Vulnerability Name:

CVE-2008-1475

Assigned: 2008-03-07
Published: 2008-03-07
Updated: 2017-08-07
Summary: The xml-rpc server in Roundup 1.4.4 does not check property permissions, which allows attackers to bypass restrictions and edit or read restricted properties via the (1) list, (2) display, and (3) set methods.
CVSS v3 Severity: 6.5 Medium (CCN CVSS v3 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): Low
Integrity (I): Low
Availability (A): None
CVSS v2 Severity: 6.4 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N)
4.7 Medium (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N/E:U/RL:OF/RC:C)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): None
6.4 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N)
4.7 Medium (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N/E:U/RL:OF/RC:C)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): None
Vulnerability Type: CWE-264
References: Source: GENTOO
Type: UNKNOWN
GLSA-200805-21

Source: CONFIRM
Type: UNKNOWN
http://sourceforge.net/tracker/index.php?func=detail&aid=1907211&group_id=31577&atid=402788

Source: BID
Type: UNKNOWN
28238

Source: VUPEN
Type: UNKNOWN
ADV-2008-0891

Source: MISC
Type: UNKNOWN
https://bugzilla.redhat.com/show_bug.cgi?id=436546

Source: XF
Type: UNKNOWN
roundup-xmlrpc-security-bypass(41240)

Source: FEDORA
Type: UNKNOWN
FEDORA-2008-2370

Source: FEDORA
Type: UNKNOWN
FEDORA-2008-2471

Source: FEDORA
Type: UNKNOWN
FEDORA-2008-9712

Source: FEDORA
Type: UNKNOWN
FEDORA-2008-9734

Vulnerable Configuration: Configuration 1:
  • cpe:/a:roundup-tracker:roundup:1.4.3:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:1.4.2:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:1.4.1:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:1.4.0:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:1.3.3:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:1.3.2:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:1.3.1:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:1.3.0:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:1.2.1:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:1.2.0:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:1.1.2:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:1.1.1:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:1.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:1.0:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:1.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.7.6:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.7.5:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.7.8:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.7.7:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.7.2:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.7.1:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.7.4:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.7.3:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.7.0:b2:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.7.0:b1:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.7.0:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.7.0:b3:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.6.8:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.6.7:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.6.10:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.6.9:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.8.6:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.9.0:b1:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.8.2:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.8.3:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.8.4:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.8.5:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.8.0:b1:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.8.0:b2:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.8.0:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.8.1:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.7.9:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.7.10:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.7.11:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.7.12:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.6.11:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.5.9:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.5:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.5.7:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.5.8:stable:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.5.5:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.5.6:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.5.3:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.5.4:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.5.1:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.5.2:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.1.1:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.1.3:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.1.2:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.2.1:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.2.0:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.2.4:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.2.5:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.2.2:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.2.3:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.2.8:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.3.0:pre1:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.2.6:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.2.7:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.3.0:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.4.0:b1:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.3.0:pre2:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.3.0:pre3:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.4.1:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.4.2:pr1:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.4.0:b2:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.4.0:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.5.0:pr1:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.5.0:beta2:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.5.0:beta1:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.4.2:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.6.0:b3:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.6.0:b2:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.6.0:b1:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.5.0:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.6.2:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.6.1:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.6.0:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.6.0:b4:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.6.6:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.6.5:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.6.4:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.6.3:*:*:*:*:*:*:*

