RT: Request Tracker < 3.8.17 / 4.0.13 Multiple Vulnerabilities
Medium Nessus Network Monitor Plugin ID 6841
Synopsis
The remote host is running a web application that is vulnerable to several attack vectors.
Description
Versions of Request Tracker earlier than 3.8.17 and 4.0.13 are affected by the following vulnerabilities:
- The rt command line tool uses semi-predictable temporary files. A malicious user can use this flaw to overwrite files with permissions of the user running the rt command line tool. (CVE-2013-3368)
- A malicious user who is allowed to see administration pages can run arbitrary Mason components (without control of arguments), which may have negative side-effects. (CVE-2013-3369)
- RT allows direct requests to private callback components, which could be used to exploit a Request Tracker extension or a local callback which uses the arguments passed to it insecurely. (CVE-2013-3370)
- Cross-site scripting attacks via attachment filenames. (CVE-2013-3371)
- HTTP header injection limited to the value of the Content-Disposition header. (CVE-2013-3372)
- A MIME header injection in outgoing email is possible via email templates. (Stock templates are resolved by updates, but any custom email templates should be updated to ensure that values interpolated into mail headers do not contain newlines.) (CVE-2013-3373)
- Request Tracker is vulnerable to limited session re-use when using the file-based session store, Apache::Session::File. However, Request Tracker's default session configuration only uses Apache::Session::File when configured for Oracle databases. (CVE-2013-3374)
- RT 4.0.0 and above are vulnerable to a limited privilege escalation leading to unauthorized modification of ticket data. (CVE-2012-4733)
Solution
Upgrade to RT 3.8.17, 4.0.13, or later.
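
The newline check that the CVE-2013-3373 item asks of custom email templates, shown as an added example (this is not RT's code or its patch). `header_safe`, `render_headers` and `header_names` are hypothetical helpers, and the subject string is constructed sample input.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Collapse CR/LF (and any folding whitespace after it) into one space so
# an interpolated value cannot end the header line it is placed in.
sub header_safe {
    my ($value) = @_;
    $value = '' unless defined $value;
    $value =~ s/[\r\n]+[ \t]*/ /g;
    $value =~ s/^\s+|\s+$//g;
    return $value;
}

# Hypothetical stand-in for a template's header block: one
# "Name: value" pair per line, with a user-controlled value interpolated.
sub render_headers {
    my ($subject, $sanitize) = @_;
    $subject = header_safe($subject) if $sanitize;
    return "Subject: AutoReply: $subject\nX-Example: constant\n";
}

# List the header names a mail parser would see in the rendered block.
sub header_names {
    my ($block) = @_;
    my @names;
    for my $line (split /\r?\n/, $block) {
        push @names, $1 if $line =~ /^([A-Za-z0-9-]+):/;
    }
    return @names;
}

# Constructed sample: a ticket subject carrying an embedded line break.
my $subject = "Printer is broken\r\nX-Injected: yes";

for my $sanitize (0, 1) {
    my @names = header_names(render_headers($subject, $sanitize));
    printf "%-10s headers: %s\n",
        $sanitize ? 'sanitized' : 'raw', join(', ', @names);
}
```

Run as written, the raw rendering yields an extra header name taken from the subject, while the sanitized rendering keeps the whole subject on the Subject line.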