Vulnerability CVE-2012-4732

Vulnerability Name:

CVE-2012-4732 (CCN-79610)

Assigned:

2012-10-25

Published:

2012-10-25

Updated:

2013-03-02

Summary:

Cross-site request forgery (CSRF) vulnerability in Request Tracker (RT) 3.8.12 and other versions before 3.8.15, and 4.0.6 and other versions before 4.0.8, allows remote attackers to hijack the authentication of users for requests that toggle ticket bookmarks.

CVSS v3 Severity:

5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): Low Availibility (A): None

CVSS v2 Severity:

6.8 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P)
5.9 Medium (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P/E:H/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Authentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): Partial

4.3 Medium (CCN CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
3.7 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:H/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Athentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

Vulnerability Type:

CWE-352

Vulnerability Consequences:

Gain Access

References:

Source: CCN
Type: Best Practical Web site
Best Practical

Source: MITRE
Type: CNA
CVE-2012-4732

Source: CCN
Type: rt-announce
Security vulnerabilities in RT

Source: MLIST
Type: Patch, Vendor Advisory
[rt-announce] 20121025 Security vulnerabilities in RT

Source: OSVDB
Type: UNKNOWN
86714

Source: CCN
Type: SA51065
RT Multiple Vulnerabilities

Source: DEBIAN
Type: DSA-2567
request-tracker3.8 -- several vulnerabilities

Source: CCN
Type: OSVDB ID: 86714
RT Ticket Bookmark Toggling CSRF

Source: XF
Type: UNKNOWN
rt-unspecified-csrf(79610)

Vulnerable Configuration:

Configuration 1:

cpe:/a:bestpractical:rt:3.8.12:*:*:*:*:*:*:*

OR cpe:/a:bestpractical:rt:3.8.13:*:*:*:*:*:*:*

OR cpe:/a:bestpractical:rt:3.8.13:rc1:*:*:*:*:*:*

OR cpe:/a:bestpractical:rt:3.8.13:rc2:*:*:*:*:*:*

OR cpe:/a:bestpractical:rt:3.8.14:*:*:*:*:*:*:*

OR cpe:/a:bestpractical:rt:3.8.14:rc1:*:*:*:*:*:*

Configuration 2:

cpe:/a:bestpractical:rt:4.0.6:*:*:*:*:*:*:*

OR cpe:/a:bestpractical:rt:4.0.7:rc1:*:*:*:*:*:*

OR cpe:/a:bestpractical:rt:4.0.8:rc1:*:*:*:*:*:*

OR cpe:/a:bestpractical:rt:4.0.8:rc2:*:*:*:*:*:*

Configuration CCN 1:

cpe:/a:bestpractical:rt:4.0.0:rc6:*:*:*:*:*:*

OR cpe:/a:bestpractical:rt:4.0.0:rc5:*:*:*:*:*:*

OR cpe:/a:bestpractical:rt:4.0.0:rc7:*:*:*:*:*:*

OR cpe:/a:bestpractical:rt:4.0.0:rc4:*:*:*:*:*:*

OR cpe:/a:bestpractical:rt:4.0.0:rc8:*:*:*:*:*:*

OR cpe:/a:bestpractical:rt:4.0.0:rc1:*:*:*:*:*:*

OR cpe:/a:bestpractical:rt:4.0.0:rc3:*:*:*:*:*:*

OR cpe:/a:bestpractical:rt:4.0.0:rc2:*:*:*:*:*:*

OR cpe:/a:bestpractical:rt:3.8.12:*:*:*:*:*:*:*

OR cpe:/a:bestpractical:rt:4.0.0:*:*:*:*:*:*:*

OR cpe:/a:bestpractical:rt:4.0.1:*:*:*:*:*:*:*

OR cpe:/a:bestpractical:rt:4.0.2:*:*:*:*:*:*:*

OR cpe:/a:bestpractical:rt:4.0.3:*:*:*:*:*:*:*

OR cpe:/a:bestpractical:rt:4.0.4:*:*:*:*:*:*:*

OR cpe:/a:bestpractical:rt:4.0.5:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.mitre.oval:def:18385	P	DSA-2567-1 request-tracker3.8 - several	2014-06-23
oval:com.ubuntu.precise:def:20124732000	V	CVE-2012-4732 on Ubuntu 12.04 LTS (precise) - medium.	2012-11-11
oval:com.ubuntu.xenial:def:201247320000000	V	CVE-2012-4732 on Ubuntu 16.04 LTS (xenial) - medium.	2012-11-11
oval:com.ubuntu.trusty:def:20124732000	V	CVE-2012-4732 on Ubuntu 14.04 LTS (trusty) - medium.	2012-11-11
oval:com.ubuntu.xenial:def:20124732000	V	CVE-2012-4732 on Ubuntu 16.04 LTS (xenial) - medium.	2012-11-11

BACK