Date: Sun, 18 Jan 2015 15:44:02 -0500 (EST)
From: cve-assign@...re.org
To: Damien Regad <dregad@...tisbt.org>
cc: oss-security@...ts.openwall.com, cve-assign@...re.org
Subject: Re: CVE request: CAPTCHA bypass in MantisBT


On Sat, 17 Jan 2015, Damien Regad wrote:

> Greetings,
>
> Please assign a CVE ID for the following issue
>
>
> Description:
>
> An attacker can get an unlimited amount of CAPTCHA "samples" with different 
> perturbations for the same challenge, which makes the whole captcha utterly 
> useless and very easy to bypass.
>
>
> Affected versions:
> <= 1.2.19
>
> Fixed in versions:
> 1.2.19 (not yet released)
>
> Patch:
> See Github [1]
>
> Credit:
> This vulnerability was reported [2] by Florent Daigniere from Matta 
> Consulting.
> The issue was fixed by Damien Regad (MantisBT Developer).
>
> References:
> Further details available in our issue tracker [2]
>
> [1] https://github.com/mantisbt/mantisbt/commit/39a92726
> [2] https://www.mantisbt.org/bugs/view.php?id=17984

Use CVE-2014-9624.  (Although 17984 apparently was not publicly accessible 
until 2015, the 39a92726 commit appears to have been uploaded to GitHub on 
December 29, 2014, and it clearly describes a security issue.  Therefore a 
2014 ID is used.)

---

CVE assignment team, MITRE CVE Numbering Authority M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
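As an added illustration, not code from MantisBT or from the patch referenced above, the following models the flaw described in the request (one stored answer re-rendered with fresh perturbations on every image fetch) beside a hardened design that rotates the stored answer on each render and makes it single-use; the class and function names are hypothetical, and the "renderer" is a stand-in that records the perturbation parameters instead of drawing an image.

```python
import secrets
import string

ALPHABET = string.ascii_uppercase + string.digits


def new_challenge(length=6):
    """Generate a fresh CAPTCHA answer from a CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def render(answer):
    """Stand-in for image rendering: returns the answer together with the
    random perturbation parameters chosen for this particular rendering."""
    return {"answer": answer,
            "rotation": secrets.randbelow(31) - 15,   # degrees, -15..15
            "noise_seed": secrets.randbits(32)}


class VulnerableCaptcha:
    """Answer is generated once per session; every GET of the image re-renders
    that same answer with new perturbations, so a client can collect unlimited
    differently-perturbed samples of the one challenge it must later solve."""
    def __init__(self):
        self.session = {"captcha": new_challenge()}

    def image(self):
        return render(self.session["captcha"])

    def verify(self, guess):
        return guess == self.session["captcha"]


class HardenedCaptcha:
    """Each image request replaces the stored answer, so extra fetches yield
    samples of other challenges, and a verify attempt consumes the answer."""
    def __init__(self):
        self.session = {"captcha": None}

    def image(self):
        self.session["captcha"] = new_challenge()
        return render(self.session["captcha"])

    def verify(self, guess):
        ok = self.session["captcha"] is not None and guess == self.session["captcha"]
        self.session["captcha"] = None   # single-use, whether or not it matched
        return ok


def distinct_answers_in_samples(captcha, n=10):
    """Defender's check: number of different answers seen across n image
    fetches in one session. A result of 1 means one challenge was served n
    times with varying perturbation, the condition the advisory describes."""
    return len({sample["answer"] for sample in (captcha.image() for _ in range(n))})
```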
