Date: Sun, 16 Apr 2017 19:06:07 +0200
From: Damien Regad <dregad@...tisbt.org>
To: oss-security@...ts.openwall.com
Subject: Re: MantisBT - Full admin access vulnerability - CVE-2017-7615

> A vulnerability exists in MantisBT where any users password can be reset:

This is registered as CVE-2017-7615. It was discovered and reported to us
by John Page aka hyp3rlinx from ApparitionSec
(http://hyp3rlinx.altervista.org).

We didn't post it here before, as due to the severity of the issue we
wanted to give the opportunity to our users to patch their systems before
full public disclosure, so we notified them via private e-mail.

Unfortunately someone decided to post it here (anonymously, too...) in
spite of our request to keep the embargo, so here's the rest of the story.

The issue will be fixed in versions 1.3.10, 2.2.4, and 2.3.1, to be
released shortly. Until then, all MantisBT administrators are advised to
patch their system immediately.

Fixes are available from our GitHub repository:

- 2.3.x https://github.com/mantisbt/mantisbt/commit/cfbc5e54
- 2.2.x https://github.com/mantisbt/mantisbt/commit/46880ef6
- 1.3.x https://github.com/mantisbt/mantisbt/commit/14c61a8c

MantisBT issue tracker reference:
https://mantisbt.org/bugs/view.php?id=22690

Best regards
D. Regad
MantisBT developer