA-3176", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "http://www.debian.org/security/2015/dsa-3176"}, {"name": "FEDORA-2015-4698", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-March/154047.html"}, {"name": "FEDORA-2015-4666", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-April/154213.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2015-1464", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "RT (aka Request Tracker) before 4.0.23 and 4.2.x before 4.2.10 allows remote attackers to hijack sessions via an RSS feed URL."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "http://blog.bestpractical.com/2015/02/security-vulnerabilities-in-rt.html", "refsource": "CONFIRM", "url": "http://blog.bestpractical.com/2015/02/security-vulnerabilities-in-rt.html"}, {"name": "DSA-3176", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2015/dsa-3176"}, {"name": "FEDORA-2015-4698", "refsource": "FEDORA", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-March/154047.html"}, {"name": "FEDORA-2015-4666", "refsource": "FEDORA", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-April/154213.html"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2015-1464", "datePublished": "2015-03-09T14:00:00", "dateReserved": "2015-02-03T00:00:00", "dateUpdated": "2015-04-08T17:57:00", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:21:*:*:*:*:*:*:*", "matchCriteriaId": "56BDB5A0-0839-4A20-A003-B8CD56F48171", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:22:*:*:*:*:*:*:*", "matchCriteriaId": "253C303A-E577-4488-93E6-68A8DD942C38", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:bestpractical:request_tracker:*:*:*:*:*:*:*:*", "matchCriteriaId": "7FDDD86F-98D0-49D7-8467-AAF9842F771D", "versionEndIncluding": "4.0.22", "vulnerable": true}, {"criteria": "cpe:2.3:a:bestpractical:request_tracker:4.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "016A9A48-9F12-4842-862F-4A192DA0D924", "vulnerable": true}, {"criteria": "cpe:2.3:a:bestpractical:request_tracker:4.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "0D148F2A-F6B1-432A-9743-35BC43E86B40", "vulnerable": true}, {"criteria": "cpe:2.3:a:bestpractical:request_tracker:4.2.2:*:*:*:*:*:*:*", "matchCriteriaId": "2445145B-A162-484D-ABDF-053C20FD7E96", "vulnerable": true}, {"criteria": "cpe:2.3:a:bestpractical:request_tracker:4.2.3:*:*:*:*:*:*:*", "matchCriteriaId": "15EE6E16-375A-42B0-AE3C-E1FB95E9F466", "vulnerable": true}, {"criteria": "cpe:2.3:a:bestpractical:request_tracker:4.2.4:*:*:*:*:*:*:*", "matchCriteriaId": "83BF8033-9E4D-4B8B-B9E4-E992FE848F4E", "vulnerable": true}, {"criteria": "cpe:2.3:a:bestpractical:request_tracker:4.2.5:*:*:*:*:*:*:*", "matchCriteriaId": "6C68D322-E453-48D5-A5FB-39C744D90858", "vulnerable": true}, {"criteria": "cpe:2.3:a:bestpractical:request_tracker:4.2.6:*:*:*:*:*:*:*", "matchCriteriaId": "3881CA9B-5358-4808-9041-DE3E2FC8927F", "vulnerable": true}, {"criteria": "cpe:2.3:a:bestpractical:request_tracker:4.2.7:*:*:*:*:*:*:*", "matchCriteriaId": "A95CE3FD-5311-4644-8417-A74FF6B88458", "vulnerable": true}, {"criteria": "cpe:2.3:a:bestpractical:request_tracker:4.2.8:*:*:*:*:*:*:*", "matchCriteriaId": "E1DD1F04-3D0E-4210-8039-073B28ECCD85", "vulnerable": true}, {"criteria": "cpe:2.3:a:bestpractical:request_tracker:4.2.9:*:*:*:*:*:*:*", "matchCriteriaId": "26235782-E3A1-4D71-9E82-87DAC822D79D", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "RT (aka Request Tracker) before 4.0.23 and 4.2.x before 4.2.10 allows remote attackers to hijack sessions via an RSS feed URL."}, {"lang": "es", "value": "RT (tambi\u00e9n conocido como Request Tracker) anterior a 4.0.23 y 4.2.x anterior a 4.2.10 permite a atacantes remotos secuestrar sesiones a trav\u00e9s de una URL de alimentaci\u00f3n RSS."}], "id": "CVE-2015-1464", "lastModified": "2015-10-28T02:15:51.970", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 6.4, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2015-03-09T14:59:06.450", "references": [{"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "http://blog.bestpractical.com/2015/02/security-vulnerabilities-in-rt.html"}, {"source": "cve@mitre.org", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-April/154213.html"}, {"source": "cve@mitre.org", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-March/154047.html"}, {"source": "cve@mitre.org", "url": "http://www.debian.org/security/2015/dsa-3176"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}], "source": "nvd@nist.gov", "type": "Primary"}]}