Vulnerability CVE-2013-4410 - CERT Civis.Net

Vulnerability Name:

CVE-2013-4410 (CCN-88060)

Assigned:

2013-10-10

Published:

2013-10-10

Updated:

2019-12-13

Summary:

ReviewBoard: has an access-control problem in REST API

CVSS v3 Severity:

7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): High Integrity (I): None Availibility (A): None

5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): Low Availibility (A): None

CVSS v2 Severity:

5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N)
3.7 Low (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Authentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): None Availibility (A): None

4.3 Medium (CCN CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
3.2 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Athentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

Vulnerability Type:

Vulnerability Consequences:

Bypass Security

References:

Source: MITRE
Type: CNA
CVE-2013-4410

Source: MISC
Type: Mailing List, Third Party Advisory
http://lists.fedoraproject.org/pipermail/package-announce/2013-November/120619.html

Source: MISC
Type: Mailing List, Third Party Advisory
http://lists.fedoraproject.org/pipermail/package-announce/2013-October/119819.html

Source: MISC
Type: Mailing List, Third Party Advisory
http://lists.fedoraproject.org/pipermail/package-announce/2013-October/119820.html

Source: MISC
Type: Mailing List, Third Party Advisory
http://lists.fedoraproject.org/pipermail/package-announce/2013-October/119830.html

Source: MISC
Type: Third Party Advisory
http://lists.fedoraproject.org/pipermail/package-announce/2013-October/119831.html

Source: CCN
Type: SA55208
ReviewBoard Security Bypass Security Issues and Code Execution Vulnerability

Source: CCN
Type: ReviewBoard Web site
Take the pain out of code review | Review Board

Source: CCN
Type: Review Board Web site
New security releases: Review Board 1.6.19 and 1.7.15

Source: CCN
Type: BID-62702
Review Board Access Bypass Vulnerability

Source: CCN
Type: BID-63022
Review Board CVE-2013-4410 Access Bypass Vulnerability

Source: MISC
Type: Third Party Advisory, VDB Entry
http://www.securityfocus.com/bid/63022

Source: MISC
Type: Broken Link
https://access.redhat.com/security/cve/cve-2013-4410

Source: MISC
Type: Issue Tracking, Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4410

Source: MISC
Type: Third Party Advisory, VDB Entry
https://exchange.xforce.ibmcloud.com/vulnerabilities/88060

Source: XF
Type: UNKNOWN
reviewboard-cve20134410-sec-bypass(88060)

Source: MISC
Type: Third Party Advisory
https://security-tracker.debian.org/tracker/CVE-2013-4410

Vulnerable Configuration:

Configuration 1:

cpe:/a:reviewboard:reviewboard:*:*:*:*:*:*:*:* (Version >= 1.6 and < 1.6.19)

OR cpe:/a:reviewboard:reviewboard:*:*:*:*:*:*:*:* (Version >= 1.7 and < 1.7.15)

Configuration 2:

cpe:/o:fedoraproject:fedora:18:*:*:*:*:*:*:*

OR cpe:/o:fedoraproject:fedora:19:*:*:*:*:*:*:*

OR cpe:/o:fedoraproject:fedora:20:*:*:*:*:*:*:*

Configuration CCN 1:

cpe:/a:reviewboard:reviewboard:1.6.18:*:*:*:*:*:*:*

OR cpe:/a:reviewboard:reviewboard:1.7.14:*:*:*:*:*:*:*

Denotes that component is vulnerable