Published: 03/07/2017 Updated: 03/10/2019

CVSS v2 Base Score: 4.3 | Impact Score: 2.9 | Exploitability Score: 8.6

CVSS v3 Base Score: 5.9 | Impact Score: 3.6 | Exploitability Score: 2.2

VMScore: 383

Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N

Request Tracker (RT) 4.x prior to 4.0.25, 4.2.x prior to 4.2.14, and 4.4.x prior to 4.4.2 does not use a constant-time comparison algorithm for secrets, which makes it easier for remote malicious users to obtain sensitive user password information via a timing side-channel attack.

Vulnerable Product	Search on Vulmon	Subscribe to Product
bestpractical request tracker 4.0.5
bestpractical request tracker 4.0.7
bestpractical request tracker 4.0.14
bestpractical request tracker 4.0.16
bestpractical request tracker 4.0.21
bestpractical request tracker 4.0.23
bestpractical request tracker 4.2.5
bestpractical request tracker 4.2.7
bestpractical request tracker 4.4.1
bestpractical request tracker 4.0.9
bestpractical request tracker 4.0.10
bestpractical request tracker 4.0.11
bestpractical request tracker 4.0.12
bestpractical request tracker 4.2.0
bestpractical request tracker 4.2.1
bestpractical request tracker 4.2.2
bestpractical request tracker 4.2.3
bestpractical request tracker 4.0.0
bestpractical request tracker 4.0.1
bestpractical request tracker 4.0.2
bestpractical request tracker 4.0.3
bestpractical request tracker 4.0.17
bestpractical request tracker 4.0.18
bestpractical request tracker 4.0.19
bestpractical request tracker 4.0.20
bestpractical request tracker 4.2.9
bestpractical request tracker 4.2.10
bestpractical request tracker 4.2.11
bestpractical request tracker 4.2.12
bestpractical request tracker 4.0.4
bestpractical request tracker 4.0.6
bestpractical request tracker 4.0.8
bestpractical request tracker 4.0.13
bestpractical request tracker 4.0.15
bestpractical request tracker 4.0.22
bestpractical request tracker 4.0.24
bestpractical request tracker 4.2.4
bestpractical request tracker 4.2.6
bestpractical request tracker 4.2.8
bestpractical request tracker 4.2.13
bestpractical request tracker 4.4.0

It was discovered that RT::Authen::ExternalAuth, an external authentication module for Request Tracker, is vulnerable to timing side-channel attacks for user passwords Only ExternalAuth in DBI (database) mode is vulnerable For the stable distribution (jessie), this problem has been fixed in version 025-1+deb8u1 We recommend that you upgrade you ...

Multiple vulnerabilities have been discovered in Request Tracker, an extensible trouble-ticket tracking system The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2016-6127 It was discovered that Request Tracker is vulnerable to a cross-site scripting (XSS) attack if an attacker uploads a malicious file ...

NVD-CWE-noinfo https://forum.bestpractical.com/t/security-vulnerabilities-in-rt-2017-06-15/32016 http://www.debian.org/security/2017/dsa-3883 http://www.debian.org/security/2017/dsa-3882 https://nvd.nist.gov https://www.debian.org/security/./dsa-3883

CVE-2017-5361

Vulnerability Summary

Vendor Advisories

References

Vulmon Search

About

Products

Connect