oss-security - Re: MantisBT - Full admin access vulnerability

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [<thread-prev] [day] [month] [year] [list]

Message-ID: <od089o$htq$1@blaine.gmane.org>
Date: Sun, 16 Apr 2017 19:06:07 +0200
From: Damien Regad <dregad@...tisbt.org>
To: oss-security@...ts.openwall.com
Subject: Re: MantisBT - Full admin access vulnerability - CVE-2017-7615

> A vulnerability exists in MantisBT where any users password can be reset:

This is registered as CVE-2017-7615. It was discovered and reported to
us by John Page aka hyp3rlinx from ApparitionSec
(http://hyp3rlinx.altervista.org).

We didn't post it here before, as due to the severity of the issue we
wanted to give the opportunity to our users to patch their systems
before full public disclosure, so we notified them via private e-mail.

Unfortunately someone decided to post it here (anonymously, too...) in
spite of our request to keep the embargo, so here's the rest of the story.

The issue will be fixed in versions 1.3.10, 2.2.4, and 2.3.1, to be
released shortly.

Until then, all MantisBT administrators are advised to patch their
system immediately. Fixes are availble from our GitHub repository:

- 2.3.x https://github.com/mantisbt/mantisbt/commit/cfbc5e54
- 2.2.x https://github.com/mantisbt/mantisbt/commit/46880ef6
- 1.3.x https://github.com/mantisbt/mantisbt/commit/14c61a8c

MantisBT issue tracker reference:
https://mantisbt.org/bugs/view.php?id=22690

Best regards
D. Regad
MantisBT developer

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.