  • Denotes that component is vulnerable
    roundup-tracker roundup 1.4.3
    roundup-tracker roundup 1.4.2
    roundup-tracker roundup 1.4.1
    roundup-tracker roundup 1.4.0
    roundup-tracker roundup 1.3.3
    roundup-tracker roundup 1.3.2
    roundup-tracker roundup 1.3.1
    roundup-tracker roundup 1.3.0
    roundup-tracker roundup 1.2.1
    roundup-tracker roundup 1.2.0
    roundup-tracker roundup 1.1.2
    roundup-tracker roundup 1.1.1
    roundup-tracker roundup 1.1.0
    roundup-tracker roundup 1.0
    roundup-tracker roundup 1.0.1
    roundup-tracker roundup 0.7.6
    roundup-tracker roundup 0.7.5
    roundup-tracker roundup 0.7.8
    roundup-tracker roundup 0.7.7
    roundup-tracker roundup 0.7.2
    roundup-tracker roundup 0.7.1
    roundup-tracker roundup 0.7.4
    roundup-tracker roundup 0.7.3
    roundup-tracker roundup 0.7.0 b2
    roundup-tracker roundup 0.7.0 b1
    roundup-tracker roundup 0.7.0
    roundup-tracker roundup 0.7.0 b3
    roundup-tracker roundup 0.6.8
    roundup-tracker roundup 0.6.7
    roundup-tracker roundup 0.6.10
    roundup-tracker roundup 0.6.9
    roundup-tracker roundup 0.8.6
    roundup-tracker roundup 0.9.0 b1
    roundup-tracker roundup 0.8.2
    roundup-tracker roundup 0.8.3
    roundup-tracker roundup 0.8.4
    roundup-tracker roundup 0.8.5
    roundup-tracker roundup 0.8.0 b1
    roundup-tracker roundup 0.8.0 b2
    roundup-tracker roundup 0.8.0
    roundup-tracker roundup 0.8.1
    roundup-tracker roundup 0.7.9
    roundup-tracker roundup 0.7.10
    roundup-tracker roundup 0.7.11
    roundup-tracker roundup 0.7.12
    roundup-tracker roundup 0.6.11
    roundup-tracker roundup 0.5.9
    roundup-tracker roundup 0.5
    roundup-tracker roundup 0.5.7
    roundup-tracker roundup 0.5.8 stable
    roundup-tracker roundup 0.5.5
    roundup-tracker roundup 0.5.6
    roundup-tracker roundup 0.5.3
    roundup-tracker roundup 0.5.4
    roundup-tracker roundup 0.5.1
    roundup-tracker roundup 0.5.2
    roundup-tracker roundup 0.1.1
    roundup-tracker roundup 0.1.0
    roundup-tracker roundup 0.1.3
    roundup-tracker roundup 0.1.2
    roundup-tracker roundup 0.2.1
    roundup-tracker roundup 0.2.0
    roundup-tracker roundup 0.2.4
    roundup-tracker roundup 0.2.5
    roundup-tracker roundup 0.2.2
    roundup-tracker roundup 0.2.3
    roundup-tracker roundup 0.2.8
    roundup-tracker roundup 0.3.0 pre1
    roundup-tracker roundup 0.2.6
    roundup-tracker roundup 0.2.7
    roundup-tracker roundup 0.3.0
    roundup-tracker roundup 0.4.0 b1
    roundup-tracker roundup 0.3.0 pre2
    roundup-tracker roundup 0.3.0 pre3
    roundup-tracker roundup 0.4.1
    roundup-tracker roundup 0.4.2 pr1
    roundup-tracker roundup 0.4.0 b2
    roundup-tracker roundup 0.4.0
    roundup-tracker roundup 0.5.0 pr1
    roundup-tracker roundup 0.5.0 beta2
    roundup-tracker roundup 0.5.0 beta1
    roundup-tracker roundup 0.4.2
    roundup-tracker roundup 0.6.0 b3
    roundup-tracker roundup 0.6.0 b2
    roundup-tracker roundup 0.6.0 b1
    roundup-tracker roundup 0.5.0
    roundup-tracker roundup 0.6.2
    roundup-tracker roundup 0.6.1
    roundup-tracker roundup 0.6.0
    roundup-tracker roundup 0.6.0 b4
    roundup-tracker roundup 0.6.6
    roundup-tracker roundup 0.6.5
    roundup-tracker roundup 0.6.4
    roundup-tracker roundup 0.6.3