Vulnerability Name:

CVE-2008-1475 (CCN-41240)

Assigned:2008-03-07
Published:2008-03-07
Updated:2017-08-08
Summary:The xml-rpc server in Roundup before 1.4.4 (the vulnerable configuration below ends at 1.4.3; the vendor CHANGES.txt cited under References records the fix) does not check property permissions, which allows attackers to bypass restrictions and edit or read restricted properties via the (1) list, (2) display, and (3) set methods.
CVSS v3 Severity:6.5 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): Low
Integrity (I): Low
Availability (A): None
CVSS v2 Severity:6.4 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N)
4.7 Medium (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): None
6.4 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N)
4.7 Medium (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): None
Vulnerability Type:CWE-264 (Permissions, Privileges, and Access Controls)
Vulnerability Consequences:Bypass Security
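As an added example, not code from Roundup or from this record, the Python below models the flaw and the class of fix in a hypothetical tracker: VulnerableTracker serves display, set and list without consulting a permission table (the behaviour the summary describes), HardenedTracker checks View or Edit rights on every property before touching it, and call() pushes each request through Python's own XML-RPC marshalling (xmlrpc.client.dumps into a SimpleXMLRPCDispatcher, no socket) so a refusal surfaces as an XML-RPC Fault exactly as a client would see it. SAMPLE_DB, PERMISSIONS, the role names, the designator format and the property names are constructed assumptions; Roundup's real permission and xmlrpc modules are not reproduced here.

```python
import copy
import xmlrpc.client
from xmlrpc.server import SimpleXMLRPCDispatcher

ALL = "__all__"

# Constructed sample data: one item class "user" whose "password" property is
# restricted.  Values are placeholders, not real password hashes.
SAMPLE_DB = {"user": {
    "1": {"username": "admin", "password": "hash-admin", "roles": "Admin"},
    "2": {"username": "alice", "password": "hash-alice", "roles": "User"},
}}

# Constructed permission table, loosely modelled on Roundup's role/permission
# scheme: (role, action, classname) -> allowed properties; absent means none.
PERMISSIONS = {
    ("Admin", "View", "user"): ALL,
    ("Admin", "Edit", "user"): ALL,
    ("User", "View", "user"): {"username"},
    ("Anonymous", "View", "user"): {"username"},
}

def has_permission(role, action, classname, prop):
    allowed = PERMISSIONS.get((role, action, classname), set())
    return allowed == ALL or prop in allowed

def split_designator(designator):          # Roundup-style 'user2' -> ('user', '2')
    classname = designator.rstrip("0123456789")
    return classname, designator[len(classname):]

class VulnerableTracker:
    """Pre-fix behaviour as the summary describes: every method resolves the
    item but never consults the permission table for the caller's role."""
    def __init__(self, db, role):
        self.db, self.role = copy.deepcopy(db), role   # private copy per instance

    def display(self, designator, *props):
        classname, itemid = split_designator(designator)
        item = self.db[classname][itemid]
        return {p: item[p] for p in (props or item)}

    def set(self, designator, *assignments):       # assignments are "prop=value"
        classname, itemid = split_designator(designator)
        item = self.db[classname][itemid]
        for assignment in assignments:
            prop, value = assignment.split("=", 1)
            item[prop] = value
        return "ok"

    def list(self, classname, propname="username"):
        return [item[propname] for item in self.db[classname].values()]

class HardenedTracker(VulnerableTracker):
    """Same interface with a View/Edit check on every property touched.  set()
    checks all properties before writing any, so a denied one cannot leave a
    half-applied change behind."""
    def _require(self, action, classname, prop):
        if not has_permission(self.role, action, classname, prop):
            raise PermissionError(f"{action} {classname}.{prop} denied for role {self.role}")

    def display(self, designator, *props):
        classname, itemid = split_designator(designator)
        item = self.db[classname][itemid]
        if props:                                   # explicit request: refuse outright
            for p in props:
                self._require("View", classname, p)
            return {p: item[p] for p in props}
        return {p: v for p, v in item.items()       # no list given: show only what is allowed
                if has_permission(self.role, "View", classname, p)}

    def set(self, designator, *assignments):
        classname, _ = split_designator(designator)
        for assignment in assignments:
            self._require("Edit", classname, assignment.split("=", 1)[0])
        return super().set(designator, *assignments)

    def list(self, classname, propname="username"):
        self._require("View", classname, propname)
        return super().list(classname, propname)

def call(tracker, method, *params):
    """One round trip through Python's real XML-RPC marshalling with no socket:
    xmlrpc.client.dumps builds the request, a SimpleXMLRPCDispatcher serves it,
    and a server-side exception surfaces as xmlrpc.client.Fault, as over HTTP."""
    dispatcher = SimpleXMLRPCDispatcher(allow_none=True)
    dispatcher.register_instance(tracker)
    request = xmlrpc.client.dumps(params, methodname=method).encode()
    (result,), _ = xmlrpc.client.loads(dispatcher._marshaled_dispatch(request))
    return result

def denied(tracker, method, *params):
    """True when the server refused the call with a permission Fault."""
    try:
        call(tracker, method, *params)
    except xmlrpc.client.Fault as fault:
        return "denied" in fault.faultString
    return False
```

Against VulnerableTracker(SAMPLE_DB, "Anonymous"), call(..., "list", "user", "password") returns every stored hash in one request and call(..., "set", "user1", "roles=User") rewrites the admin's roles; the same calls against HardenedTracker return only permitted properties or raise xmlrpc.client.Fault. The check to look for in any RPC front end that maps straight onto a data layer is the one HardenedTracker adds: permissions enforced by the HTML interface do not help when a second entry point reaches the same objects.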
References:Source: MITRE
Type: CNA
CVE-2008-1475

Source: CCN
Type: SourceForge.net Repository
View of /roundup/CHANGES.txt

Source: CCN
Type: SA29336
Roundup Multiple Vulnerabilities

Source: SECUNIA
Type: Vendor Advisory
29336

Source: SECUNIA
Type: Vendor Advisory
29375

Source: SECUNIA
Type: UNKNOWN
30274

Source: SECUNIA
Type: UNKNOWN
32805

Source: GENTOO
Type: UNKNOWN
GLSA-200805-21

Source: CONFIRM
Type: UNKNOWN
http://sourceforge.net/tracker/index.php?func=detail&aid=1907211&group_id=31577&atid=402788

Source: CCN
Type: GLSA-200805-21
Roundup: Permission bypass

Source: CCN
Type: OSVDB ID: 43108
Roundup xmlrpc-server Property Permission Verification Failure

Source: BID
Type: UNKNOWN
28238

Source: CCN
Type: BID-28238
Roundup XML-RPC Server Security Bypass Vulnerability

Source: VUPEN
Type: UNKNOWN
ADV-2008-0891

Source: MISC
Type: UNKNOWN
https://bugzilla.redhat.com/show_bug.cgi?id=436546

Source: XF
Type: UNKNOWN
roundup-xmlrpc-security-bypass(41240)

Source: FEDORA
Type: UNKNOWN
FEDORA-2008-2370

Source: FEDORA
Type: UNKNOWN
FEDORA-2008-2471

Source: FEDORA
Type: UNKNOWN
FEDORA-2008-9712

Source: FEDORA
Type: UNKNOWN
FEDORA-2008-9734

Vulnerable Configuration:Configuration 1:
  • cpe:/a:roundup-tracker:roundup:0.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.1.1:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.1.2:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.1.3:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.2.0:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.2.1:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.2.2:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.2.3:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.2.4:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.2.5:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.2.6:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.2.7:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.2.8:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.3.0:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.3.0:pre1:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.3.0:pre2:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.3.0:pre3:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.4.0:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.4.0:b1:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.4.0:b2:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.4.1:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.4.2:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.4.2:pr1:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.5:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.5.0:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.5.0:beta1:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.5.0:beta2:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.5.0:pr1:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.5.1:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.5.2:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.5.3:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.5.4:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.5.5:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.5.6:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.5.7:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.5.8:stable:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.5.9:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.6.0:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.6.0:b1:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.6.0:b2:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.6.0:b3:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.6.0:b4:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.6.1:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.6.2:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.6.3:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.6.4:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.6.5:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.6.6:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.6.7:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.6.8:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.6.9:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.6.10:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.6.11:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.7.0:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.7.0:b1:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.7.0:b2:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.7.0:b3:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.7.1:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.7.2:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.7.3:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.7.4:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.7.5:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.7.6:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.7.7:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.7.8:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.7.9:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.7.10:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.7.11:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.7.12:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.8.0:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.8.0:b1:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.8.0:b2:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.8.1:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.8.2:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.8.3:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.8.4:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.8.5:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.8.6:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:0.9.0:b1:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:1.0:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:1.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:1.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:1.1.1:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:1.1.2:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:1.2.0:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:1.2.1:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:1.3.0:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:1.3.1:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:1.3.2:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:1.3.3:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:1.4.0:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:1.4.1:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:1.4.2:*:*:*:*:*:*:*
  • OR cpe:/a:roundup-tracker:roundup:*:*:*:*:*:*:*:* (Version <= 1.4.3)
